It’s bound to happen. A corporate treasurer at a midsize company receives a confidential email marked “urgent” from the CEO with instructions to wire $750,000 to an overseas bank account as down payment on a pending acquisition.
Knowing such a deal is underway, and not wanting to question a senior leader’s directive, the treasurer quickly complies and heads home for the day.
The next morning, the treasurer awakens to a furious phone call from the CEO demanding to know why such a huge sum of money went out the door without the CEO’s personal approval. Later that afternoon, as it becomes clear the confusion is the result of a spear phishing scam and the funds have been stolen, that treasurer is fired.
Treasurers do not usually get much attention in corporations. They are typically invisible spokes in the financial wheels who process internal and external disbursements and keep the finance function running smoothly and efficiently. But recently, as treasury management systems (TMS) have gone online, treasury transactions have become exposed to the world—and to hackers.
As a result, many treasurers find themselves wearing an unexpected new hat: cybercrime fighter.
“A treasury’s trove of personal and corporate data, its authority to make payments and move large amounts of cash, and its often complex structure make it an appealing choice for cybercriminals,” according to a report from the Economist Intelligence Unit and Deutsche Bank.
Corporate treasury hacks are waiting to happen
Many of the more high-profile attacks involving treasurers have targeted government agencies. But that doesn’t mean corporate treasurers are immune. An Association for Financial Professionals (AFP) survey reports that 71% of corporations were victims of either payment fraud attacks or attempts in 2021, and nearly 70% were targeted through business email compromise (BEC), with accounts payable departments being most susceptible.
There is going to be someone, somewhere, who finds a way into your system. Treasurers need to plan for what they’ll do when that happens.
Naresh Aggarwal, associate director of policy and technical for the Association of Corporate Treasurers (ACT) in the U.K., says that while many of these attacks often fly under the public’s radar, it’s only a matter of time before corporate treasurers find their departments falling prey to the large hacks that have plagued their public-sector colleagues.
“It’s a fallacy to think that any organization can make themselves immune to attack,” says Aggarwal. “In this cat-and-mouse security game we play, there is going to be someone, somewhere, who finds a way into your system. Treasurers need to plan for what they’ll do when that happens.”
Aggarwal says treasurers, as gatekeepers to the money, do have a natural tendency to be risk managers. Unfortunately, relatively few have technology or security backgrounds.
Treasurers are becoming cyber aware
With the rising sophistication of cyberattacks and the pressing need to prevent treasury management systems from becoming digital speedways to corporate coffers, that is changing.
Indeed, treasurers in a 2022 ACT global survey (“Treasurers on High Alert”) cited cybersecurity as their primary concern, eclipsing inflation, COVID-19, geopolitical uncertainty, and environmental challenges. Eighty percent of treasurers polled said their organizations are investing in cybersecurity technologies, up from 72% in 2021.
Treasurers do not typically determine the security solutions their companies purchase, although many are involved in cyber insurance purchasing decisions. Compared with the situation a decade or so ago, they are increasingly partnering with finance, operations, and security leadership on such purchases. They also share responsibility for gaining approval for tech funding from the C-suite and board of directors.
Fighting risk and taking names
Aggarwal says the most effective corporate treasurers not only regularly connect and communicate with senior-level colleagues about risk management, but they also help plan and clarify roles and responsibilities for each function in anticipation of future cyberattacks. In addition, they keep the C-suite and board informed of the security controls they’ve deployed and the penetration testing they’ve conducted. In short, they are collaborative and communicative.
“The treasury team should never operate in a silo,” Aggarwal stresses. “It is important for them to lead conversations in this financial risk-management space. And that means they will need to fully understand the cyber-risks, even if they don’t understand all the technical details behind them.”
To help organizations head off a hack, and minimize damage in the event one occurs, treasurers speaking with Endpoint recommend the following steps.
1. Help establish global security policies. According to ACT, the treasurer should work with senior cybersecurity leaders to create and enforce consistent security policies, particularly those related to payments. Policies should include a series of digital checks and balances to prevent spear phishing scenarios, in which employees are tricked into transferring money to third-party accounts. Aggarwal says policies could also involve creating a “payments champion” to scrutinize large disbursements prior to finalizing them.
2. Ensure IT prioritizes the treasury function. IT leaders often allocate the most attention to departments that have the greatest number of users accessing its systems. But Royston Da Costa, assistant group treasurer at Ferguson, a $23 billion plumbing and heating company, says cybersecurity leaders should be just as concerned about protecting critical assets like a company’s treasury as they are about its endpoints.
When he first joined his company 20 years ago, Da Costa sought premium security support for his department, which had only four employees at the time. The IT team initially dismissed the request. “We were relegated to no-man’s-land,” he recalls. “It took me quite a while to change their minds.”
Eventually, Da Costa managed to convince IT that the main issue was the risk that treasury managed, not how many people used the systems. “That was a big eye-opener for them,” he says. “In those days, we managed about $2.1 billion worth of funds. As soon as they got that, the bells went off and they put us at the top of their priority list.”
3. Establish a treasury-specific cybersecurity program. In its report, Deutsche Bank noted that if cybersecurity is an objective, treasury should have its own cybersecurity management initiative, ideally aligned to a corporate strategy—and that strategy should extend to all people and processes likely to interact with treasury, including everyone in corporate treasury, the banks that process a company’s transactions, SWIFT bureaus that provide bank-connectivity solutions, automated clearinghouses that provide payment solutions, and credit card processing providers.
4. Embrace current technologies. Treasury management systems are critical for managing a company’s cash flow and risk. But systems engineered years ago may lack the security features needed to fend off modern cyber threats. Even if they are more recent, systems can still be vulnerable if they aren’t regularly updated or patched.
We managed about $2.1 billion worth of funds. As soon as [the IT team] got that, the bells went off and they put us at the top of their priority list.
ACT recommends that treasury departments regularly assess whether they are running current TMS versions and whether they have enough internal IT resources to operate and secure the system. If a treasury department decides to design or deploy its own proprietary technology, Da Costa further recommends confirming that the company’s CISO has signed off, to avoid potential compatibility or support issues down the road.
5. Train, train, train. Even with the best and most current technology, however, vulnerabilities always creep in. “The main weakness in cybersecurity is humans and always has been,” says Chris van Dijl, an international treasurer, trainer, and founder of business management consultancy Cugavadi. “Fraudsters are becoming much cleverer about taking advantage of people, and they can outrun any treasury department that isn’t adequately prepared.”
Security professionals say it’s vital—especially with many employees working from home—to instruct workers about secure payment processes as well as current phishing, social engineering, and malware threats. While 69% of employees in a 2021 TalentLMS and Kenna Security survey said they had completed cybersecurity training, 61% failed follow-up quizzes.
At the end of the day, corporate treasurers must play a more active role in the cybersecurity of their organizations. This means stepping up, making their presence felt, and leading by example to secure their company’s money.
Because if they don’t, there’s no guarantee anyone else will. After all, the buck stops with them.