Source: KPMG Corporate Treasury News, Edition 43, May 2015 - Economic losses add up to more than 50 billion euros a year in Germany alone and as much as a trillion dollars worldwide. Every second company is affected – witness prominent examples such as Sony, JP Morgan and, of late, even the Bundestag, the lower house of the German parliament.
There can be no question that awareness of the threat of digital attacks has risen alarmingly in recent years, not least due to media coverage. Given the number of unrecorded cases that likely go unnoticed, or that companies consciously conceal for fear of damage to their reputation, the actual scale of the problem is probably even greater. Either way, the World Economic Forum expects the losses caused by cyber-attacks – be they espionage, data theft or deliberate sabotage – to triple worldwide between now and 2020.
In light of the potential impact on corporate treasury functions, it is therefore important to ask why treasurers should concern themselves with this kind of threat within their sphere of responsibility, and where steps must be taken to guard against specific threat scenarios. To borrow the term IT security experts use to denote data and information that require special protection, what are the treasury's "crown jewels"? Answering this question is of fundamental importance: If you don't know what you need to protect, you won't do it.
One thing is clear: The scope of responsibilities grouped together in a treasury department is what determines the nature and scope of sensitive information. Where a central unit does everything from managing liquidity and financial risks to defining investment and financing strategies, the indirect consequences of having relevant information fall into the wrong hands should be obvious. At the same time, digital attacks and manipulation will directly affect a company's earnings in particular in areas where financial transactions and payments are processed. Attacks on payment transaction systems can lead to mistakes in remittances or even directly impair a company's ability to pay its bills.
To identify specific threat scenarios in the payment transaction environment, it is necessary to examine the entire process chain for standard outgoing payments – from the moment the invoice is received to electronic transmission of the cash out instruction to the bank. This chain spans a whole series of individual checks and approvals (such as invoice verification, payment orders, signature verification, maintenance of recipients' master data and bank approval), some of which are performed manually or with the support of a variety of systems (such as the ERP system, the treasury management system and electronic banking applications). The result? There are any number of points at which payment transactions can be intercepted and manipulated during this process and/or at the IT level. Anyone who knows enough about the controls to be sidestepped and the technological environment in general can thus siphon off significant amounts of money from the company. Attacks launched in this context are normally not one-time offensives, but slow processes that gradually assimilate knowledge about the weaknesses inherent in processes and systems. Paradoxically, the danger is heightened where payment transaction processes are more heavily centralized, to the extent that the central treasury departments responsible for payment factory concepts are no longer able to check the correctness of every individual operational transaction before they are forwarded to the bank.
Only in very rare cases does the real threat stem from archetypal external hackers who infiltrate systems via the Internet and manipulate payments or, for example, penetrate secure but standardized communication channels with regular banks. The majority of IT security incidents occur "on location" at a given company and are triggered by current or former employees with enough savvy to identify and exploit relevant security loopholes. It makes no difference whether the weaknesses are of a technical or process nature. At second glance, seemingly harmless questions about who is responsible for vendor master data appear far less innocuous. The issue at stake, after all, is the data for payment recipients which, if suitably manipulated, can be used to reroute remitted amounts. Nowadays, attempts to leverage "social engineering" in order to gain access to confidential company information are a regular feature of many cyber-attacks.
The key question for treasurers thus relates to steps that must be taken to contain the potential threats. Isn't it the IT department's job to deal with cyber-security and avoid IT and security risk exposure? In this context, IT is primarily responsible for establishing a comprehensive security management system that protects, monitors and constantly screens networks and systems both during regular operation and whenever new developments are made or versions are launched. However, this kind of security management can only be sensibly established if responsibility for the data and information is firmly anchored in the relevant specialist departments. Which is precisely where treasurers come in: First and foremost, they need to know what their "crown jewels" are and what potential threats exist. This assessment helps them make the case for funding and budgets for security measures in negotiations with the management. At the same time, it helps them prioritize and assess the effectiveness of IT's proposals and recommendations – and thus to avoid aimless investments in technology for technology's sake.
True, technology will always play an important part in any no-gaps strategy to guard against cyber-attacks. But it is never the only issue. In treasury functions – mainly in the context of payment transactions, on account of their direct monetary impact – the human factor remains the principal target of premeditated attacks and attempts at manipulation. The important thing is therefore to cultivate an awareness and understanding of security issues among staff, keep them sufficiently informed and trained to deal with topical scenarios such as social engineering, and take adequate steps to prepare them for exceptional situations such as emergencies and system outages. In treasuries, as in other departments, no one knows when a cyber-attack will strike. By establishing a comprehensive security culture and taking integrated precautionary measures on both the human and IT levels, however, it is at least possible to substantially reduce the likelihood that attacks will do serious damage to a company's bottom line and reputation.
Author: Michael Baum, Senior Manager, firstname.lastname@example.org
© 2016 KPMG AG Wirtschaftsprüfungsgesellschaft, ein Mitglied des KPMG-Netzwerks unabhängiger Mitgliedsfirmen, die KPMG International Cooperative (“KPMG International”), einer juristischen Person schweizerischen Rechts, angeschlossen sind. Alle Rechte vorbehalten.