Why treasurers’ role in the cybersecurity fight is vital

As treasurers’ boardroom presence grows, their influence on cybersecurity measures will be crucial as threats increase

We live in a world where information is circulated continuously, across various territories, without ever stopping or slowing down. In the corporate world, data is highly sensitive and growing all the time – plus, cloud and mobility are becoming ever more prevalent.

That has produced a strong need for tight data-security controls and related compliance measures, particularly in the fields of company and customer data.

Corporate treasury is the nerve centre of any organisation’s finance operations. Its reliance on IT for risk operations, real-time cash visibility and analytics is critical for timely business decisions. As treasurers are on the front line of operations, and at the centre of the banking and payments world, their need to protect assets is especially pressing.

Data security and compliance are key considerations for treasurers and CFOs in every aspect of corporate systems and applications. While IT departments and security functions aid a business in its efforts to evaluate and mitigate risks, they cannot take on those burdens alone.

A growing security threat

As such, the treasurer’s role has been elevated to an active part of the security decision-making process. Treasurers, together with CFOs, must work to encourage board-level awareness, while supporting and empowering the risk committee to research and implement necessary protocols. Treasurers must not lose focus on these matters, and must remember that theft of data can be just as damaging as theft of cash.

Risk is a crucial factor for the treasurer to manage, and compliance also plays a huge part. To remain compliant, treasury departments must tighten their controls and align with industry regulations. If controls are inadequate, greater risks can arise and the possibility of fraudulent activity increases.

Since they have access to the cash flow behind their firms’ operations and hold the keys to crucial bank accounts, treasury departments are becoming favoured targets for cybercriminals.

So, how are cybercriminals targeting – and successfully extracting – funds transferred from corporations? Simply put: through spear phishing attacks, which focus on a single user or department within an organisation. The messages are crafted to appear to come from someone within the company in a position of trust, requesting information and thereby prompting insecure acts.

In the most common variation, cybercriminals are sending emails to employees in the treasury department that appear to be from the CEO or their manager. The emails could state that they need assistance in processing a direct electronic payment for them that day. In almost every instance, that payment action is stated as urgent, and of a confidential nature.

For example, the organisation could be in the middle of purchasing another company, and the perpetrators are counting on the pressure and sensitivity of that delicate time to keep the employee from questioning the action. The FBI estimates this form of attack has already cost organisations more than $2.3bn over the past three years.

Reducing risk by keeping treasury management solutions up-to-date

What should a treasurer do to reduce the risk of their group becoming a victim of such fraudulent acts?

  1. The treasury department should have open communications with their firms’ internal risk and security teams, and invite them not just to discuss current threats, but actively educate treasury employees. This activity should not just be a one-time event, but ongoing, to ensure it stays at the forefront of employees’ minds.
  2. The treasurer should work with whoever is responsible for cybersecurity to establish, and enforce, standardised policies globally, especially regarding payments, that eliminate exceptions. If there are strict policies and controls in place and they are enforced, then even if one individual is tricked, a second checkpoint, as a minimum requirement, should prevent such fraudulent activity from recurring.
  3. The treasurer should ensure that their treasury systems support – and are configured to apply – the necessary controls and authorisations that will enforce the correct policy.

Another area that leaves treasury departments vulnerable to threats is treasury technology itself – particularly how it is managed and hosted. A treasury management system (TMS) is a key tool in the treasury department’s world, and essential to managing the company’s cash positions and risk.

It is critical that these systems are secure and properly maintained. Cyberattacks are increasingly targeting the software code that underpins applications and operating systems. With that in mind, it is imperative that key technologies are maintained and properly secured.

Treasurers should be asking the following questions about their systems:

  1. Is my TMS running a current version?
  2. Do we have enough internal IT resources to operate our treasury technical landscape and keep it up to date?
  3. Do we have the proper security staff in place?

If the answer is ‘no’ to any of those questions, then the company needs to look elsewhere. Many firms are running platforms that have been in place for years. It can take several more years to get new projects on the IT department’s radar – and often, the security team can be overwhelmed and too pressed for time to address the treasury environment.

Moving beyond inflexible legacy systems

There are many reasons why it is important for a TMS to run its latest technology or version, one of which is security.

Many of the older legacy systems had limited testing for application vulnerabilities. If a company is not running a fully supported version of its treasury solution, with up-to-date security and infrastructure updates, there is a strong chance that the system is at far greater risk of being exploited. The majority of cyberattacks target very well-known software vulnerabilities, which makes older versions far more susceptible.

However, too many companies don’t have adequate staff to keep all platforms at proper version levels, and system upgrades can take years to complete. The reality today, and moving forward, is that companies are moving more of their solutions – including TMSs – to a private cloud, or software as a service (SaaS), environment.

It is important to determine whether a private cloud or SaaS deployment fits a company’s requirements. Solutions in a private cloud are hosted in a secured, dedicated environment and are managed by vendors focused specifically on those products and services. Meanwhile, solutions in a SaaS deployment run in a multi-tenant environment, in which a single instance of software is shared with other customers.

By utilising some form of cloud services (with managed services wrapped around them), companies can relieve the parts of the organisation that are already stretched too thinly.

Newcomers to the cloud often ask whether cloud environments are sufficiently secure. With proper review and controls, a cloud/managed solution is often far more secure than running treasury solutions in-house. It is important that a vendor is an expert not only in developing and managing the software itself, but also has the required security expertise and controls.

Here are some of the benefits of such services:

  • Private cloud/SaaS providers typically have greater resources to dedicate to managing security, with resulting gains in protection and oversight;
  • By choosing a private cloud/SaaS solution, the software and the entire hosting infrastructure are continuously going through security checks to ensure any holes are remedied and the system is kept up to date;
  • Other users of the cloud platform are continuously vetting and validating the security controls that you all benefit from; and
  • Treasurers gain additional features and controls they may have had to wait years to obtain if they had continued to operate solutions in-house. Their teams are afforded the opportunity to work more efficiently and securely.

When it comes to data security and risks, treasurers are key decision-makers. They are responsible for actively monitoring the regulatory landscape and making the necessary changes to internal procedures.

There is one key characteristic that today’s treasurer must have: security consciousness – a constant awareness of potential security threats as a component of business risk. Their company’s financial condition, and its integrity, are on the line.

For further information

Visit the FIS website.
