Treasury departments falling short on cybersecurity

Treasurers’ authentication and data-security methods are lagging behind evolving cybersecurity threats, finds survey

Corporate treasury departments are failing to implement comprehensive security measures in the face of mounting cybercrime, according to a new report from Deutsche Bank and the Economist Intelligence Unit (EIU).

Published on 4 October, the report – Third-Party Risks: The Cyber Dimension – is based upon a survey of 300 senior treasurers from around the world, plus a series of in-depth interviews with a selection of those respondents.

It notes: “Treasury’s trove of personal and corporate data, its authority to make payments and move large amounts of cash quickly, and its often complicated structure make it an appealing choice for discerning fraudsters.

“These sophisticated cybercriminals use social engineering and inside information gleaned from lengthy reconnaissance within a given company’s systems to execute high-value thefts.”

However, the report reveals, despite those risks:

• 18% of individual treasurers say that only a minority of their clients and suppliers follow the same, or similar, regulatory and compliance rules to them;
• 19% of companies that took part in the survey do not check whether their suppliers use the same methods for authenticating identities as they do, leaving an open door for fraud;
• at present, 14% of firms do not insist that the information-security requirements they apply to their third parties must also be extended to subcontractors – a shortcoming that provides cybercriminals with another opportunity for data theft;
• while 92% of companies perform internal penetration testing, 33% do not currently conduct it externally, leaving a concerning gap ripe for exploitation; and
• only 38% of companies require all of their third parties and suppliers to perform penetration testing.

Industries with the lowest percentages of authentication testing are:

1. Manufacturing (43%);
2. Agriculture and agribusiness (38%);
3. Energy and natural resources (32%);
4. Construction and real estate (31%); and
5. Professional services (25%).

“If cybersecurity is an objective,” the report points out, “then it needs to be defined and measured. Treasury must have its own security management programme, preferably developed in tandem with the company’s overall cybersecurity strategy.”

In Deutsche Bank and the EIU’s view, any programme of this type should recognise that there are at least five sets of people and processes that interact with treasury, which could potentially introduce insecurity:

1. corporate treasury, vendor and employee-payment teams;
2. banks that process the payments and provide electronic banking platforms;
3. SWIFT bureaus that may provide bank-connectivity solutions;
4. BACS and other automated clearing-house bureaus and third parties that may provide payment solutions; and
5. credit card processing providers.

“Cybersecurity requires a change of culture,” the report explains. “Companies are designed to compete with each other for customers and profits. In general, neither they nor their staff are equipped to defend themselves against hostile, criminal attackers intent on intrusion, deception and theft.

“Knowing about and recognising the telltale signs of fraud is one thing, but maintaining the correct level of scrutiny of people and processes can lead to the perception of a Big Brother environment.”

The report notes: “A balance has to be struck between a level of monitoring that interferes significantly with the day-to-day running of the department and an overly lax security environment that invites cybercriminals.

“Treasury is a target. It’s time for treasurers to step up to the challenge.”