The threat of cyber attacks is a fact of life for organisations around the globe – and for their treasury teams. So, what role can the treasurer play in protecting the company from the risk of cyber attacks? And which risks should treasurers be most aware of?
“The types of risks that treasurers should be most concerned with include impersonation risks, such as business email compromises,” says Tari Schreider, a strategic adviser at Datos Insights who focuses on cybersecurity technologies and practices. With the arrival of artificial intelligence and deepfakes, he argues that impersonation fraud will become easier to perpetrate.
While scams based on facial recognition are not yet a major threat, he says that synthesised voice threats are becoming a more significant concern: “I think that the more sophisticated hacker groups will eventually find that treasury departments can be low-hanging fruit with some of the new AI technologies out there.”
For companies in which the treasury team is closely involved with supply chain activities, risks around supply chain vendors and payments may also be a concern. And as Schreider notes, risks can also arise when treasuries use their own technology platforms and vendors which are not covered under current IT security policies and procedures.
“Generally speaking, individuals within companies today are all individually responsible for being diligent and cautious, and ensuring they are not opening themselves or their company to the usual attacks through phishing emails,” says Royston Da Costa, assistant treasurer at Ferguson. “Then looking at treasury specifically, I feel very strongly that treasury really has to consider itself as being a partner with IT in this respect.”
In the past, IT has always been a major stakeholder for treasury at Ferguson, “but they’ve tended to get involved more when there’s a project to implement a treasury management solution or other application. Generally, they wouldn’t have been seen as a day-to-day partner.” With the cyber threat continuing to evolve and grow, Da Costa believes it is now increasingly important to have regular contact with IT, “as I do with our CISO”.
At the same time, he argues it is important to understand the responsibilities of the different parts of the organisation when it comes to managing the risk of cyber attacks. “If you visualise it as a diagram, on the left you’ve got IT who are the gatekeepers of all that comes into our domain – our website, our network – and what goes out,” says Da Costa. “Then you’ve got treasury in the middle – we are responsible for making sure our processes are robust, and ensuring we don’t fall prone to any kind of phishing attack, or click on links that could open up the company to a potential scam.
“On the right, you’ve got external vendors that we interact with, including banks. Of course, we have to make sure we have the right level of controls to match that. But these vendors and banks also need to ensure they are compliant, and that they are good citizens in terms of their security and how they manage that.”
To keep the treasury team aware of the latest threats, Da Costa says the company provides regular training created by HR. In addition, the IT department sends test emails, “not to catch people out, but to remind them how important it is not to click on that link without checking first”.
Nevertheless, while he stays abreast of details of the latest threats via communications from banks, from the IT department and from industry journals, Da Costa says that proactively researching new and emerging threats is not a major focus: “Our procedures – and also for that matter our policy – is what should help us safeguard and protect our activities.”
While cyber risk is a concern for all companies, some industries face a more significant level of threat than others. Joe Peka, deputy treasurer at URENCO Group, which supplies enrichment services and fuel cycle products for the civil nuclear industry, says that cyber crime “is a constant risk and is relevant to everything that we do”.
The company has complex systems and networks, and is heavily reliant on those systems operating effectively when it comes to protecting cash, as well as the confidentiality of business and operations. “This is especially of concern because of the industry that we work in and the potential targeting by foreign bodies, as well as the normal criminal networks,” he notes.
As such, Peka says the treasury team plays its part in supporting its security specialists and designing and implementing technologies that are as robust as possible. He notes that the human dimension should always be considered: “We need to ensure that our staff are trained to recognise threats such as whaling (CEO impersonation scams).” The treasury team also ensures that processes and procedures are well understood and as consistent as possible across the group. Shortcuts in control procedures by any individual, however senior, are not supported.
“We run tests that ensure we are all vigilant to these types of threats,” Peka adds. “Training is key and that includes not bringing hardware that has not been provided by our own internal teams into our environment.” Physical access to sites is also managed closely, with all staff subject to security clearance. Last but not least, he highlights the importance of having contingency plans in place, “so that in the worst-case scenario we can continue to operate until the threat is removed”.
What else could treasury teams be doing to protect their organisations? According to Steve Wiley, VP treasury solutions at technology firm FIS, “the most important areas of focus relate to ensuring treasury technology is used from reputable providers with strong security measures, and that treasury technology is up to date”.
In addition, he notes the importance of preventative and detective payment controls, process controls such as dual approval, and “a strong, automated audit system which can automatically alert treasury leadership to abnormal transactional activity”.
Where resourcing is concerned, Datos Insights’ Schreider argues that the treasury department should have its own business information security officer: “They need to have someone within their department that at least has a dotted line into the overall information security programme. I don’t often see that – and obviously the size of the treasury department is a factor – but it’s worth looking at.”
Narrative risk intelligence is one emerging area that may be worth looking at for treasurers. Schreider explains that this is relatively new technology that can be used to monitor the markets for attacks based on misinformation and disinformation.
Beyond that, Schreider recommends that treasurers should focus on being the owners of risk, “and understand the risk that’s unique to their department”. While risks around technologies and malware can be left to the IT security department, he concludes, “treasurers also need to make sure that from an attack surface perspective, all their assets are accounted for, and they’re not sitting outside the purview of their corporation security practices and policies”.
Rebecca Brace is a freelance business and technology journalist
This article was taken from Issue 4, 2023 of The Treasurer magazine.