With their fingers on the corporate purse strings, and a growing role in setting and executing business strategy, treasurers act as the lynchpin of any large business. With this increasingly prominent role, however, come many risks. With their hands on the levers that control, manage and secure a company’s finances, treasurers are becoming the favoured targets for cybercriminals. According to a recent study by HSBC, 82% of treasurers cite cybersecurity as their biggest concern.

The same report also noted that treasurers are increasingly tasked with understanding and mitigating cyber risks as part of the significant expansion of the role’s duties over recent years. They have come to play a key part in managing a company’s complex risks, regulatory oversight and treasury technology.

At the same time, treasurers also have ultimate responsibility for many of the areas most commonly targeted by cybercriminals – including cash balances, global bank connectivity, high-value payments processing, and the maintenance of repetitive payment instructions. As digital transformation continues to reshape the finance function, there is potential for bad actors to exploit any vulnerability in the network, and the human link in the chain is often seen as the weakest.

“Treasurers are often the keepers of all treasury knowledge, which is clearly both a strength and weakness,” says treasury expert David Faller, an adjunct lecturer in professional studies at Northwestern University, and senior vice president of capital markets at Associated Bank.

“As they have the authority to initiate activities like wire transfers and have links into all the connecting internal and external systems, saving passwords or, worse, a single sign-on (SSO), hacking into this account can quite literally give you the keys to the banking and finance car,” Faller continues. “Mitigation through dual authorisation can help but, in reality, hacking into a treasurer’s accounts opens a potential treasure trove of access.”

Close the purse strings

Cybercrime is a lucrative business. Indeed, the World Economic Forum estimates that the direct damage from cybercrime cost the world $6.3trn in 2021, equating to 6.3% of the total global economy. Lured by such huge profits, cybercriminals will inevitably keep on finding new and ingenious ways to break into a victim’s virtual vaults.

Furthermore, hackers seem happy to target businesses across all industries and of all sizes. PwC’s ‘Global Economic Crime and Fraud Survey 2022’ shows that cybercrime is the main cause of fraud in industrial manufacturing, the public sector, health, technology, telecoms and many other sectors – and is a close second to customer fraud in several others. For companies of all sizes, the survey showed that cybercrime was the cause of around one-third of all fraud experienced.

Understandably, the perception of risk is growing, not least because of the growing number of successful data hacks, phishing attacks and ransomware operations.

For his part, Faller notes that the vulnerability of treasurers is something that companies – and treasurers themselves – generally recognise, even if cybersecurity is sometimes seen as a mere IT issue. Certainly, the information security team should play a major role in securing the network, and the firewalls around specific systems should not be within the remit of the treasurer, but cybersecurity is nonetheless a matter for everyone within any given organisation.

“Both the treasurer and the information security team have important roles,” Faller says. “IT will understand the tech architecture and environment, but treasurers will understand how the systems interlink to the external world in a deeper way than the average IT executive. I would see them both as having complementary and necessary roles.”

Treasurers are working more closely with cybersecurity personnel to standardise policies and – though their risk profile has grown and they have become more visible on the radar of cybercriminals – that collaboration means the situation is far from hopeless. Among other things, the process of digital transformation across large organisations is moving them away from inflexible legacy systems that have a number of inherent vulnerabilities.

Yet if there are plenty of proactive measures that treasurers can take to keep their operations secure, they must first ensure they fully understand the nature of the threat.

“Treasurers need to understand that cyber risk can take many forms,” Faller says. “Most focus on the risk to their firm but hacking into Firm A can be a conduit to Firm B. Say a hacker gets into the systems of a smaller Firm A – which is most likely relatively easy – and Firm A has a business relationship with a large firm, B. By accessing A’s systems, they can gain valuable information on things like payment details or billing schedules that might be used to divert payments, generate false invoices and so on.”

“It’s also important to remember that all hacking issues are not the quick, one-shot smash and grab style of theft,” Faller adds. “There can be slow-burning hacks that fly under the radar because they don’t generate individually significant thefts, but over time, these amounts can be significant. To address this, treasurers need to start thinking like hackers.”

To think like a hacker, treasurers must, among other things, understand the routes into their systems – and pay close attention to those systems and processes that could result in the most valuable hauls.

37%: the percentage of executives in the US concerned about a cyberattack on their company (source: Munich Re).

Once again, individuals are often the weak link here. Cybercriminals often find their way into a network through compromising a person with access, stealing passwords, infecting a device they might connect to the network or exerting pressure on them to disclose sensitive information. That is an issue that is harder to contain, but one which treasurers must ensure they are keenly aware of.

“It is difficult to mitigate that risk because it just takes one person to drop their guard and the door opens,” says Faller. “System monitoring, compartmentalisation, and strong cyber defences are great but they can be defeated by a single action by a human. It is a constant struggle.”

Collaboration is key

Effective cybersecurity relies on many different tools, from the purely technological to the common sense of people with priority access to sensitive information. From the treasurer’s perspective, there are some simple and clear principles that can be adhered to in order to make cybersecurity part of their daily routine.

“Valid, effective controls are the key,” says Faller. “As every firm is different, controls need to be tailored, but they must at a minimum ensure that a single person cannot instigate a start-to-finish treasury activity.”

Furthermore, whatever controls are in place, whatever cybersecurity policies are outlined and whatever technological tools are put to work to protect a network, compliance must be more than a box-ticking exercise. It should be part of the routine thinking of any senior executive or, indeed, anyone with access to a network that could become an avenue for fraud.

1,243: the number of security incidents UK firm IT Governance discovered in 2021, which accounted for 5,126,930,507 breached records. That represents an 11% increase in security incidents compared to 2020 (source: IT Governance).

“From above, companies need to be focused on creating environments specific to the risks they face, rather than the often used off-the-shelf approach,” says Faller. “They need to do the basic grunt work of understanding the size, nature and relevance of risk, and develop plans to mitigate, manage or accept the risks inherent in their organisations.”

As Faller stresses, relationships with partners, suppliers and customers can be a vector for attack, so measures to combat cybercrime cannot be taken in isolation. There needs to be a discussion around the paths of communication between companies – all of which can create vulnerabilities.

Collaboration with banking and technology partners is also essential, as all stakeholders in the payments industry face a constant battle to keep up with the innovative tools hackers are using to break the locks on corporate networks. Acting together, in short, is the only way that corporates, banks, IT providers, treasurers and information security professionals can hold back the tide of cybercrime.

Cybercrime is a game in which the rules are always changing – but with a tight defensive line, in which treasurers help call the shots, there is no reason why the bad actors cannot be kept at bay.