Virtual chaos and treasury vulnerability to cyber-crime
In 2017, cyber-crime was undoubtedly the word on everyone’s lips in treasury departments, along with blockchain. What is it? Are treasurers the intended potential victims? How do you prepare for the worst in an uncertain world? The risk of computer crime should be tackled in the same way as any other risk, without relying solely on the group IT people, or the CIO or CISO.
Are you really prepared for the risk of computer crime?
The biggest worry is that most treasury departments have not yet prepared a contingency plan or potential scenarios of situations that might affect them. Scary, isn’t it? Yet treasurers – the guardians of the temple of cash and short-term investments – are vulnerable and play a key role in every organisation. Protecting them becomes an even more pressing need. The problem arises, as with drugs and doping in professional cycling, from the growing and terrifying inventiveness of internet criminals. They are always a few steps ahead of you and are devoid of scruples. Devious attacks may spring up from anywhere, which is where the problem lies. Treasury fraud and ransomware are very much in vogue. It is the paradox of sophistication: the rise and spread of computerisation throughout the world makes these attacks all the more harmful and damaging. The imagination of hackers knows no bounds. You are not roped off in a ring; instead you need to fight on all fronts, which makes it a dangerous battle. The role of treasurers in protecting against computer fraud is therefore to educate and to strengthen internal controls, at the price of additional costs and a heavier administrative burden. For the last few years we have regularly used penetration tests, and some reformed hackers now offer their services to the finance industry. Preparing yourself for the unthinkable and all the rest is not in people’s nature, even though their jobs may involve managing risk. What every single one of them wants above all else is never to appear in any financial newspaper. To be happy in finance, you need to maintain a low profile and keep your head below the parapet, as the old saying goes. We should bear in mind that even SWIFT has been attacked (e.g. the Bangladesh Bank case), Google and Facebook have been victims of payment scams, and credit card details have been disseminated by malware.
Spectre, Meltdown and more have appeared more recently, and there are too many others to mention them all. The fact that they process important, high-value transactions involving intensive use of technology (the most intensive in the finance department) makes the role of treasurers, the CFO’s corsairs, crucial. Over 80% of treasurers questioned at recent conferences and surveys stated that this risk was right at the top of their current list. It is a fair bet that it will stay there for quite some time.
The key merit of centralisation, if nothing else, is that it prevents risks or gathers them together in one place to limit vulnerability. But that is not enough. The problem arises from the failure to allocate sufficient human resources, and sometimes financial resources, to averting risks of this type. What should worry us most is that this new form of criminality is growing at double-digit rates each year.
"According to the ALLIANZ 2018 barometer, cyber-risk is the top one, as a consequence of the growing digitization of the economy." - François Masquelier, Chairman, ATEL
How should we tackle the threat of cyber-risk?
There is no perfect method, but CISOs and CIOs try to embed best practice, as do Chief Risk Officers (CROs). This involves painstaking and gruelling work, because hackers are incredibly agile. Whenever any loophole is plugged, another may appear. You never really have time to take a breather or relax.
Behind each hacker or fraudster there lurks a human being
Fortunately or unfortunately, we should never overlook the human dimension in fraud, even IT fraud. It may also have its roots in avoidable or unavoidable errors, negligence or intent by employees to harm the company or to enrich themselves at its expense. Hackers and fraudsters are human beings. Their behaviour may be slightly different, but they must be understood and appraised. They have specific motivations and sometimes, for internal fraud in any case, you can try to avert it by careful selection of staff, through giving information and through education on how to tackle risk. The problems may very often derive, for example, from social networks (social engineering attacks), from phishing, and from all those treasury tasks that are not sufficiently automated or are too manual. Prevention is all too often neglected. Well-informed employees who have had the risks and consequences explained to them will be more careful. Those with ill intent will tend to think twice about attempting fraud. It seems certain that the greater part of the compensation claims submitted to insurance companies (2/3) comes from proven frauds arising from human behaviour by employees of the company itself – negligence leading to losses or penetration by hackers, spyware, etc. Deficient practices, unintentional negligence, errors in following procedures and the like are as frequent as they are avoidable if tackled properly. Management and CIOs focus on systems, whereas human beings could also play a substantial role, voluntarily or otherwise. Some businesses try to develop a “cyber-smart employee” culture, identifying possible gaps in skills and providing training to remedy them as far as possible. Commitment from everyone is critical in this never-ending battle. What is needed is procedures, policies, training sessions, practical advice, coaching and prevention. Seeing IT fraud as being confined to hackers alone would be to take far too narrow a view.
We put too much emphasis on IT and machines, whereas they are no more than tools. A centralised approach to managing this also has merits. It is worthwhile laying down group tools and policies. Requiring 100% of payments to be encrypted and using a single ISO 20022 type format would seem to be a good solution, for example. Avoiding multiple local electronic banking systems would be a means of prevention through standardisation. Avoiding multiple interfaces, and using state-of-the-art systems, is also advisable. The new EU Directives and measures coming into force, such as the GDPR, may provide an opportunity to review and revisit certain processes to make them more robust.
But what is cyber-crime, in the final analysis?
IT crime covers all crime involving a computer and/or the internet. Computers may be used in committing the crime, or may be the targets. It is an offence committed against individuals or groups of individuals by people with criminal motives who intentionally damage a victim’s reputation or cause physical or mental harm to the victim, directly or indirectly, by using modern telecommunications networks such as the internet or mobile phones. Such crimes can threaten the security and financial health of a nation or a business and have financial and reputational consequences of unlimited extent. This is certainly a very wide definition, but it is comprehensive and covers what we are talking about.
"Subscription to cyber risks insurance policies has doubled in a year and with GDPR, it should increase even further!" - François Masquelier, Chairman, ATEL
How can we mitigate these IT risks of hacking and of both internal and external fraud? The answer will not be found in a book of magic spells. But we may be able to offer a few worthwhile tips (see the graphic below). These are only basic outlines to which everyone should add their own prevention measures. Let us bear in mind, too, that there are some initiatives in existence that are worth highlighting: for example, SEPA mail DIAMOND, which has been introduced in France for the secure transmission of IBAN bank details (the problem lies, once again, in the lack of standardisation and the lack of real will on the part of certain banks); SIS ID, which checks the match between the account number and the identifier by awarding a score; dedicated anti-fraud modules such as those offered by KYRIBA, based on big data and behavioural analysis, to isolate suspect behaviour; and the many online training courses on prevention.
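The two checks the paragraph above describes (verifying transmitted IBAN bank details, and matching the account number against the vendor identifier before a payment is released) can be illustrated with a small screening routine. This is an added example, not code from SEPA mail DIAMOND, SIS ID, KYRIBA or the author; the vendor identifiers and IBANs are constructed sample values (the IBANs are the standard published example IBANs, not real accounts).

```python
import re

# Constructed vendor master file: identifier -> IBAN on record. Not real accounts.
VENDOR_MASTER = {
    "ACME-001": "GB82WEST12345698765432",
    "GLOBEX-002": "DE89370400440532013000",
}


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters A..Z to 10..35, and the resulting integer mod 97 must be 1."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def screen_payments(payments, master=VENDOR_MASTER):
    """Return (payment_id, reason) alerts for a batch before it is released.
    A checksum failure, an unknown vendor id, or an IBAN that differs from the
    vendor master (the classic 'changed bank details' fraud) all block release."""
    alerts = []
    for p in payments:
        ref, vid, iban = p["id"], p["vendor_id"], p["iban"]
        if not iban_valid(iban):
            alerts.append((ref, "invalid IBAN checksum"))
            continue
        known = master.get(vid)
        if known is None:
            alerts.append((ref, "unknown vendor id"))
        elif re.sub(r"\s+", "", known).upper() != re.sub(r"\s+", "", iban).upper():
            alerts.append((ref, "beneficiary IBAN differs from vendor master"))
    return alerts


# Constructed payment batch: one clean, one typo/tampered IBAN, one valid IBAN
# on the wrong vendor, one vendor id not in the master file.
SAMPLE_BATCH = [
    {"id": "P1", "vendor_id": "ACME-001", "iban": "GB82 WEST 1234 5698 7654 32"},
    {"id": "P2", "vendor_id": "ACME-001", "iban": "GB82WEST12345698765433"},
    {"id": "P3", "vendor_id": "GLOBEX-002", "iban": "GB82WEST12345698765432"},
    {"id": "P4", "vendor_id": "INITECH-009", "iban": "DE89370400440532013000"},
]

if __name__ == "__main__":
    for ref, why in screen_payments(SAMPLE_BATCH):
        print(f"{ref}: {why}")
```

Only P1 passes; the other three would be held for manual review by the treasury team, which is the point of the identifier-to-account matching the paragraph describes.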
Don’t be easy prey!
Countering IT risk or cyber-risk is the responsibility of everyone, particularly treasury departments which, because of their high volumes, are very exposed and are the targets of choice. They are natural prey. We have offered you a few tips for averting these risks. It is through the widest-ranging and most coherent combination of these methods that success can be achieved, and that the onset of risk can be averted. The way to limit risk is through the use of these cutting-edge, powerful and secure tools, by applying a coherent group strategy, with special alerts and by following best practice. You need to identify the risk, protect yourself against it, detect it or the signs of heightened risk, and react appropriately and recover if need be (in the last resort). One of the best means is training and sharing the feedback from experience. Obviously, you can take out insurance; but this is no magic bullet, and the insurer will ask for evidence of the action you have taken to ensure the risk is kept down to the minimum. Having insurance does not mean you can relax and rely on the systems in place. Quite the opposite: you have to keep on demonstrating to the insurer that you are continuing to enhance your prevention and protection measures. You need to revisit them and improve them continuously, unfortunately. If there is an incident, you can be sure that either the premium, the excess or the insurer will change. Managing IT risks is a culture, a mindset and a way of working. And we should not forget that top management must set the tone. Another key component for success in this relentless struggle is the cohesiveness of the people involved and the stakeholders.
"The number one priority for Corporate Directors is cyberattacks (according to a recent survey from Akin Gump Strauss Hauer & Feld)." - François Masquelier, Chairman, ATEL
It has been said: “When it comes to security, the digital transformation demands an approach that has been radically reshaped compared to the traditional approaches, together with comprehensive methodologies to tackle the threat, from keeping a watch and surveillance through to managing attacks and crises” (Bertrand Hasnier, Sopra Steria Consulting). We cannot advise treasurers and CFOs strongly enough that they should radically review their strategic approaches to managing IT risk. Because the hackers have not yet finished with us, especially if you think about Steve Jobs’ words: “It’s more fun to be a pirate than to join the navy.”