Cybersecurity ranks second among corporate treasuries' top areas of concern for the next three years. That's according to nearly 400 treasury professionals surveyed in the Association for Financial Professionals' (AFP's) 2019 Risk Survey, sponsored by Marsh & McLennan.

This is hardly surprising. Cyberattacks are becoming more and more common, with criminals expected to steal around 33 billion records in 2023, up from 12 billion records in 2018, according to “Cybercrime & the Internet of Threats 2018” from Juniper Research. Meanwhile, bad actors are using an assortment of malicious tactics—including phishing, wire transfer fraud, and vendor-payment fraud—and corporate vulnerabilities (such as software that hasn't been properly updated, networks with security exposures, and unencrypted data) to access companies' capital and sensitive data. When these exploits are successful, the organization's reputation can be severely damaged, and it may lose the trust of customers or clients.

And yet, despite so much writing on the proverbial wall, the “Global Cybersecurity Status Report” from ISACA International found that only 38 percent of global organizations even claim to be prepared to handle a sophisticated cyberattack. Perhaps that is partly explained by Ponemon Institute research finding that 77 percent of IT professionals believe their organization does not have a formal cybersecurity incident response plan. There is a clear disconnect between enterprises' outlook on the risk they face as a result of cybersecurity failings and their ability to adapt to that reality.

This conundrum is increasingly front and center for corporate treasurers and their teams. Corporate treasury departments connect all lines of business and the C-suite, which makes them a compelling cyberattack target. So, too, does the fact that most corporate funds flow through the treasury function. As a company scales up and its scope of operations widens, its risk profile becomes more complex. Thus, its treasury department must proactively manage cybersecurity risk across personnel and technology, using a wide array of checks and measures.

To help corporate treasury employees protect themselves, we recommend three approaches to addressing modern cyberthreats:

1. Build better processes for evaluating and mitigating risks within treasury.

In my experience helping asset managers, hedge funds, and corporate treasury departments improve their cyber hygiene, I've found that the efficacy of cybersecurity programs correlates closely with the degree of rigor with which governance is applied.

Hold regular risk review meetings. One core facet of good governance is holding regular risk reviews and protocol meetings with key stakeholders and executives across the organization. The purpose of these meetings is to monitor different corporate departments for the proper application of cybersecurity policies and to gauge whether the company needs a more fluid testing process. By “fluid,” I mean testing that enables the organization, at a moment's notice, to recalibrate how it weights the significance of different cyber risks.

Increase sophistication of risk scoring. The traditionally static and ternary way of scoring risks as “high,” “medium,” or “low” (often labeled using red, yellow, and green icons) is flawed in that it fails to evaluate how a threat can escalate as it provides greater access to a company's internal network. For example, suppose that Supplier X is a third-party vendor with a direct connection into the network of Company Y. If Supplier X experiences a data breach, Company Y should immediately escalate the level of threat it perceives Supplier X as posing to its network. Access by the vendor's employees may need to be limited, or their activities monitored more closely for a while. Another example of risk complexity is a scenario in which Supplier X relies on a fourth party—say, Outsourcer Z—to complete its scope of work. Even if Supplier X keeps its network secure, if Outsourcer Z gains access to Company Y's network or data, then Company Y needs to increase the level of perceived threat of Supplier X. In both of these instances, Company Y can deploy automated security solutions, such as “smart” firewalls, to detect changes in the threat level using machine learning, then adjust security controls accordingly.

We encourage corporate treasury departments to adopt scoring systems that define risk based on a broad combination of factors. These factors may include the firm's vulnerability to a specific type of risk, the probability of a threat actor exploiting it, the value of the data that is at risk, the efficacy of controls the company has in place, and the outcome it desires. The risk scoring system should also take into account the age of the vulnerability, which may be defined as either the length of time the organization has been open to exploitation or the elapsed time since the flaw was discovered.
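As an added illustration (not code from the article or from Agio), the following Python sketch combines the factors just listed into a continuous score and escalates it when the vendor, or a fourth party it relies on, is reported breached, as in the Supplier X / Outsourcer Z scenario above. The weights, the 180-day aging horizon, the escalation threshold and the vendor values are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Vendor:
    name: str
    vulnerability: float     # how exposed Company Y is through this vendor, 0..1
    likelihood: float        # probability a threat actor exploits that exposure, 0..1
    data_value: float        # value of the data the vendor can reach, 0..1
    control_efficacy: float  # how well Company Y's controls mitigate it, 0..1
    discovered: date         # when the exposure was first identified
    fourth_parties: list = field(default_factory=list)  # vendors this vendor relies on

def age_factor(discovered: date, today: date, horizon_days: int = 180) -> float:
    """Unresolved exposure carries more weight the longer it stays open (capped at 1.0)."""
    return min(1.0, max(0, (today - discovered).days) / horizon_days)

def score(v: Vendor, today: date, breached: frozenset = frozenset()) -> float:
    """Continuous risk score in 0..1 rather than a fixed high/medium/low label."""
    inherent = v.vulnerability * v.likelihood * v.data_value
    residual = inherent * (1.0 - v.control_efficacy)
    aged = residual * (0.5 + 0.5 * age_factor(v.discovered, today))
    # Escalate when the vendor itself, or any fourth party it relies on, is breached.
    if v.name in breached or any(p.name in breached for p in v.fourth_parties):
        aged = min(1.0, aged * 2.0)
    return round(aged, 3)

def needs_escalation(v: Vendor, today: date, breached: frozenset,
                     threshold: float = 0.1) -> bool:
    """True when a breach somewhere in the supply chain pushes the score over the threshold."""
    return score(v, today, breached) >= threshold > score(v, today)

# Constructed sample data: assumed values, not figures from the article.
TODAY = date(2024, 6, 1)
OUTSOURCER_Z = Vendor("Outsourcer Z", 0.3, 0.3, 0.8, 0.5, date(2024, 3, 3))
SUPPLIER_X = Vendor("Supplier X", 0.6, 0.4, 0.8, 0.5, date(2024, 3, 3), [OUTSOURCER_Z])

if __name__ == "__main__":
    print("baseline:", score(SUPPLIER_X, TODAY))
    print("after Outsourcer Z breach:", score(SUPPLIER_X, TODAY, frozenset({"Outsourcer Z"})))
    print("escalate?", needs_escalation(SUPPLIER_X, TODAY, frozenset({"Outsourcer Z"})))
```

With these sample values Supplier X scores 0.072 on its own; a breach at Outsourcer Z doubles it to 0.144 even though Supplier X's own figures are unchanged.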

To set expectations for the length of time that detection, isolation, and resolution of a cybersecurity incident should take, corporate treasurers can defer to industry benchmarks such as Verizon's most recent “Data Breach Investigations Report” or studies by independent research firms like Ponemon Institute. The “2017 Cost of Data Breach Study” from Ponemon, for example, estimates that it takes organizations an average of 191 days to identify a data breach and 66 days to contain it. While the length of time considered acceptable for threat detection and response varies greatly between systems, this research can provide a reference point based on real-world examples.

Test treasury employees. Another important component of governance programs is the rigorous and specialized testing of individual employees within the corporate treasury department. Such tests are crucial because of treasury teams' proximity to, and easy access to, company capital. One example is “grey-hat hacking,” whereby treasury departments assign a third-party expert (such as Agio) to breach their defenses and move money from one corporate bank account to a different bank owned by the same financial institution. A successful infiltration exercise, and subsequent analysis of the process by cybersecurity experts, can give a treasury group information they can use to build out custom functions that better protect their systems.

Develop comprehensive data maps and data retention policies. At the same time, corporate treasury departments should be mapping the organization's storage of relevant data. This may include any information tied to a customer account, a vendor agreement, or a company workflow. Loan payment schedules and lists of professionals approved to authorize payments, investments, capital calls, and other transactions should certainly be mapped—criminals armed with this information could coordinate an attack by inserting themselves into the expected flow of payments.

Enterprises typically have a vague sense of what types of data they're storing, but effective cybersecurity requires a more robust data map than most have, a map that details where and how each data set is currently located, as well as the optimal length of time that the company will store each type of information. Consider investor relations (IR) data, for example. IR professionals who access investors' contact information and account numbers for purposes of dividend payments via wire transfers may export these details from their customer relationship management (CRM) database to support a marketing analysis. If they save this data on a new device—or, worse, send it to an external marketing firm—they are introducing a risk that the company's data security team should be aware of. The data map needs to be updated, and IR needs to put in place a process ensuring that the data is deleted once the marketing analysis is complete.

Very few treasury people understand the final destination of all their data. They may initiate payments in an accounts payable (A/P) system, submit payment files to the bank through their treasury workstation, and make corresponding entries into the enterprise resource planning (ERP) system's general ledger. But they may not fully understand how long payment data will reside in all the various systems, who will have access to the information before it is deleted, where the backups will be stored and for how long, etc.

Data that is no longer valuable to the company should be destroyed, but many organizations lack a routine and regimented process for disposing of even the most sensitive data. Such a scenario presents a compelling payload for criminals who can find value outside the organization for data related to payments and cash flows.

Companies need to think non-traditionally about risk. Many are slow to move away from antiquated security measures. In those businesses, treasury leaders may need to take the initiative to help drive the organization to confront a modern threat landscape rife with evolving malicious tactics like social engineering.

2. Establish the right security criteria for selecting technology vendors.

Recent research from Soha Systems suggests that 63 percent of all data breaches start with a vendor's cyber vulnerabilities. This daunting statistic is compounded by the PwC finding that only 52 percent of firms have formal security standards for their third-party providers.

As corporate treasury professionals continue to onboard new technologies, it's important to hold vendors accountable for the solutions they provide. A treasury team may work with dozens of different vendors—all of which have varying levels of sophistication in their cyber hygiene practices and present different degrees of risk, depending on what corporate data they have access to.

Any software purchased or licensed from a third party should be equipped with some means of automated anomaly detection, a mechanism that sends an alert to relevant parties whenever it detects strange behavior. For example, an alert might be triggered if two different IP addresses log into one individual account over a period of time so short that it raises suspicions. Likewise, the treasury team might be notified if the software detects an unusually large volume of downloads or failed logins in a day, or if it notices irregular patterns in creation of accounts for use of the software. We call these indicators that bad actors are trying to breach a system “indications of compromise,” or IOCs, and they are usually the first step in a sophisticated multi-step cyberattack.
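As an added example (not from the article or any vendor's product), here is a small Python detector that runs the four checks described above over a constructed audit log: one account reached from two IP addresses within a short window, too many failed logins or downloads per user per day, and a burst of account creations. The log format, thresholds and sample users are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample audit log for a treasury application (not from the article):
# one event per line as "<ISO timestamp> <user> <event> <source ip>".
SAMPLE_LOG = "\n".join(
    ["2024-06-03T09:00:05 alice login_ok 203.0.113.10",
     "2024-06-03T09:04:40 alice login_ok 198.51.100.7",    # second IP within minutes
     "2024-06-03T11:30:00 carol login_ok 203.0.113.15",
     "2024-06-04T08:15:00 carol login_ok 198.51.100.9"]    # new IP, but a day later
    + [f"2024-06-03T10:0{i}:00 bob login_fail 203.0.113.22" for i in range(4)]
    + [f"2024-06-03T13:{i:02d}:00 dave download 203.0.113.30" for i in range(6)]
    + [f"2024-06-03T14:{i:02d}:00 svc account_created 203.0.113.40" for i in range(3)]
)

def parse(text):
    """Parse log lines into (timestamp, user, event, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, event, ip))
    return sorted(events)

def detect(events, window=timedelta(minutes=10), max_failed=3,
           max_downloads=5, max_new_accounts=2):
    """Return indicators of compromise as (rule, subject) pairs. Thresholds are assumptions."""
    iocs = []
    last_login = {}           # user -> (timestamp, ip) of the previous successful login
    per_day = Counter()       # (user, day, event) -> count
    new_accounts = Counter()  # day -> accounts created
    for ts, user, event, ip in events:
        if event == "login_ok":
            prev = last_login.get(user)
            # Same account, different IP, within the window: flag it.
            if prev and prev[1] != ip and ts - prev[0] <= window:
                iocs.append(("two_ips_short_window", user))
            last_login[user] = (ts, ip)
        elif event == "account_created":
            new_accounts[ts.date()] += 1
        per_day[(user, ts.date(), event)] += 1
    for (user, day, event), n in per_day.items():
        if event == "login_fail" and n > max_failed:
            iocs.append(("failed_logins_per_day", user))
        elif event == "download" and n > max_downloads:
            iocs.append(("downloads_per_day", user))
    for day, n in new_accounts.items():
        if n > max_new_accounts:
            iocs.append(("account_creation_burst", str(day)))
    return iocs
```

Calling `detect(parse(SAMPLE_LOG))` flags alice, bob, dave and the 2024-06-03 account burst, while carol's second IP a day later stays below the window and is not reported.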

Corporate treasury departments should also place greater emphasis on whether vendors proactively identify and defend clients against threats. In work with clients in the financial services sector, we've seen vendors try to pass the buck back to the client more times than I can count. Vendors may not have legal liability for the data stored in their systems, but they should provide corporate treasury departments with real-time updates and periodic reports on the threat landscape facing the product or service they're affiliated with.

Considering the pronounced risk they present, it's critical that treasury teams categorize vendors accurately based on their risk profile and, in turn, apply an appropriate level of scrutiny to each merchant.

3. Communicate treasury's needs to management and other areas of the business.

As enterprise risks evolve, corporate treasury departments will need support from across the organization. Treasury personnel must also be able to effectively communicate their cyber posture to the company's board, providing sufficient levels of detail in terms that executives removed from the front lines of the business can understand. This may include justification of budgets for cybersecurity needs, explanation of the company's current state of compliance with data regulations and industry frameworks, progress made in the wake of a data privacy breach, findings of periodic reviews, and updates on any changes put in place as a result.

Regular updates, reviews, and meetings with senior managers are critical. The C-suite approves investments in cybersecurity protection. Receiving security upgrades depends on executives understanding what is at stake and why additional protection may be necessary. These meetings need to be structured with a formal agenda, including post-meeting action and remediation plans so that participants can start to see and feel the progress being made.

|

Quarterly meetings with the executive team should carve out time for information security staff to:

  • update senior leaders about ongoing risk assessments and data mapping exercises;
  • provide a comprehensive brief on newly identified risk areas requiring critical oversight; and
  • review industrywide threat intelligence, when available, to understand the cyberthreats their competitors are encountering.

The C-suite plays a key role in determining cybersecurity policy for the treasury function. Anytime a request to move money comes through, the treasury or finance professionals tasked with carrying out the request need to validate the authenticity through a means other than email. A robust process for handoff of financial data or other sensitive information should mix virtual interactions with real-world ones, as a means of confirming each request's authenticity. The C-suite needs to be involved in establishing this process so that they understand why treasury needs the authentication they are asking for and how a delayed response to an authentication request might affect a wire payment or other funds transfer.

Senior management should also be involved in developing the treasury department's response plan in the event of a cybersecurity threat; the response plan needs to outline the steps to effective communication in such a crisis situation. This playbook should detail who is on the incident response team, what their responsibilities are, how the scope of a breach is determined, how best to notify customers and investors, the legal and compliance requirements the company will need to meet as it responds, and how to manage internal and external communications.

Separate monthly meetings with key stakeholders from IT, operations, legal, human resources, investor relations, and compliance, as well as the lines of business, should be used to update managers in these areas about the results of ongoing risk assessments, data mapping exercises, and incident response plans. Keeping the lines of communication open with leaders throughout the company will help treasury share the cybersecurity burden in terms of intelligence, labor, and other resources, ultimately reducing the cost burden of cyber assessments. Such meetings are also ideal for discussion around budgetary needs and organizing companywide training sessions around payments controls and cybersecurity.

The path to protecting the enterprise is complex. From prioritizing a close review of software patches to thoroughly vetting vendors and maintaining a fluid testing process catering to humans and technology, corporate treasury professionals must refine their understanding of cyber risks and best practices for addressing them.

Bart McDonough is CEO and founder of Agio, a hybrid managed IT and cybersecurity services provider for companies in the financial services, healthcare, and payments industries. In this role, McDonough uses more than 20 years of experience across cybersecurity, business development, and IT management to design risk management strategies, controls, and models that protect his clients' most precious assets: money and reputation. He is also the author of Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals, and he sits on the board of two cybersecurity firms, TwoSense.AI and Magnus Cloud.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.