
Corporate treasurers must urgently strengthen continuity plans, communication strategies and basic cyber hygiene to remain resilient in the face of increasingly sophisticated cyber threats, according to experts speaking at the Association of Corporate Treasurers’ recent Treasury Forum panel.
Aisling Kavanagh, partner at Deloitte, chaired the discussion on “Countering cyber threats and remaining resilient” with two senior cyber leaders: Tim Kolk, head of strategic cyber intelligence at HSBC, and Simon Viney, global accounts head of consulting and cyber security lead at BAE Systems.
Kolk emphasised that treasurers need to understand that cyber threats are driven by human actors. “Think of threats as humans and right now the big threat is ransomware,” he said. “These are the ones who get into your network, they will drop encryption fields, they’ll steal data and they’ll extort you.”
Viney agreed that while high-profile ransomware attacks dominate headlines, “the slightly lower scale… version of that is the fraud aspect. Can they get access to a payment system? Can they trick someone into doing a fraudulent payment somehow? Obviously, there are treasury implications for that.”
Both speakers warned that complex and often aging treasury systems create blind spots, especially where multiple vendors or legacy systems are involved. Kolk cautioned that treasurers must understand “how many of those [systems] are reliant on suppliers you’ve never heard of before. If one of these suppliers is hit, how do I remain resilient so I can keep serving my customers?”
Viney added that access control within treasury platforms requires particular attention: “Does everything use multifactor authentication? Because it absolutely should. Relying on just passwords to access any system that handles money is a really bad idea these days.”
The panel warned that many business continuity plans (BCPs) remain outdated or unusable in a real crisis. Viney stressed that treasurers must identify “the critical operational processes that you have to keep going”, asking: “What systems do you depend on?” And he cautioned against plans stored solely on corporate devices: “Please do not just keep it on your IT device. The IT devices won’t be able to access it.”
Kolk noted that ransomware incidents often trigger clients to disconnect wholesale, meaning treasurers must prepare for broken APIs, undelivered data feeds and blocked email domains. “Having a communications plan about what’s happening even if they’re blocking your domain” is now essential, he said.
The speakers repeatedly returned to the theme of process discipline. Fraud attempts often succeed not because of advanced technology but human shortcuts. “Overwhelmingly what we see, particularly with the fraud side, is processes not being followed,” warned Kolk. “Even if it is someone who’s claiming to be a CEO, it’s really important that there’s a process in place and you just follow it.”
Viney reinforced that treasurers must empower staff to challenge instructions. “It doesn’t matter if it’s someone senior asking,” he said. “The junior person knows that the right answer is stick to the process and will be supported in doing that.”
Asked to identify the most important actions treasurers should prioritise, Kolk was unequivocal: “Number one is multifactor authentication. Most incidents are a result of not having it.” He added: “Second, keep your device up to date. Download updates right then and there.”
Viney’s final recommendation was to test resilience plans. “Do a tabletop walkthrough,” he urged. “Do you understand what’s critical and how you would keep those processes running if either you or a supplier had a ransomware attack?”
Philip Smith is editor of The Treasurer