Shoring up Treasury’s Cyber Defences: 9 Smart Steps

Published: May 22, 2019

Eleanor Hill
Editorial Consultant, Treasury Management International (TMI)

Did you know that paying a ransom to a cybercriminal, even if you do so in Bitcoin, could lead to a sanctions violation? That’s right, treasurers now have even more to think about – and get involved in – when it comes to cybercrime. Here, we examine the latest threats treasurers need to keep abreast of and ask industry experts what treasurers can do to ensure their systems and data remain protected.

Picture the scene: your CFO is on her way from the head office in London to an important meeting in New York. Everyone in the treasury team knows she’s travelling today. She’s just about to board her flight when treasury receives an email from her saying that an urgent payment needs to be processed before she leaves the country. She phones one of the treasury team too – just after the email has hit their inbox, but the line is bad, and she needs to switch off her phone before take-off, so she doesn’t have much time to explain. Nevertheless, the message is clear: the payment needs to be made now.

Of course, you guessed it, in actual fact, the email wasn’t coming from the CFO. It was a cybercriminal sending an email from her address – having compromised the company’s systems several months previously. With access to all of the CFO’s emails and her calendar, the fraudster had learnt how to communicate just like her and knew precisely when she was going to be getting on a plane to New York (the only true part of this whole scenario). No, the phone call wasn’t from her either; it was the fraudster spoofing her number, calling with a supposedly poor connection to help disguise their voice.

This is an increasingly common type of attack, known as CFO fraud, and one that is often successful. Many treasury departments have actioned payments in similar scenarios. In fact, statistics suggest that up to 90% of CFO fraud attacks are successful, due to their being so niche and so well researched. CFO fraud also often involves multiple types of cyber-attack – starting with a spear phishing email that embeds malware onto a device (like the CFO’s computer), then business email compromise and social engineering techniques, ultimately ending up in a payment fraud.

Yes, some treasuries have spotted the ruse – and either caught the CFO fraudster out at the start, or questioned the payment before it was sent out, stopping the attack part way down the line. But the fraudsters are becoming more and more sophisticated, and playing a very long game – waiting patiently for months to find the right moment to strike. The longer they wait, the more information they gather that helps them to launch an extremely convincing attack.

As Raj Shenoy, Global Head, Digital Security, Treasury and Trade Solutions, Citi, explains: “Targeted and well-researched victims are part of the modus operandi, where bad actors are looking for large returns and are willing to be persistent with a long-term outlook to exploit targets in positions of authority.” The CFO and treasurer both fall under this umbrella – and cybercriminals are becoming increasingly aware of the lucrative potential of treasury as a target. Not only do treasurers have the ability to move large amounts of cash very quickly, they are also sitting on a goldmine of data. What’s more, as treasury has grown in strategic importance, cybercriminals are finding it easier to research treasury targets. (But don’t worry, we will explore tactics for staying cyber secure later in this article).

Treasury trends impacting cybersecurity

Sebastian Kästner, Group Treasurer, iSi Group, Austria, and a board member of the Austrian Corporate Treasury Association, highlights two developments in treasury that must be taken into account when reviewing cybersecurity:

1. Instant payments.

A current major concern for many treasurers is the increasing adoption of instant payments. The risk is heightened in the sense that it will become almost impossible to stop an ongoing payment, as the payment service provider has less than ten seconds to stop it. As a result, corporates will have to improve their checks before a payment is transferred.

With faster payments and the increased amount of data and connected devices, payment service providers will have to improve their fraud and money-laundering recognition as well as sanctions list searches using automated advanced detection filters, such as artificial intelligence methods. However, the responses from the corporates advising these payments are still slow. Thus, faster reaction times will also be key in these areas.

2. The rise of mobile and cloud solutions.

There is definitely a trend to move data and processes to mobile devices and the cloud. This does, and will, affect the treasury landscape and thus presents new cyber risks. Data encryption and the careful and restricted use of activated wireless connection technologies are key to ensuring protection.

A hostage situation

Although CFO fraud is one of the more common cyber threats faced by treasurers, according to Jan Dirk van Beusekom, Head of Strategic Engagement, BNP Paribas Cash Management & Trade Solutions, other types of attack frequently faced by treasury teams include “ransomware installed via phishing, and payment fraud via a ‘false’ IBAN”.

Ransomware does indeed appear to be a growing concern in the corporate space. “We have seen a spike in ransomware across geographies and industries,” confirms Shenoy. Ransomware is essentially malware that encrypts data, holding it ransom, so that users cannot access it. Whole systems can be held hostage too, including the ERP.

Systems that control industrial machinery can also be held hostage, as we have seen with the emergence of the LockerGoga ransomware – which has caused at least USD 40m damage (in revenue and recovery costs) at Norsk Hydro so far this year, with the attack shutting down most of the company’s production for a week. In a nutshell, LockerGoga works by changing user passwords and logging out network connections before encrypting all of the files on the target system. Payment in Bitcoin is then demanded by the cybercriminals.

It’s well known that more and more organisations are discreetly paying ransoms in order to get access to their data and systems back. And it’s understandable why – statistics from cybersecurity company Coveware illustrate that in Q1 2019, the average ransom organisations paid per incident was just USD 12,762. For most corporations, this is a drop in the ocean, and may seem like a price worth paying.

On the flip side, there is no guarantee that the attackers will decrypt your files, or that they will do it in a timely fashion. Paying a ransom may also make your organisation more likely to be subject to ransomware attacks in the future, as the company’s name is added to the Dark Net as a potential soft target. Furthermore, treasurers should be aware that paying a ransom could actually result in sanctions violations – and fines that far exceed the monetary value of the ransom.

In November 2018, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) publicly attributed cryptocurrency addresses to individuals who were involved in converting ransomware cryptocurrency payments to fiat currency. These known individuals are now being added to sanctions lists, and any company found to have paid a ransom to them could be subject to secondary sanctions. According to an official announcement from OFAC, “Regardless of whether a transaction is denominated in a digital currency or traditional fiat currency, OFAC compliance obligations are the same.”

It comes as little surprise, then, that companies are focusing on having good cyber defences in place, and proper back-ups, as a means to overcome ransomware without giving in to the criminals. Training (more on this later) plays a key role in the defence against ransomware, since, as van Beusekom noted, the majority of such attacks result from a phishing campaign – whereby a user clicks on a link or downloads an attachment that then installs the malware.

However, non-click ransomware variants are emerging, such as Sodinokibi, which is designed to encrypt files and delete back-ups in an effort to prevent victims from recovering their files without paying a ransom. Sodinokibi, which first emerged in mid-April 2019, exploited a critical zero-day vulnerability in the widely used Oracle WebLogic Server, causing the targeted server to download a copy of the ransomware from attacker-controlled IP addresses – with no user interaction necessary.

The Oracle WebLogic software is widely used in cloud environments, leading to a number of such attacks. A security patch has since been issued, highlighting the need to update software to the latest version as soon as it is released (again, we will cover this in the best practices section later).

Of course, much of this is not actually the treasurer’s responsibility. As Royston Da Costa, Assistant Group Treasurer, Ferguson, notes: “Large-scale attacks against the company’s infrastructure using DDoS (Distributed Denial of Service) and ransomware are the responsibility of the IT department.” Nevertheless, “it is important for treasurers to be ‘aware’ of specific scams targeting treasury”. And leveraging this awareness, he says that “treasurers should focus on their policy and processes to ensure that these are regularly reviewed and updated to ensure they are robust and compliant”.

Supply and comply

One type of threat that strict policies and procedures should certainly help to limit are the ‘false IBAN’ attacks that van Beusekom mentioned. These typically involve cybercriminals posing as suppliers and changing bank account details – also known as supplier fraud. The changes to bank account details may come via email or in the post (or over the phone – but that is unlikely to be an acceptable method for many companies any more). They will also often involve changes to other critical supplier data, such as the telephone number for the point of contact at the supplier. This way, when treasury calls the supplier to check the new bank details, they are actually calling the cybercriminal, not the supplier.

As such, it is imperative to have procedures in place that require triple-checking of any changes to supplier bank account details. This would entail making a phone call to a named contact at the company, using a telephone number from the supplier master data file or main company website, not from any recent correspondence. There should also be procedures in place to flag multiple changes to supplier data within a certain timeframe. So, changing the phone number on file a few weeks before changing the bank account details should be cause for alarm.

In addition to supplier fraud and the aforementioned CFO fraud and ransomware, Da Costa highlights the following threats to be aware of – and critically, not all of them are entirely cyber-based, or come from outside the company:

    Worth also noting, says van Beusekom, is the rise of “blackmail and sending personal threats to home addresses” as cyberthreats continue to evolve. The above is by no means an exhaustive list, but it is a good place to start. And as Citi’s Shenoy notes: “Understanding the sources of threats is the first step to mitigating security breaches.”

    But what else can treasurers realistically do to stay safe, without stepping on the toes of IT, and without significant budget?

    Staying cyber-secure

    The following checklist draws on advice from industry practitioners and is designed to provide food for thought, rather than being a robust plan covering people, processes and technology (see box 1 for more information).

    Box 1 - Protect, Detect, Respond

    According to Shenoy, there are three key steps in developing a strategic defence plan for your organisation – and for treasury. “The first step is to ensure your organisation is protected; the second is to ensure that should a fraud or cyber-attack attempt occur, your organisation can quickly detect this, and the third step is to ensure your organisation has a plan in place to respond quickly and appropriately if a fraud or cyber-attack occurs. In devising a strategic defence, it is necessary to look at three aspects of the organisation: people, processes and technology,” he notes (see Fig 1 for a succinct summary of actions in each of these buckets).


    1. Check your systems’ infrastructure is protected.

    It is important to review how your treasury infrastructure – from servers to leased lines – is physically protected against tampering. For example, check whether machines with access to the treasury infrastructure have unused USB/external ports. If so, are they blocked to prevent someone installing malware? Conducting penetration testing is also critical. But infrastructure checks and tests “should only be undertaken with IT support (internal and or external),” cautions Da Costa. “Internal Audit should also be consulted,” he says. Meanwhile, Andy Bates, Executive Director of the United Kingdom, Europe, Middle East and Africa, Global Cyber Alliance, suggests not being afraid of asking your IT/security team “some difficult questions to keep them on their toes. ‘Have you implemented DMARC?’ is my favourite.” For those not familiar with DMARC (Domain-based Message Authentication, Reporting and Conformance), it is an email authentication standard developed as a collaborative effort to fight phishing and other dangerous email scams; it is worth an internet search for more information.
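Bates’s question “Have you implemented DMARC?” can be turned into a check that IT runs against the record a domain publishes. The following is an added example, not code from the article or from the Global Cyber Alliance; the domains and records are constructed, and no DNS lookup is performed.

```python
"""Assess how far a domain's DMARC policy actually goes.

Added example, not code from the article or from the Global Cyber Alliance.
It grades the TXT record published at _dmarc.<domain>: 'missing' (no usable
record), 'monitor' (p=none, reporting only), 'partial' (enforcing on a
percentage of mail) or 'enforce'. Sample records below are constructed.
"""

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed DMARC tag: %r" % part)
        tag, value = part.split("=", 1)
        tags[tag.strip()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (level, findings); findings are the weaknesses to raise with IT."""
    if not record or not record.strip():
        return "missing", ["no DMARC record: receivers will not reject spoofed mail from this domain"]
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or policy not in POLICIES:
        return "missing", ["invalid record: v=DMARC1 and p=none|quarantine|reject are required"]

    findings = []
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        level = "monitor"
        findings.append("p=none only reports; spoofed mail is still delivered")
    elif pct < 100:
        level = "partial"
        findings.append("pct=%d: only %d%% of failing mail is subject to p=%s" % (pct, pct, policy))
    else:
        level = "enforce"
    # The subdomain policy defaults to p; an explicit sp=none reopens the door
    # for lookalike senders such as payments.<domain>.
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed")
    # Without aggregate reports nobody learns who is sending as the domain.
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("no rua=mailto: address: aggregate reports are not collected")
    return level, findings


# Constructed records, from weakest to strongest.
SAMPLE_RECORDS = {
    "no-record.example": "",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "strong.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strong.example",
}

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        level, findings = assess_dmarc(rec)
        print("%-20s %-8s %s" % (domain, level, "; ".join(findings) or "ok"))
```

A live record can be fetched with `dig +short TXT _dmarc.<domain>` and, after stripping the surrounding quotes, passed to assess_dmarc().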


    2. Assess your external partnerships closely.

    This means every partner from banks to system vendors, cloud storage providers, suppliers and buyers. “It is vital that aside from the regular review of the relationship, one should also ensure that external partnerships are complying with the industry standard requirements for SOC 1/SOC 2 certification. In addition, any third-party suppliers your partners engage with to provide you with that service must also be compliant,” says Da Costa. Also, if third-party vendors have access to your network, it is vital to verify that their cybersecurity controls and incident response plans are appropriate for the services they provide and the access they have.


    3. Improve internal controls.

    “This is the most critical area that treasurers must be comfortable is robust and secure,” notes Da Costa. Each treasury will have different requirements, but common controls include segregation of duties, restricted payee lists, and two-factor authentication. Ensure all of these controls are documented within the treasury policy and that this is regularly reviewed, updated and shared.


    4. Monitor and manage.

    As the adage goes, “you cannot manage what you do not measure.” As such, centralised monitoring of flows is critical to help prevent cybercrime. Consider how to monitor payment flows and privileged-user actions to identify any unusual behaviour. Treasurers may wish to leverage advancements in technology, such as machine learning and artificial intelligence to help identify anomalies where possible. Some banks are now offering these kinds of detection tools for their corporate customers. Also, Bates sounds a cautionary note about over-monitoring: “Monitoring is important, but we find that two or three basic things stop 70% of the issues. Many people turn on monitoring and see too many things to look at. If your radar screen is full of dots, there is no point having a radar.”
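The supplier master-data rule from the “Supply and comply” section (a phone number changed a few weeks before the bank account) and the controls in steps 3 and 4 (restricted payee list, segregation of duties, monitoring of payment flows) can run as one screening pass before a payment run is released. This is an added example, not code from the article or from any bank or vendor quoted in it; the supplier names, IBANs, user ids and dates are constructed.

```python
"""Pre-release screening of a treasury payment run.

Added example, not code from the article or from any bank or vendor it quotes.
It encodes three controls the text describes as rules that run before release:
a restricted payee list, segregation of duties between initiator and approver,
and correlation of supplier master-data changes (contact details changed shortly
before bank details, or a payment to an account changed inside the look-back
window). Supplier names, IBANs, users and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

CONTACT_FIELDS = {"phone", "email", "contact_name"}

@dataclass(frozen=True)
class SupplierChange:
    supplier: str
    field: str        # e.g. "bank_account", "phone"
    changed_on: date

@dataclass(frozen=True)
class Payment:
    ref: str
    supplier: str
    iban: str
    initiated_by: str
    approved_by: str
    value_date: date

def screen_payment(pay, changes, approved_payees, window_days=60):
    """Return the reasons to hold one payment; an empty list means release."""
    reasons = []
    # 1. Restricted payee list: the supplier/IBAN pair must be pre-approved.
    if (pay.supplier, pay.iban) not in approved_payees:
        reasons.append("payee not on restricted payee list")
    # 2. Segregation of duties: nobody approves a payment they initiated.
    if pay.initiated_by == pay.approved_by:
        reasons.append("initiator and approver are the same user")
    # 3. Master-data changes for this supplier inside the look-back window.
    cutoff = pay.value_date - timedelta(days=window_days)
    recent = [c for c in changes
              if c.supplier == pay.supplier and cutoff <= c.changed_on <= pay.value_date]
    bank = [c for c in recent if c.field == "bank_account"]
    if bank:
        reasons.append("bank details changed within %d days of payment" % window_days)
        # The article's pattern: contact details changed a few weeks before the account.
        last_bank = max(c.changed_on for c in bank)
        if any(c.field in CONTACT_FIELDS and c.changed_on < last_bank for c in recent):
            reasons.append("contact details changed shortly before bank details")
    return reasons

def screen_run(payments, changes, approved_payees, window_days=60):
    """Screen a whole run; returns {ref: reasons} for the payments to hold."""
    held = {p.ref: screen_payment(p, changes, approved_payees, window_days) for p in payments}
    return {ref: reasons for ref, reasons in held.items() if reasons}

# Constructed sample data: Acme's phone number was changed, then its bank account.
APPROVED_PAYEES = {("Acme Metals", "DE00 1111 2222 3333"),
                   ("Nordic Tools", "SE00 4444 5555 6666")}
CHANGES = [SupplierChange("Acme Metals", "phone", date(2019, 3, 4)),
           SupplierChange("Acme Metals", "bank_account", date(2019, 3, 25))]
PAYMENTS = [
    Payment("P-001", "Acme Metals", "DE00 9999 8888 7777", "t.jones", "m.smith", date(2019, 4, 2)),
    Payment("P-002", "Nordic Tools", "SE00 4444 5555 6666", "t.jones", "t.jones", date(2019, 4, 2)),
    Payment("P-003", "Nordic Tools", "SE00 4444 5555 6666", "t.jones", "m.smith", date(2019, 4, 2)),
]

if __name__ == "__main__":
    for ref, reasons in screen_run(PAYMENTS, CHANGES, APPROVED_PAYEES).items():
        print(ref, "HOLD:", "; ".join(reasons))
```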


    5. Plan your incident response.

    Every treasury department should have a concrete plan of response actions for each potential cyber-attack scenario. This should cover everything from who to call upon discovery of the attack right through to remedial action steps and re-establishment of ‘business as usual’. The plan needs to cover everyone within the treasury department, and relevant individuals/functions elsewhere in the organisation, as well as banks and vendors. It is important to regularly test the incident response plan to check that it is up-to-date – and will actually work! See Fig 1 for more detail on building an effective response plan.


    6. Have sound back-ups in place.

    As well as an incident response plan, “There should be a back-up plan if the corporate infrastructure (including the ERP system) is compromised or unavailable,” says Shenoy. “We recommend maintaining online and mobile banking connectivity accounts along with testing those for cyber contingency situations.” This kind of back-up is typically for an extreme scenario, however. As Kästner explains, “Although it might, in theory, be possible to route payments in these cases through the e-banking systems, in practice this workaround would be highly manual and thus prone to error and far too much to handle without the support of the ERP. Best practice is to have a business continuity plan to permit ongoing operations in case of emergency. This is already common in the financial services industry and is being enforced by local laws such as the Sarbanes-Oxley Act in the US, the Civil Contingencies Act in the UK or the KonTraG in Germany. Disaster recovery and continuity plans have become the norm for corporate IT departments; however, business continuity plans are still lacking in far too many cases.”

    7. Promote training and communication.

    As Shenoy notes: “In many instances, employees are not aware of the red flags to look out for, or what they should do if they suspect an attempted fraud. Ensuring that there is an effective staff training programme in place and that all employees share in the responsibility of protecting against a cyber-attack is important.” Kästner agrees that “An easy way to improve cyber-security is to improve communication and training on the subject. This is especially so internally, such as within the IT department, but also those with shared interfaces, such as accounting and controlling.” There is a risk of training fatigue, however, so Da Costa recommends keeping training sessions and tools as innovative as possible.

    8. Consider cyber insurance.

    This is not for everyone and there are varying views among industry practitioners as to how effective cyber insurance is. Van Beusekom comments: “Cyber-security insurance is an emerging market and currently an option, not a must-have.” But it could be right for some organisations, and treasurers are becoming more interested in its potential. Says Kästner: “We see that this type of security is increasingly being offered, often in collaboration with banks, but it is still not that common here in Europe, unlike in the US. Besides the mitigation of financial damages, one additional benefit of these insurances is expert assistance in case of emergency. Taking out cyber insurance should be seen in the same light as taking out buildings’ insurance. Inadequate coverage could affect a company’s operations and even its survival. Once suitable products are available here in Europe, we should consider them as must-haves.” It is worth being aware, though, that insurers are increasingly finding ways to wriggle out of paying cyber claims, especially relating to ransomware, with insurers citing these attacks as ‘acts of war’. Bates also cautions against over-reliance on cyber insurance as it can “make people feel too safe. You have fire insurance, but you still have fire extinguishers. So don’t just stop at buying cyber insurance – and always check the small print”.

    9. Share information among your peers and industry experts.

    Treasurers should ask other treasurers what procedures they have in place and seek to share experiences, believes Kästner. “Progress on sharing information between treasurers has been slow and there is little information available publicly regarding cyber risk and how to guard against it. This lack of information makes it hard to define key risks and controls and to calculate insurance premiums,” he says. Similarly, van Beusekom comments: “My best advice to treasurers would be to encourage them to share their knowledge and experiences. They should become part of relevant communities, such as the cyber resilience community of the European Association of Corporate Treasurers.”

    Fig 1 - Plan, Test, Recover

     Source: Citi

    Pitfalls to avoid

    As well as best practices, it is also important to consider – and hopefully avoid – worst practices. Here are some tips from our experts:

    1. Don’t get complacent.

    “Despite the fact that we are all well aware of them and believe we wouldn’t fall prey to such scams, instances of supplier and ‘fake president’ fraud are still extremely common,” says Kästner. It pays to always be vigilant, and not think you are smarter than the cybercriminals.

    2. Don’t underestimate the potential for human error.

    “Interfaces, both human-computer and pure data interfaces, are usually the weakest links. The software systems – being in accounting, controlling, treasury – are usually well secured. It is the in- and outflows of commands that are risky. Humans are by nature prone to making mistakes and the transfer of data between software systems is often not as secure as one might think,” notes Kästner.

    3. Don’t believe the enemy is always an outsider.

    “Experience has proved this is not always the case,” Kästner cautions. The cybercriminal could be internal, or the fraudsters may be leveraging internal links.

    4. Don’t assume any network is safe.

    Ofer Israeli, co-founder and CEO of Illusive Networks, a deception-based cyber-security firm with offices in New York City and Tel Aviv, Israel, says that, “Besides being concerned about their own companies’ assets, treasurers also need to be watchful for attacks on the financial system as a whole.” This includes attacks on large infrastructures, such as central banks, and messaging networks.

    5. Don’t be afraid to speak up.

    It is always better to question something that looks suspicious than to leave it and hope for the best. Building a speak-up culture within treasury can therefore be a powerful fraud prevention tool, and assist in early detection of cyber threats.

    Keeping treasury protected

    As we have seen, there are so many types of potential cyber threat and so many different avenues for these threats, that treasury cannot act alone in the fight against cybercrime. Conversely, though, treasury can no longer be a silent partner in the fight against cybercriminals either.

    Close collaboration between treasury and IT is critical in ensuring robust cyber-security. And within this partnership, the treasurer’s role is clear: “Have well-thought-out and defined policies and procedures in place, do not violate them, be suspicious and always talk to others if anything looks unusual,” concludes Kästner.   


    Article Last Updated: May 03, 2024
