We live in a world where information is circulated continuously, across various territories, without ever stopping or slowing down. In the corporate world, data is highly sensitive and growing all the time – plus, cloud and mobility are becoming ever more prevalent.
That has produced a strong need for tight data-security controls and related compliance measures, particularly in the fields of company and customer data.
Corporate treasury is the nerve centre of any organisation’s finance operations. Its reliance on IT for risk operations, real-time cash visibility and analytics is critical for timely business decisions. As treasurers are on the front line of operations, and at the centre of the banking and payments world, their need to protect assets is especially pressing.
Data security and compliance are key considerations for treasurers and CFOs in every aspect of corporate systems and applications. While IT departments and security functions aid a business in its efforts to evaluate and mitigate risks, they cannot take on those burdens alone.
As such, the treasurer’s role has been elevated to an active part of the security decision-making process. Treasurers, together with CFOs, must work to encourage board-level awareness, while supporting and empowering the risk committee to research and implement necessary protocols. Treasurers must not lose focus on these matters, and must remember that theft of data can be just as damaging as theft of cash.
Risk is a crucial factor to manage in the role of the treasurer, and compliance also plays a huge part. To remain compliant, treasury departments must tighten their controls and align with industry regulations. If controls are inadequate, greater risks can arise and the possibility of fraudulent activity increases.
Since they have access to the cash flow behind their firms’ operations and hold the keys to crucial bank accounts, treasury departments are becoming favoured targets for cybercriminals.
So, how are cybercriminals targeting – and successfully extracting – funds transferred from corporations? Simply put: through spear phishing attacks, which focus on a single user or department within an organisation. The messages are addressed so that they appear to come from someone within the company in a position of trust, requesting information and thereby prompting insecure acts.
In the most common variation, cybercriminals send emails to employees in the treasury department that appear to be from the CEO or their manager. The emails could state that the sender needs assistance in processing a direct electronic payment that day. In almost every instance, that payment action is stated as urgent, and of a confidential nature.
For example, the organisation could be in the middle of purchasing another company, and the perpetrators are counting on the pressure and sensitivity of that delicate time to keep the employee from questioning the action. The FBI estimates this form of attack has already cost organisations more than $2.3bn over the past three years.
What should a treasurer do to reduce the risk of their group becoming a victim of such fraudulent acts?
Another area that leaves treasury departments vulnerable to threats is treasury technology itself – particularly how it is managed and hosted. A treasury management system (TMS) is a key tool in the treasury department’s world, and essential to managing the company’s cash positions and risk management.
It is critical that these systems are secure and properly maintained. Cyberattacks are increasingly targeting the software code that underpins applications and operating systems. With that in mind, it is imperative that key technologies are maintained and properly secured.
Treasurers should be asking the following questions about their systems:
If the answer is ‘no’ to any of those questions, then the company needs to look elsewhere. Many firms are running platforms that have been in place for years. It can take several more years to get new projects on the IT department’s radar – and often, the security team can be overwhelmed and too pressed for time to address the treasury environment.
There are many reasons why it is important for a TMS to run its latest technology or version, one of which is security.
Many of the older legacy systems had limited testing for application vulnerabilities. If a company is not running a fully supported version of its treasury solution, with up-to-date security and infrastructure updates, there is a strong chance that the system is at far greater risk of being exploited. The majority of cyberattacks target very well-known software vulnerabilities, which makes older versions far more susceptible.
However, too many companies don’t have adequate staff to keep all platforms at proper version levels, and system upgrades can take years to complete. The reality today, and moving forward, is that companies are moving more of their solutions – including TMSs – to a private cloud, or software as a service (SaaS), environment.
It is important to determine whether a private cloud or SaaS deployment fits a company’s requirements. Solutions in a private cloud are hosted in a secured, dedicated environment and are managed by vendors focused specifically on those products and services. Meanwhile, solutions in a SaaS deployment run in a multi-tenant environment, in which a single instance of software is shared with other customers.
By utilising some form of cloud services (with managed services wrapped around them), companies can alleviate pain points in parts of the organisation that are already stretched too thinly.
Newcomers to the cloud often ask whether cloud environments are sufficiently secure. With proper review and controls, a cloud/managed solution is often far more secure than running treasury solutions in-house. It is important that a vendor is not only an expert in developing and managing the software itself, but also has the required expertise and security controls.
Here are some of the benefits of such services:
When it comes to data security and risks, treasurers are key decision-makers. They are responsible for actively monitoring the regulatory landscape and making the necessary changes to internal procedures.
There is one key characteristic that today’s treasurer must have: security consciousness – a constant awareness of potential security threats as a component of business risk. Their company’s financial condition, and its integrity, are on the line.