In the UK, cyber incidents categorised as “highly significant” have increased by 50% compared with a year ago, causing disruptions to essential services, according to the UK National Cyber Security Centre (NCSC). In response, the UK government’s upcoming Cyber Security and Resilience (Network and Information Systems) Bill and NCSC guidance will require organisations to establish documented incident response plans, with playbooks and other relevant artefacts ready and tested as part of the wider cyber-attack preparedness journey.
Businesses often think of cyber attacks as an IT problem, but they are a danger to the whole business, with financial, reputational and regulatory impact. The treasury function is at the centre of this problem since it controls liquidity, payment systems and access to important financial assets. This makes it a prime target for hackers. Ransomware and social engineering are two common types of attack that can stop cash flow, freeze transactions and even bring the business to a complete standstill.
Because of this, the treasury team has both an operational and a strategic role in ensuring that finances remain strong and stable throughout a cyber crisis.
Key considerations for treasury to be better prepared for, and during, a cyber attack:
1. Immediate payment freeze
- The treasury lead should liaise with banking partners and alert them to block all outgoing payments until payments are approved under the agreed delegation of authority. It is prudent, as part of the cyber attack preparedness journey, to decide who within treasury and the wider finance team can execute such decisions. The head of legal should also be involved, as in most cases they would be listed as a director on the banking partner’s mandate.
- Ensure that emergency contact protocols with banks are up to date and proactively engage with banks to determine the best and most secure method of communication.
2. Validate liquidity access
- Treasury should work with senior management to ensure access to emergency crisis credit lines and cash reserves via secure, out-of-band channels.
- As an emergency workaround, collaborate with the business to consolidate manual payroll and critical vendor payment processes in order to ensure the company has sufficient working capital and cash to sustain the emergency, which could last several weeks.
3. Secure banking credentials
- Regularly update and secure credentials for treasury systems and banking portals to ensure access is strictly on a need-to-know basis.
- Access management, in general, should be enforced with multi-factor authentication and least-privilege access.
4. Activate the treasury business continuity plan
- Switch to offline approval matrices and document where you can. Rely on manual workarounds and execute these processes when systems are down to ensure business continuity.
- Document the list of critical treasury systems, including IT, and understand the backup plan and the time required to restore coverage for these systems. Ensure such backups are stored securely and can be retrieved easily when needed. While IT and cyber support these efforts, the treasury function must take accountability for working with such teams and communicating what is required from a data and systems perspective.
5. Monitor for fraudulent instructions
- Implement strict dual verification for all payment requests. For instance, consider including voice callbacks and secondary approvals.
- Train the team with scenario-based playbooks for social engineering attempts during a crisis.
6. Coordinate with finance and legal departments
- Align on contractual liability, wider obligations and cyber insurance. Additionally, the coverage of such insurance should be actively reviewed by treasury and the wider finance team.
- Support the legal function on any documentation for potential regulatory reporting.
7. Engage with cyber and IT teams
- Validate the integrity of treasury systems before resuming operations, to assess safety and the risk of further contamination.
- In alignment with the in-house team and external firms, as relevant, support forensic checks on payment files and banking integrations.
8. Prepare cash flow protection plan
- Build an emergency liquidity forecast for immediate needs and a short-, medium- and long-term plan.
- Prioritise essential payments (payroll and critical suppliers).
9. Communicate with executive leadership
- Provide real-time updates on financial exposure and liquidity status.
- Participate in crisis decision-making for ransom stance and recovery costs.
10. Documentation
- Maintain a secure log of all actions taken for audit and insurance claims.
- Preserve evidence of fraudulent attempts or compromised transactions to facilitate investigation and prosecution.
One of the most overlooked aspects of cyber incident response is communication. When primary systems, including email and messaging platforms, are compromised, organisations risk losing the ability to coordinate. The solution is secure out-of-band communication channels, which operate independently of corporate networks and provide encrypted messaging and voice capabilities.
These channels allow executives, treasury and crisis teams to:
- Share instructions without attacker surveillance.
- Access offline copies of critical playbooks and financial contingency plans.
- Cascade messages quickly to internal and external stakeholders.
Pivotal role of treasury
In conclusion, cyber security is an enterprise-wide responsibility, and treasury plays a pivotal role in safeguarding financial stability during a crisis. A cyber attack can disrupt payments, affect liquidity and have a ripple effect across all business functions and on bodies such as regulators, with significant reputational impact. With the UK government emphasising documented response plans and resilience measures, businesses must integrate treasury into their cyber playbooks and establish secure offline communication channels to ensure coordination when digital systems fail.
Preparing now is a strategic imperative to protect assets, maintain trust and enable rapid recovery in an increasingly hostile cyber landscape.
About the author
Aben Pagar is a director at Konexo, part of Eversheds Sutherland