Corporate treasurers: the cyber-crimestoppers?
Treasurers manage technology-heavy infrastructure that sits outside the IT department. They feel more vulnerable than ever, and while cloud-based integrated systems have delivered efficiencies, they have also created new risks, says a report from the Economist Intelligence Unit sponsored by Deutsche Bank.
Why? Treasury is all about connectivity – it is a gateway into other core corporate management information systems. In other words, if administrator rights in a treasury system can be hijacked in one place, then global enterprise resource planning (ERP) systems are compromised. Once inside, it is possible to see who makes payments and how, to generate false invoices from invented suppliers, direct them at a hapless accounts payable employee and harass that employee into paying them. According to FBI data, between 2013 and December 2016 more than US$5.3trn was stolen by cyber-criminals from US and international businesses in more than 40,000 cases.
The latest Deutsche Bank-sponsored EIU research, Third-party risks: the cyber dimension, reveals how a company’s IT department is “only as secure as its weakest point,” and that “many companies are not being as vigilant as required”.
Insecure third parties
The good news was that 93% of respondent companies have taken steps to improve employee access controls and confidential company information and documentation, and 96% of them confirm an in-house process to limit third-party access. However, there are still some worrying exposures. The findings of the EIU report suggest that a significant proportion of corporates are not being as vigilant as they should be when it comes to securing their treasury.
Take the risk posed by a corporate’s third-party relationships. It is well known that hackers frequently use third parties – be those suppliers, customers, subcontractors, or even banks – as conduits into their target organisations. An insecure third party which, for example, fails to use two-factor authentication (involving two steps of identity verification, such as a PIN and a fingerprint) poses a direct threat to a corporate’s own cyber-security. And yet, the EIU report reveals that 19% of the companies surveyed do not check to see whether their suppliers use the same authentication strategy as they do.
In addition, the EIU report reveals that a third of the companies surveyed still fail to conduct external pen testing – a basic cyber-security defence mechanism in which hired hacking experts attack a company system to expose all potential external security weaknesses. Without such techniques in place, potential vulnerabilities may remain undetected – until it’s too late.
Managing cyber-security can be especially difficult for treasurers. It does not help that they are neither fully responsible for ensuring their departments cannot be compromised nor completely in control of the systems, people and processes that lead to compromise.
The EIU report identifies a number of proactive measures which treasury departments can adopt to ensure their assets are better protected.
If cyber-security is a key objective, it needs to be defined and measured. Treasury must have its own formal security management programme, and engage regularly with its IT security team to ensure the correct framework for defining policies, procedures and controls is in place.
Basic process improvements can also make a big difference to core security. These include making cash visible, centralising system access and controlling that access through strong authentication.
Perhaps most importantly, treasurers must ensure that controls over procurement processes account for cyber-security. This means the division of responsibility between treasury and procurement regarding authentication and data protection has to be crystal clear. Treasurers should check that banking information and interfaces are secure. Finally, treasurers must ensure that payment approval rights are clear, appropriately restrictive, regularly audited, and reconciled daily to ensure irregularities can be spotted immediately.
Ongoing collaboration and recurrent findings
In 2015, the first of these EIU/Deutsche Bank reports, Financing the Fragile Economic Recovery, examined the macroeconomic impact on corporate treasury departments. Weak economic growth and exchange rate volatility were posing serious risks, and treasurers admitted to being conservative in their investment and funding strategies. The need for better visibility of cash and liquidity meant that the role of new technology was gaining momentum because of its potential to control risk. In addition, corporate treasurers were seen as having increasing importance in strategy and the wider business.
Fast-forward 12 months, and the focus on managing risk became even more acute in 2016. Managing Risk in Challenging Economic Times demonstrated how uncertainty about economic growth continued to keep treasurers awake at night and how their remits in risk management and capital allocation had expanded.
This latest report positions treasurers quite literally as gatekeepers to their organisations’ treasuries, imbuing them with responsibilities not only to secure processes, but to educate employees as well. Earlier themes of economic uncertainty, increased regulation and large stockpiles of unused cash have resurfaced, but this time intermingled with the need to fight increasingly sophisticated cyber-crime.
Written by the EIU on behalf of Deutsche Bank