Today's treasury infrastructure is changing and, with it, the associated risks of data loss or fraud have multiplied. Within the security community, it is often said that it is not a matter of ‘if’ but ‘when’ you are going to be affected by a security breach. Treasurers need to ensure that controls are in place to protect the corporate assets and, as such, should take a lead role in protecting the company from cyber threats. Securing your company is not a one-time exercise; it is a journey that needs to be reviewed regularly and adapted to new threats.
You can’t do it alone
It is unlikely that treasurers have the expertise to protect the company on their own. Therefore, it is best to create a cross-business team with technology, information security and internal audit to jointly protect the firm. Working together and utilising collective expertise, the team can audit risky processes, run security penetration tests, and then jointly assess the levels of risk to the organisation before determining an action plan.
In addition, this is not something that only the leadership team needs to be aware of. To best prepare the organisation, the employees need to be aware of the latest fraud attack vectors and techniques, and receive proper training on how to successfully identify, prevent and respond to attacks. This training must be provided regularly, so as to keep pace with the constant evolution of the cybercrime landscape. It is a good idea to test the effectiveness of the training through internal mock phishing exercises to ensure the employees follow the proper policies and procedures.
Protecting the treasury infrastructure
There can be numerous entry points into a company’s infrastructure. For some, all it takes is an employee plugging in a USB stick they found on their way to work, or an unintentional click on a website (even legitimate ones) to open the infrastructure up to risk. It’s a good idea to review these potential entry points with your technology team to understand what controls you have in place. The following topics provide a good starting point for these discussions:
Minimising the risk from external connections
You need to protect the information not only whilst it is within your environment but also when it leaves your estate. To do this, the key is to use encrypted channels and protocols throughout the information flow. There are a number of weak points to consider:
When considering regular penetration tests, you should think not only about your treasury infrastructure but also that of supporting systems and your external service providers.
Manual interactions
Manual interactions within most systems are inevitable. When they do arise, the key is to ensure there are appropriate levels of control around them. Utilising features such as user profiles, workflow limits and four-eyes approvals helps. However, for controls to be effective, you also need to ensure users have just enough latitude to complete their jobs. When determining where controls are required within the workflow you should think creatively. For example, whilst the payment details obviously require a high degree of control, what about suppliers’ phone details? If someone first modified a supplier’s phone number and then changed the invoice details, would you call a number that you know and trust to check whether the supplier’s details are correct?
Utilising the controls available to you
Your banking partners may have a number of controls that can be deployed to further help you. Their usefulness depends on you integrating them. Below are the most common tools:
Tracking unusual behaviour
Once you have implemented a tight control framework, you should consider how you monitor the payment flow, privileged user actions and network traffic to identify any unusual behaviour. The first step is to have a centralised role performing the monitoring. Centralising it builds up expertise, which enables more effective vigilance and the creation of more useful controls. Advancements in technology, with respect to machine learning and artificial intelligence, are making this activity less resource-intensive and thereby accessible to more companies. When deployed to monitor network and server logs, such tooling can detect threats before your antivirus is even aware of their existence. Additionally, when deployed to monitor users with privileged access, it can track unusual activity and help prevent account compromise and insider threats.
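The supplier phone-then-invoice scenario from the manual interactions section above and the monitoring of the payment flow described here both come down to the same check: a payment-detail change is far more suspicious when the supplier's contact details were altered shortly beforehand, and the callback must use the number that was on file before anyone touched the record. The following is an added example, not code from the article or its authors, that runs that check over a constructed supplier master-data audit trail; the field names, window length and sample records are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample audit trail for a supplier master-data system.
# These records are illustrative and not taken from any real system.
AUDIT_LOG = [
    {"ts": "2024-03-01T09:12:00", "supplier": "S-1001", "field": "phone",
     "old": "+44 20 7946 0001", "new": "+44 20 7946 0999", "user": "clerk_a"},
    {"ts": "2024-03-03T14:30:00", "supplier": "S-1001", "field": "bank_account",
     "old": "GB11 AAAA 0000 0000 0001", "new": "GB99 ZZZZ 9999 9999 9999", "user": "clerk_a"},
    {"ts": "2024-02-10T10:00:00", "supplier": "S-2002", "field": "bank_account",
     "old": "GB22 BBBB 0000 0000 0002", "new": "GB22 BBBB 0000 0000 0003", "user": "clerk_b"},
    {"ts": "2024-01-05T11:00:00", "supplier": "S-3003", "field": "phone",
     "old": "+44 161 496 0003", "new": "+44 161 496 0004", "user": "clerk_c"},
    {"ts": "2024-03-20T08:00:00", "supplier": "S-3003", "field": "bank_account",
     "old": "GB33 CCCC 0000 0000 0003", "new": "GB33 CCCC 0000 0000 0033", "user": "clerk_d"},
]

# Assumed field groupings: contact details that a verification call relies on,
# and payment details whose change is the actual fraud objective.
CONTACT_FIELDS = {"phone", "email"}
PAYMENT_FIELDS = {"bank_account", "iban", "sort_code"}


def _parse(ts):
    return datetime.fromisoformat(ts)


def flag_payment_changes(log, window_days=30):
    """Return one finding per payment-detail change that was preceded, within
    window_days, by a contact-detail change on the same supplier.

    The callback contact in each finding is the value that was on file BEFORE
    the earliest contact change in the window, i.e. the number that was known
    and trusted before the record was modified."""
    events = sorted(log, key=lambda e: _parse(e["ts"]))
    by_supplier = {}
    for e in events:
        by_supplier.setdefault(e["supplier"], []).append(e)

    findings = []
    for supplier, evs in by_supplier.items():
        for i, e in enumerate(evs):
            if e["field"] not in PAYMENT_FIELDS:
                continue
            cutoff = _parse(e["ts"]) - timedelta(days=window_days)
            # Contact-detail changes on this supplier inside the look-back window.
            prior = [p for p in evs[:i]
                     if p["field"] in CONTACT_FIELDS and _parse(p["ts"]) >= cutoff]
            if not prior:
                continue  # no recent contact tampering: normal four-eyes approval applies
            findings.append({
                "supplier": supplier,
                "payment_field": e["field"],
                "new_value": e["new"],
                "changed_by": e["user"],
                "contact_changed_by": sorted({p["user"] for p in prior}),
                # Same user touching both contact and payment details is a stronger signal.
                "same_user": all(p["user"] == e["user"] for p in prior),
                # Earliest prior change's old value: the number to call for verification.
                "callback_contact": prior[0]["old"],
                "contact_changes_in_window": len(prior),
            })
    return findings


if __name__ == "__main__":
    for f in flag_payment_changes(AUDIT_LOG):
        print(f"{f['supplier']}: {f['payment_field']} changed by {f['changed_by']}; "
              f"verify via {f['callback_contact']} (same user: {f['same_user']})")
```

With the constructed log, only S-1001 is flagged at the default 30-day window: its phone number was changed two days before the bank account, by the same user, and the finding carries the original phone number for the callback. S-3003 had a phone change too, but 75 days earlier, so it falls outside the window unless it is widened; that window is a tuning decision for the monitoring role rather than a fixed rule.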
Incident response
Speed and precision are required to prevent an incident becoming a disaster. You should make sure the relevant actions are defined for each scenario, from discovery through to conclusion and review, as well as ensuring that everybody involved in each action knows their role within the process (compliance, audit, security, treasury, IT, banks, legal, corporate communications etc.). It is recommended that you regularly test the process to confirm it remains valid.
Conclusion
In some cases, these practices may seem daunting at first to the uninitiated. Nonetheless, with the rising level of threats, it is paramount that attention is given to ensuring the firm’s assets remain protected. A useful starting point would be to create a cross-business working group to consider your firm’s potential vulnerabilities. Once you have a list, you can ensure management are aware and then prioritise the remediating actions.
Anne Catherine Sailley Manager, Treasury EMEA, Steelcase
Anne Catherine Sailley started her career with KPMG Audit as an auditor. Then she joined Steelcase, 18 years ago, to create the internal Audit department in EMEA. Following this audit experience she became a member of the Steelcase finance team responsible for consolidation, control, industrial reporting and analysis. For the last eight years, she has been working in the Treasury department where she currently takes the treasury lead in designing the banking structure to support more centralised payments, to drive the design of ongoing control structure around payment processes and to implement a treasury management system around the globe.
James Henderson Director, Head of Specialist FX Products, Barclays Corporate Banking
James Henderson has spent the last seven years working within Barclays’ Foreign Exchange team, focused on improving the automation and risk mitigation of FX processes. James’s current role is as Director, Head of Specialist FX Products, with responsibility for looking at how technology can be used to help improve the effectiveness of clients’ business processes. As a Fellow of the Association of Corporate Treasurers, James joined the EACT Cyber Security working group in 2017.