Cybersecurity ranks second among corporate treasuries’ top areas of concern for the next three years. That’s according to nearly 400 treasury professionals surveyed in the Association for Financial Professionals’ (AFP’s) 2019 Risk Survey, sponsored by Marsh & McLennan.
This is hardly surprising. Cyberattacks are becoming more and more common, with criminals expected to steal around 33 billion records in 2023, up from 12 billion records in 2018, according to “Cybercrime & the Internet of Threats 2018” from Juniper Research. Meanwhile, bad actors are using an assortment of malicious tactics—including phishing, wire transfer fraud, and vendor-payment fraud—and corporate vulnerabilities (such as software that hasn’t been properly updated, networks with security exposures, and unencrypted data) to access companies’ capital and sensitive data. When these exploits are successful, the organization’s reputation can be severely damaged, and it may lose the trust of customers or clients.
And yet, despite so much writing on the proverbial wall, the “Global Cybersecurity Status Report” from ISACA International found that only 38 percent of global organizations even claim to be prepared to handle a sophisticated cyberattack. Perhaps that is partly a result of the finding of Ponemon Institute research that 77 percent of IT professionals believe their organization does not have a formal cybersecurity incident response plan. There is a clear disconnect between enterprises’ outlook on the risk they face as a result of cybersecurity failings and their ability to adapt to that reality.
This conundrum is increasingly front and center for corporate treasurers and their teams. Corporate treasury departments connect all lines of business and the C-suite, which makes them a compelling cyberattack target. So, too, does the fact that most corporate funds flow through the treasury function. As a company scales up and its scope of operations widens, its risk profile becomes more complex. Thus, its treasury department must proactively manage cybersecurity risk across personnel and technology, using a wide array of checks and measures.
To help corporate treasury employees protect themselves, we recommend three approaches to addressing modern cyberthreats:
1. Build better processes for evaluating and mitigating risks within treasury.
In my experience helping asset managers, hedge funds, and corporate treasury departments improve their cyber hygiene, I’ve found that the efficacy of cybersecurity programs correlates closely with the degree of rigor with which governance is applied.
Hold regular risk review meetings. One core facet of good governance is holding regular risk reviews and protocol meetings with key stakeholders and executives across the organization. The purpose of these meetings is to monitor different corporate departments for the proper application of cybersecurity policies and to gauge whether the company needs a more fluid testing process. By “fluid,” I mean testing that enables the organization, at a moment’s notice, to recalibrate how it weights the significance of different cyber risks.
Increase sophistication of risk scoring. The traditionally static and ternary way of scoring risks as “high,” “medium,” or “low” (often labeled using red, yellow, and green icons) is flawed in that it fails to evaluate how a threat can escalate as it provides greater access to a company’s internal network. For example, suppose that Supplier X is a third-party vendor with a direct connection into the network of Company Y. If Supplier X experiences a data breach, Company Y should immediately escalate the level of threat it perceives Supplier X as posing to its network. Access by the vendor’s employees may need to be limited, or their activities monitored more closely for a while. Another example of risk complexity is a scenario in which Supplier X relies on a fourth party—say, Outsourcer Z—to complete its scope of work. Even if Supplier X keeps its network secure, if Outsourcer Z gains access to Company Y’s network or data, then Company Y needs to increase the level of perceived threat of Supplier X. In both of these instances, Company Y can deploy automated security solutions, such as “smart” firewalls, to detect changes in the threat level using machine learning, then adjust security controls accordingly.
We encourage corporate treasury departments to adopt scoring systems that define risk based on a broad combination of factors. These factors may include the firm’s vulnerability to a specific type of risk, the probability of a threat actor exploiting it, the value of the data that is at risk, the efficacy of controls the company has in place, and the outcome it desires. The risk scoring system should also take into account the age of the vulnerability, which may be defined as either the length of time the organization has been open to exploitation or the elapsed time since the flaw was discovered.
To set expectations for the length of time that detection, isolation, and resolution of a cybersecurity incident should take, corporate treasurers can defer to industry benchmarks such as Verizon’s most recent “Data Breach Investigations Report” or studies by independent research firms like Ponemon Institute. The “2017 Cost of Data Breach Study” from Ponemon, for example, estimates that it takes organizations an average of 191 days to identify a data breach and 66 days to contain it. While the length of time considered acceptable for threat detection and response varies greatly between systems, this research can provide a reference point based on real-world examples.
Test treasury employees. Another important component of governance programs is the rigorous and specialized testing of individual employees within the corporate treasury department. Such tests are crucial because of treasury teams’ proximity to, and easy access to, company capital. One example is “grey-hat hacking,” whereby treasury departments assign a third-party expert (such as Agio) to breach their defenses and move money from one corporate bank account to a different bank owned by the same financial institution. A successful infiltration exercise, and subsequent analysis of the process by cybersecurity experts, can give a treasury group information they can use to build out custom functions that better protect their systems.
Develop comprehensive data maps and data retention policies. At the same time, corporate treasury departments should be mapping the organization’s storage of relevant data. This may include any information tied to a customer account, a vendor agreement, or a company workflow. Loan payment schedules and lists of professionals approved to authorize payments, investments, capital calls, and other transactions should certainly be mapped—criminals armed with this information could coordinate an attack by inserting themselves into the expected flow of payments.
Enterprises typically have a vague sense of what types of data they’re storing, but effective cybersecurity requires a more robust data map than most have, a map that details where and how each data set is currently located, as well as the optimal length of time that the company will store each type of information. Consider investor relations (IR) data, for example. IR professionals who access investors’ contact information and account numbers for purposes of dividend payments via wire transfers may export these details from their customer relationship management (CRM) database to support a marketing analysis. If they save this data on a new device—or, worse, send it to an external marketing firm—they are introducing a risk that the company’s data security team should be aware of. The data map needs to be updated, and IR needs to put in place a process ensuring that the data is deleted once the marketing analysis is complete.
Very few treasury people understand the final destination of all their data. They may initiate payments in an accounts payable (A/P) system, submit payment files to the bank through their treasury workstation, and make corresponding entries into the enterprise resource planning (ERP) system’s general ledger. But they may not fully understand how long payment data will reside in all the various systems, who will have access to the information before it is deleted, where the backups will be stored and for how long, etc.
Data that is no longer valuable to the company should be destroyed, but many organizations lack a routine and regimented process for disposing of even the most sensitive data. Such a scenario presents a compelling payload for criminals who can find value outside the organization for data related to payments and cash flows.
Companies need to think non-traditionally about risk. Many are slow to move away from antiquated security measures. In those businesses, treasury leaders may need to take the initiative to help drive the organization to confront a modern threat landscape rife with evolving malicious tactics like social engineering.
2. Establish the right security criteria for selecting technology vendors.
Recent research from Soha Systems suggests that 63 percent of all data breaches start with a vendor’s cyber vulnerabilities. This daunting statistic is compounded by the PwC finding that only 52 percent of firms have formal security standards for their third-party providers.
As corporate treasury professionals continue to onboard new technologies, it’s important to hold vendors accountable for the solutions they provide. A treasury team may work with dozens of different vendors—all of which have varying levels of sophistication in their cyber hygiene practices and present different degrees of risk, depending on what corporate data they have access to.
Any software purchased or licensed from a third party should be equipped with some means of automated anomaly detection, a mechanism that sends an alert to relevant parties whenever it detects strange behavior. For example, an alert might be triggered if two different IP addresses log into one individual account over a period of time so short that it raises suspicions. Likewise, the treasury team might be notified if the software detects an unusually large volume of downloads or failed logins in a day, or if it notices irregular patterns in creation of accounts for use of the software. We call these indicators that bad actors are trying to breach a system “indications of compromise,” or IOCs, and they are usually the first step in a sophisticated multi-step cyberattack.
Corporate treasury departments should also place greater emphasis on whether vendors proactively identify and defend clients against threats. In work with clients in the financial services sector, we’ve seen vendors try to pass the buck back to the client more times than I can count. Vendors may not have legal liability for the data stored in their systems, but they should provide corporate treasury departments with real-time updates and periodic reports on the threat landscape facing the product or service they’re affiliated with.
Considering the pronounced risk they present, it’s critical that treasury teams categorize vendors accurately based on their risk profile and, in turn, apply an appropriate level of scrutiny to each merchant.
3. Communicate treasury’s needs to management and other areas of the business.
As enterprise risks evolve, corporate treasury departments will need support from across the organization. Treasury personnel must also be able to effectively communicate their cyber posture to the company’s board, providing sufficient levels of detail in terms that executives removed from the front lines of the business can understand. This may include justification of budgets for cybersecurity needs, explanation of the company’s current state of compliance with data regulations and industry frameworks, progress made in the wake of a data privacy breach, findings of periodic reviews, and updates on any changes put in place as a result.
Regular updates, reviews, and meetings with senior managers are critical. The C-suite approves investments in cybersecurity protection. Receiving security upgrades depends on executives understanding what is at stake and why additional protection may be necessary. These meetings need to be structured with a formal agenda, including post-meeting action and remediation plans so that participants can start to see and feel the progress being made.
Quarterly meetings with the executive team should carve out time for information security staff to:
- update senior leaders about ongoing risk assessments and data mapping exercises;
- provide a comprehensive brief on newly identified risk areas requiring critical oversight; and
- review industrywide threat intelligence, when available, to understand the cyberthreats their competitors are encountering.
The C-suite plays a key role in determining cybersecurity policy for the treasury function. Anytime a request to move money comes through, the treasury or finance professionals tasked with carrying out the request need to validate the authenticity through a means other than email. A robust process for handoff of financial data or other sensitive information should mix virtual interactions with real-world ones, as a means of confirming each request’s authenticity. The C-suite needs to be involved in establishing this process so that they understand why treasury needs the authentication they are asking for and how a delayed response to an authentication request might affect a wire payment or other funds transfer.
Senior management should also be involved in developing the treasury department’s response plan in the event of a cybersecurity threat; the response plan needs to outline the steps to effective communication in such a crisis situation. This playbook should detail who is on the incident response team, what their responsibilities are, how the scope of a breach is determined, how best to notify customers and investors, the legal and compliance requirements the company will need to meet as it responds, and how to manage internal and external communications.
Separate monthly meetings with key stakeholders from IT, operations, legal, human resources, investor relations, and compliance, as well as the lines of business, should be used to update managers in these areas about the results of ongoing risk assessments, data mapping exercises, and incident response plans. Keeping the lines of communication open with leaders throughout the company will help treasury share the cybersecurity burden in terms of intelligence, labor, and other resources, ultimately reducing the cost burden of cyber assessments. Such meetings are also ideal for discussion around budgetary needs and organizing companywide training sessions around payments controls and cybersecurity.
The path to protecting the enterprise is complex. From prioritizing a close review of software patches to thoroughly vetting vendors and maintaining a fluid testing process catering to humans and technology, corporate treasury professionals must refine their understanding of cyber risks and best practices for addressing them.
Bart McDonough is CEO and founder of Agio, a hybrid managed IT and cybersecurity services provider for companies in the financial services, healthcare, and payments industries. In this role, McDonough uses more than 20 years of experience across cybersecurity, business development, and IT management to design risk management strategies, controls, and models that protect his clients’ most precious assets: money and reputation. He is also the author of Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals, and he sits on the board of two cybersecurity firms, TwoSense.AI and Magnus Cloud.