The Corporate View: Tackling the Cybersecurity Threat
Security and fraud prevention have always been vital corporate responsibilities, and central to treasury’s remit. However, the immediacy of these risks, and the potential damage, is growing. As Peter Atuma, Senior Manager, Global Information Security – Governance at Equinix illustrates:
“Defending the organisation against cyberattack is a top priority for us. The nature of cybercrime is constantly changing and every area of the business has a responsibility to protect the organisation and our customers. Ultimately, cybersecurity impacts the business in two primary ways: firstly, the impact on our bottom line, and secondly, the reputational impact. As the global interconnection platform for the world’s leading businesses, the issue of reputational risk is paramount.”
Although cybersecurity is top of mind for corporate treasurers, it is not always easy to know where to start. In this feature, leading corporations Equinix and Prologis, together with Siva Ram, Head of Business Security and Fraud, Global Liquidity and Cash Management, HSBC, share their experiences of best practices in cybersecurity and fraud prevention.
From response to prevention
In many cases, there is a tendency to focus on how best to respond to an attack rather than on trying to prevent it happening in the first place. Prevention often involves deploying existing capabilities. Siva Ram, HSBC, details,
Fig 1 - Treasurers’ defence against cyber crime
Source: 2017 AFP Payments Fraud and Control Survey
“Treasurers already have a variety of techniques in their armoury (figure 1) to minimise the risk of internal and external fraud, including multi-level approvals, secure integration between internal and bank systems, and daily account reconciliation to avoid or quickly identify unauthorised payments.”
By way of example, Regina Ochev, Assistant Treasurer, Prologis says,
“We have rigorous segregation of duties and a structured accounts payable process with multiple levels of approval on payments before they reach treasury, and then before transmission to the bank. In addition to regular user IDs and passwords, we have implemented multi-factor authentication wherever possible, including in our ERP, to control system access. This is an important way of preventing phishing attacks which monitor keystrokes.
“We channel our bank communications via SWIFT, which is closely integrated with our ERP. This ensures consistent processes, controls and integration compared with using multiple banking systems.”
Processes around ancillary data, such as bank accounts (including opening, closing and modifying authorities) and supplier payment details, also need to be secured to guard against attacks such as fake supplier instructions. Processes and controls need to be consistent, reviewed and tested regularly, and enforced uniformly across the organisation. As Duang Wollring, European Treasurer, Equinix describes,
“From a treasury perspective, we take an end-to-end approach, identifying every process and task that could create a vulnerability, and exploring how we can bolster our defences. For example, we work with our internal and external partners to ensure that every step in the payments process is encrypted. While we have not experienced a breach due to inadequate encryption, it is essential to be a step ahead of the fraudsters, rather than waiting for something to happen.”