Remote working, and greater reliance on technology, is leading to a rapid increase in cyber-attacks and fraud attempts. Royston Da Costa, Assistant Group Treasurer, Ferguson, and Michael Juen, Chief Customer Officer, BELLIN, a Coupa company, explain how treasurers can build greater resilience against these threats – and weigh up the costs of investing in cybersecurity against the risks of taking no action.
It’s no secret: cybercrime is on the rise and the nature of attacks is evolving rapidly. Add to this the way in which Covid-19 has exposed many companies’ inability to quickly understand where their cash is – and the fact that, for many, remote working and all its extra security risks is here to stay – it becomes clear that doing nothing to increase corporate resilience is even less of an option than it was before.
Fortunately, many businesses are alert to the need to respond. As the nexus of some of the most important financial relationships, processes, systems and data, perhaps the most appropriate corporate function to take the lead in this effort is corporate treasury. But this is not about treasury becoming overnight security experts. Instead, this is about treasurers learning to see ‘the big picture’ and exploring how different cybersecurity measures can protect the business and, importantly, helping others in the organisation to adopt the same clear-eyed approach to building long-term corporate resilience.
Defining resilience
For Royston Da Costa, Assistant Group Treasurer, Ferguson, there are the four pillars of post-Covid-19 corporate resilience. The first, cybersecurity, starts with personal responsibility but expands quickly into making sure the right enterprise-wide controls, processes and personnel are in place, he explains.
Next, future-proofing should be a vital part of every significant digital agenda. It means creating a solid technological base with which to enable a continual response to the changing world. He believes Ferguson’s implementation of BELLIN’s TMS in 2015, for example, upholds just such a philosophy.
Awareness is the third pillar. Building on cybersecurity measures, being aware ensures every employee understands the risks and knows how to conduct themselves in a digital world. Ferguson has regular training programmes to ensure all are up to speed.
Finally, the remote access pillar echoes the corporate technology infrastructure where, for example, Ferguson’s cloud-based solutions are empowering staff to work remotely.
Spotting weaknesses
The fact that resilience can be defined in many ways makes it somewhat subjective, says Da Costa. From corporate to corporate, and even from function to function, acceptable criteria vary. It’s therefore important, he says, for individual treasurers to identify which aspects of their treasury need to be resilient, to what degree, and what the most appropriate response is.
The sudden onset of remote working has inevitably raised a number of issues, especially for those without cloud-based solutions, he notes. And with treasury teams using home Wi-Fi, bandwidth has been an issue for some, the frustrations that slow speeds or multiple users causes must now at least be considered for future home-based operations. Although Ferguson’s own VPN is generally used only to update software and occasionally access certain applications (which are themselves embedded with encryption), there are, he acknowledges, “no 100% guarantees”. As such, vigilance remains paramount.
One positive outcome of Covid-19 seen by Da Costa is the acceptance, finally, of secure digital signatures. The demand for wet signatures by banks was a real issue as lockdown began, with few banks outside of the US prepared to consider digital signing. “Now, they all do. And my view is that they can’t go back. It’s a game-changer”.
Of course, deploying even the best technology without secure workflows between remote and office staff will be no help at all, says Michael Juen, Chief Customer Officer, BELLIN, a Coupa company. It’s important, he advises, “to set up channels of communication and collaboration if secure and transparent processes are to be created”.
Strategic choices
Da Costa echoes this advice. In 2015, BELLIN was the first major cloud-based solution that Ferguson’s Group Treasury implemented – and internal audit and IT were necessarily involved in its selection, then played a huge part in treasury’s journey thereafter. “Getting their buy-in and sign-off has paid dividends,” states Da Costa.
He explains that audit’s involvement ensured a number of Ferguson’s internal controls could be embedded within the vendor’s platform from the outset. Audit also validated treasury’s choice of system, ensuring it met current and future security requirements.
The future resilience of treasury is a natural part of Da Costa’s strategic approach. He has developed a “roadmap” of this journey, explaining that “it’s important to plan, regardless of whether you’re talking about cybersecurity, technology or treasury functionality generally”.
Although further process automation is an obvious roadmap feature, Da Costa spells out the need for enhanced controls that will provide security within a developing infrastructure that will, in turn, support his future-view of a ‘virtual’ location-independent treasury. If anything, the demands of lockdown and homeworking have further vindicated his strategic planning approach – and vision – helping to ensure the company’s continuity and resilience for some time to come.
Review and improve
The BELLIN TMS is thus a major component of this resilient future. Its implementation presented treasury with an opportunity to review processes and insert the most appropriate controls within the system at the earliest stage.
Prior to implementation, group treasury and its subsidiaries were each working on different systems, often with manually input controls. By embedding controls on one platform for all to use, and group treasury able to automate many subsidiary administrative functions, the company moved its security and resilience score (not to mention its visibility over core treasury processes) up several notches.
Having implemented BELLIN, a Coupa company, treasury is better able to monitor improvements in controls and efficiency. The vendor’s mobile payments app makes life easier, says Da Costa, “but we still retain the controls, and we can now obtain approvals from our Group Treasurer or senior management wherever they are in the world”.
And the aforementioned digital-signing technology, used in bank authorisations, has also proved invaluable for secure and efficient internal approvals management. With all user validations and controls around confirmations being automated within BELLIN, a Coupa company, supported by multi-factor authentication, he reports “significant improvements in process efficiency and resilience and future-proofing”.
With clients such as Ferguson continually assessing the tools it needs to stay ahead of the curve, Juen says BELLIN, a Coupa company, is similarly assessing its next moves. This is not just in terms of the technology it needs to deliver, and how this should evolve in line with or even ahead of market changes, but also around planning integrations with solutions from other vendors. To do this, Juen says the company’s experts are drawing upon and sharing their vast experience in the field, and the accumulated knowledge and understanding of different client priorities that this brings.
Future goals
This is a two-way process, however. In order for treasury to move from where it is, to where it wants to be, requires a certain frankness in discussions with vendors. “Don’t be shy,” urges Da Costa. “From day one, make sure you say what you want.”
To avoid being tied up in the detail of solution discussions, he created a Statement of Work document. In consultation with in-house IT, audit and Ferguson’s subsidiaries, this laid out expectations clearly, setting the tone for the ensuing negotiations with its vendor’s customer support team. BELLIN, a Coupa company, also brought Da Costa and his team into its own user-group community, helping Ferguson better understand its own wants and needs, and giving it confidence to push the vendor on these and all future needs.
In this respect, Da Costa is already eyeing more functionality within the mobile app (deal approvals, for example), reporting enhancements, and greater use of artificial intelligence (AI) and application programming interfaces (APIs) within the platform “to help further improve the balance of process speed with security”.
Act now
With a wealth of experience to draw upon, Da Costa advises treasurers in the midst of a pandemic-infused cybersecurity review “not to panic”. Information is plentiful, he notes, citing the UK’s National Crime Agency as being a particularly useful educational resource and sounding board.
But he also says that it is important for treasurers to know precisely what they are responsible for in terms of cybersecurity, and what falls to IT. He adds that every treasurer would be well advised to develop a strong rapport with that function.
“Beyond that, I can’t state enough the need to look at your processes and identity your potential weak points,” he continues. “This requires a reasonable level of introspection and honesty; if there’s something you’re not good at, admit it. It’s only by doing that, that you can become stronger.”
Understandably, partners have a role to play during this reflective phase. Ferguson has benefitted from input delivered by BELLIN, a Coupa company, but Da Costa says getting internal partners such as IT and audit on board from the start has removed any need to repeatedly explain each new step. The process has been validated upfront for security purposes, and with IT and audit “fully engaged”, progress was considerably smoother than it might otherwise have been.
Value proposition
But what about cost? With most treasuries budget-constrained to some extent, it’s worth considering the cost of not doing anything about cybercrime and future resilience, comments Da Costa. Investment in a core system will almost certainly require a business case to be developed. But when the paymasters cannot see the advantage, the case is lost. However, the prevalence of cybercrime today sees spreadsheet-based operations taking a huge risk, with potential losses – both financial and reputational – that could far outweigh the cost of rolling out a secure cloud-based system.
A TMS vendor will be only too willing to help treasury quantify the cost-benefits of system deployment. But, says Da Costa, “having secured the buy-in of IT and audit from the outset, treasury will have the most advantageous support from stakeholders who recognise the value of having robust controls in place and of being cyber-secure”.
Of course, process speed and efficiency have considerable value in today’s changing working environment, but resilience itself is priceless.
Sign up for free to read the full article
