Treasurers Must Join the Fight against Cybercrime
Treasurers Must Join the Fight against Cybercrime
The article is published in gtnews on 16 March 2015.
The World Economic Forum (WEF) has estimated that failure to defend against cyberattacks will have an aggregate impact on the global economy of around US$3 trillion by 2020. Meanwhile, the Lloyd’s Risk Index in 2013 found that cyber risk is among the top concerns for more than 500 C-level executives around the world.
Indeed, 2014 was a bumper year for cybercriminals. The biggest US bank, JP Morgan, admitted a data breach affecting 6m households and 7m businesses. In the same year, South Korea lost the banking records of over 20m customers.
To date, the largest cyber attack in terms of the scale of damage - to reputation and data - was last December’s attack on Sony Pictures. Most of the company’s financial systems and other critical systems were disrupted or damaged for several weeks.
As the custodian of corporate funds, the treasury function plays a significant role in safeguarding the organisation from cybercriminals intent on perpetrating financial crime, or causing operational losses and reputational damage.
Three Areas of Concern to Treasurers
Given the relentless pace at which the scale of cyberattacks has increased, organisations need to take urgent action to combat cybercrime. The treasury function has a role to play in three crucial areas:
- Profit: Cybercrime can have an impact on company profits, due to data loss or manipulation of financial transactions and payments. Treasury needs to keep oversight on the protection of company ‘crown jewels’, such as data vaults and company funds.
- Company Reputation: There has been a relentless rise in cyberterrorism, where hactivists target companies because of their business activities, business ethics or who their customers are. Successful cyberattacks could damage a company’s reputation with customers, regulators and partner organisations. In turn, the company’s operational revenues and costs may be affected.
- Strategic Budgets: Treasury has to oversee the budgets and funding allocation for fighting cybercrime. This means dedicating increased budgets to the technology-focused first, second and third lines of defence in their companies. For example, investment in people, process and tools in the IT department (first line), IT risk management (second line) and IT audit (third line) can be increased.
Identifying What Needs to be Protected
Organisations should develop an information governance framework, to identify what needs to be protected.
Such a framework would comprise identifying information owners, understanding the information lifecycle, setting classification criteria and implementing suitable controls based on the sensitivity of the information.
As the custodian of the company’s investment, funding and strategic activities, the treasury function can take a lead in helping senior management identify the types of data which must be protected from cybercriminals.
Traditionally, the emphasis has been to protect customer data or personally identifiable information. However, cyberthreat also extends to company-sensitive information such as funding, mergers and acquisitions (M&As), investment decisions and other strategic matters that are within the purview of the treasury function - either in a support role or as the lead.
An Organisation-wide Approach
Having strategic insight into cyber risks and understanding the impact on your core business is paramount.
No plan is complete without accountability. While cybersecurity can be driven by the IT department, or the IT risk and security experts within the function, it is ultimately the responsibility of all within the organisation as cyberattackers are intent on damaging or stealing business assets, corporate and customer information and disrupting business operations.
While the IT function must get the buy-in from the organisation’s leaders, it is the treasury function that can take the lead to support IT through recognition of the impact of the cyberthreat to company profits.
The treasury function can escalate the need for cyber vigilance to the board, which must demonstrate due diligence, ownership and effective management of cybersecurity risk.
Insufficient governance and risk management of third parties and business vendors may provide opportunities for hackers to explore loopholes in the system.
The treasury function should therefore ensure adequate funding has been allocated for the company’s risk functions to effectively manage information risk in terms of its interactions with external parties.
Lastly, an effective cybersecurity plan must take into account business continuity and crisis management. Is the company ready to minimise the impact, should a breach take place? Are communication processes set up to ensure timely and accurate information flow?
Going Beyond Technology
Having security tools integrated into the organisation’s technology framework is essential as a starting point. However, tools cannot be a substitute for a coherent cybersecurity strategy.
The treasury function can help the company embrace an approach where a holistic and robust cybersecurity strategy drives the investment and selection of technological tools in the cyberdefence toolbox. This is opposed to blindly investing in technology tools before figuring out the right process and people to integrate the whole.
While technology can play a key role in averting attacks, the human factor is the weakest link when it comes to prevention and must be addressed. Key staff must be properly trained so that they are sensitive to potential vulnerabilities. Effort must be made to develop a security culture.
For example, social engineering, where hackers manipulate employees to gain access to systems, remains one of the biggest risks that organisations face.
Spear phishing is the most common attack vector that is often used to gain entry to a company’s critical systems. Due to insufficient awareness of the methods and threats posed by cybercriminals, staff may fall prey to these cyberattacks, allowing the crafty cybercriminal to by-pass or undermine the IT security defences in place.
Organisational methods to assess and report cybersecurity risks have to be developed. Protocols for determining risk levels and escalation procedures should be determined as well.
Data and Intelligence
The company’s risk functions must understand how threats and attacks evolve and learn how to anticipate them. What are the red flags? When should alarm bells start ringing?
For them to do so, intelligence is necessary. Treasurers should ensure that the company invests in threat intelligence - via partner organisations and vendors - so that it can analyse external and internal threat patterns to understand various threats. The company must also be fully aware of the short, medium and long-term risk implications.
Data is vital. The company must be able to collect and use the internal data available to get a complete picture of any unusual activities, data traffic and patterns of behaviour. Often, organisations remain oblivious for months that their cybersecurity has been breached.
The use of data analytics and detection tools will allow companies to better detect and respond to incursions.
This insight may allow treasury to come to more sensible security investment choices, reducing overall cost. It will also allow the company to have a response plan ready to hand.
Conclusion
Organisations have been focused mostly on technology and preventive measures. Yet, the millions of dollars invested into cybersecurity systems have proven to be insufficient.
As a key enabler of the fight against cybercrime, the treasury function must take the lead to ensure that cybercrime and its potential impact to company reputation and profits is minimised.
Treasury can help to put cybercrime onto the board’s and senior management’s agenda for strategic direction, so that adequate investments are made across the various functions in the company to manage cyberrisks.
The article is contributed by Daryl Pereira is Partner at KPMG in Singapore. The views expressed are his own.