Why? Treasury is all about connectivity – it is a gateway into other core corporate management information systems. In other words, if administrator rights in a treasury system can be hijacked in one place, then global enterprise resource planning (ERP) systems are compromised. Once inside, it is possible to see who makes payments and how and to generate false invoices from invented suppliers to a hapless accounts payable employee and harass them into paying them. According to FBI data, between 2013 and December 2016 more than US5.3trn in more than 40,000 cases was stolen by cyber-criminals from US and international businesses.

In the latest Deutsche Bank sponsored EIU research, Third-party risks: the cyber dimension, findings reveal how a company’s IT department is “only as secure as its weakest point,” and that “many companies are not being as vigilant as required”.

The good news was that 93% of respondent companies have taken steps to improve employee access controls and confidential company information and documentation, and 96% of them confirm an in-house process to limit third-party access. However, there are still some worrying exposures. The findings of the EIU report suggest that a significant proportion of corporates are not being as vigilant as they should be when it comes to securing their treasury.

Take the risk posed by a corporate’s third-party relationships. It is well-known that hackers frequently use third parties – be those suppliers, customers, subcontractors, or even banks – as conduits into their target organisations. An insecure third party which, for example, fails to use two-factor authentication (involving two steps of identity verification, such as a PIN and a fingerprint) poses a direct threat to a corporate’s own cyber-security. And yet, the EIU report reveals that 19% of the companies surveyed do not check to see whether their suppliers use the same authentication strategy as they do.

In addition, the EIU report reveals that a third of the companies surveyed still fail to conduct external pen testing – a basic cyber-security defence mechanism in which hired hacking experts attack a company system to expose all potential external security weaknesses. Without such techniques in place, potential vulnerabilities may remain undetected – until it’s too late.

Managing cyber-security can be especially difficult for treasurers. It does not help that they are neither fully responsible for ensuring their departments cannot be compromised, nor are they completely in control of the systems, people and processes that lead to compromise.

The EIU report identifies a number of proactive measures which treasury departments can adopt to ensure their assets are better protected.

Assuming cyber-security is a key objective, then it needs to be defined and measured. Treasury must have its own formal security management programme, and engage regularly with its IT security team to ensure the correct framework for defining policies, procedures and controls are in place.

Basic process improvements can also make a big difference to core security. These include making cash visible, centralising system access and controlling that access through strong authentication.

Perhaps most importantly, treasurers must ensure that controls over procurement processes account for cyber-security. This means the division of responsibility between treasury and procurement regarding authentication and data protection has to be crystal clear. Treasurers should check that banking information and interfaces are secure. Finally, treasurers must ensure that payment approval rights are clear, appropriately restrictive, regularly audited, and reconciled daily to ensure irregularities can be spotted immediately.