Information security for treasury has become a top priority as organizations struggle to defend themselves against internal and external fraud.

The numbers are frightening: According to the 2017 AFP Payments Fraud and Control Survey, 74 percent of participating companies were targets of payments-fraud attacks in 2016. Worse, 47 percent of those fraud attempts were successful, meaning that more than a third of all companies surveyed lost money last year due to fraud.

Treasury is a leading target for cybercriminals because of the sensitive information that the function protects, as well as the possibility of immediate payoff if unauthorized payments succeed. It is no surprise that information security is garnering so much attention within treasury functions.

Still, in many organizations, treasury maintains its own set of security policies that are neither aligned with, nor managed by, IT. This creates risk for the organization, as the treasury team may not be following the best practices employed by the company's chief information security officer (CISO). This disconnect may create exploitable opportunities for internal and external compromise of payments and other treasury data.

To minimize their function's risk, treasurers should leverage the growing fears of cybercrime and payments fraud as an opportunity to align treasury with corporate security requirements established by the CISO or other IT security executive. An effective treasury information security policy must support the company's overall objectives in four areas: application security, data security, payment controls, and payment screening.

1. Application Security

Application security is about protecting access to treasury and payment systems, including managing the credentials that are needed to log into these platforms. Fortunately, treasury teams widely agree that relying on a simple user ID and password is insufficient to protect access to treasury systems, since passwords can be stolen or guessed by hackers' algorithms.

The minimum standard for treasury application security is typically two-factor authentication, in which user ID and password are complemented by an additional, randomly generated security key. There are different ways to deploy two-factor authentication, including via hard token (a physical device) or soft token (SMS to your mobile phone). Most banks use this approach for access to their portals, which is why treasury professionals should be very familiar with, and comfortable employing, two-factor authentication for access to their treasury systems.

In addition to two-factor authentication, treasury teams can employ safeguards such as IP filtering and single sign-on. With IP filtering, the system requires additional information (e.g., security questions or an additional authentication measure) anytime a login attempt is coming from an unrecognized device. With single sign-on, IT actually manages all logins to the treasury system; users will log into a single internal account, such as Windows, and that connection drives access to corporate systems, including treasury. This puts IT in control of the treasury system's security, which is often viewed as a positive because IT staff can ensure that application security and user entitlements are centrally managed for all corporate employees.

Whatever the combination of application security protocols implemented, multiple options are always better than a single line of defense. And achieving consistency between treasury's controls and the rest of the organization is always a best practice, to ensure that treasury is not the weakest link in the organization's cybersecurity armor.

2. Data Security

Cloud-based treasury software has become extremely popular, from corporate treasury management systems to trading portals to bank software. Yet moving treasury information to the cloud also necessitates 100 percent encryption of corporate data when it's at rest on cloud servers. This is crucial so that if the hosting service provider's systems are ever compromised, the data will be unusable to unauthorized users. The IT team's due diligence on a new treasury cloud provider should include evaluating whether all data at rest is encrypted, and possibly whether key fields can be further encrypted at the application level.

In addition, any evaluation of a cloud provider should confirm that a reputable information security vendor regularly conducts penetration testing on the cloud-based systems, and provides written attestations to the results of the penetration testing program. These tests should include both blind and authenticated modes. Blind testing occurs when a security firm attempts to hack into the system without credentials, and looks for areas of vulnerability to external attackers. Authenticated testing occurs when an individual with authorized access to the system looks for opportunities to access data that they are not supposed to see.

3. Payment Controls

A company's payment controls need to be aligned to its global payment policies and consistently applied for all payment types, across all users, and in all geographies. Any exception creates risk, whether the exception is granted because the CEO asks for an urgent wire transfer or because the regional CFO is 12 time zones away.

Most treasury organizations do a good job of creating policies that balance who can initiate and approve payments, especially for firms where treasury is a global operation. Problems are more likely to arise in the execution of those policies, as treasury, accounting, and finance may use different systems for payments. Each system offers its own features for limits and approvals, so a companywide global payment policy may be difficult to implement.

For this reason, increasing numbers of CFOs are favoring payment factories and shared service centers. These centralized structures better align payment policies with a single set of payment controls. They also offer greater visibility into outgoing payments for treasury, which supports more efficient cash management and enables simpler reconciliation between the company's record of expected payments and the acknowledgement messages that are returned from the bank. Most treasury management systems can handle this reconciliation process so that any discrepancies can be flagged for immediate investigation.

Whatever degree of payment centralization exists, payment platforms should have a checklist of controls to document who has privileges to create and approve a payment, along with scenarios in which those privileges are suspended—for example, if the payment approver has modified a payment instruction. These safeguards, alongside an additional requirement for two-factor authentication at the point of payment approval, can help ensure that only approved payments are being sent from internal systems.

4. Payment Screening

Payment screening is the last line of defense against fraud. Treasury teams are familiar with the fact that their banks screen payments against sanction lists, such as OFAC in the United States and similar government-managed databases from the E.U. and U.N. Treasurers are usually notified by their banks if payments run afoul of such watch lists, yet that notification may occur a day or more after payments were transmitted to the bank.

Fortunately, treasury management systems are beginning to incorporate external sanction-list screening within their payment workflows so that treasury teams see the exact same screening results as their banks do, though they receive notification of issues much sooner than if they waited for the bank to provide notification. In some cases, the company may be able to identify offending payments before they are ever sent to the bank, which is yet another fraud control.

Treasury should not rely on external payment watch-list screening as the sole indicator of suspicious payment activity. Payments must also be screened against internally designed rules that are built around scenarios treasury wants to protect the company against—such as payments being sent to a recently updated bank account; transactions being modified after import from the ERP system; payments being transmitted to a beneficiary in a country where the organization does not have any suppliers; or a combination of payments that, in aggregate, exceed soft or hard payment limits.

These are only a few of the many scenarios that a company's systems should automatically screen payments against in real time so that treasury and/or internal audit can be alerted to suspicious payments before they are transmitted to the bank. Depending on the number of third-party payments that treasury and finance must analyze, data visualization may help direct attention to the most serious pending issues through use of different fonts, colors, and custom scoring.

Top 5 Ways to Align to the CISO

Combating payments fraud is difficult because, in many cases, companies lack the technology and personnel to properly implement global payment policies across all their systems. By working with the CISO or equivalent companywide leader to secure their systems, treasurers can help minimize the organization's risk of falling victim to payments fraud.

Here are 5 first steps for initiating this mutually beneficial relationship:

Request a list of security best practices, or the company's security policy, from your CISO. It's an easy ask and will enable treasury staff to identify any areas where treasury security policies differ from corporate policies in significant ways.
Acquire a list of data-security best practices and policies from the vendor of your treasury management system, and present this list to your CISO. Your vendor should have this information readily available. The treasury team's ability to adhere to policies and establish workflows that effectively protect corporate data will be useful in company compliance audits.
Establish security KPIs with your team. Effectively monitoring access to the corporate treasury management system will impress the CISO. Request a simple report on security access from your treasury management system vendor.
Request training on securing your treasury management solutions. As part of today's ongoing education for treasury certifications, many webinars and conference training sessions offer tips and best practices that reinforce the importance of secure passwords and multi-factor authentication. It's a good idea to ask your team to provide a list of the security training they've undergone, and to include that information in reports on the treasury function's security practices.
Treasury systems via VPN: New, best-in-class cloud solutions run in data centers and utilize data security services that most CISOs prefer to see. Nevertheless, there are options for enhancing security for companies that run their treasury management systems on-premises. One key security measure is ensuring that employees working from remote locations can access treasury data only via a locked-down and secure VPN.

Protecting systems from unauthorized users, always keeping data encrypted, and implementing a standard set of payment controls will help significantly reduce the risk of fraud. The final line of defense should be scenario-based payments screening to detect, in real time, any suspicious payments that need another look before being released.

As the era of non-bank payments, distributed ledgers, and real-time payments looms closer, the importance of great fraud prevention increases drastically.

———————————

Bob Stark is the vice president of strategy for Kyriba. In this role, he is responsible for that company's global product strategy and market development. Stark is a 19-year veteran of the treasury technology industry, having served in multiple roles at Wall Street Systems, Thomson Reuters, and Selkirk Financial Technologies. He is a regular speaker at treasury conferences, including AFP National, EuroFinance, and regional AFP events.

Instant Insights /

Team with the CISO to Keep Treasury Data Secure

Related Stories

Recommended For You