Cyber-security continues to top treasurers’ priority list. No surprise when security providers such as Symantec release figures showing that business email compromise (BEC) – or CEO fraud – is affecting more than 400 companies a day. In mid-2016 Symantec reported that this type of fraud had claimed 22,000 victims around the world over the preceding three years, triggering losses of $3bn, and had reached epidemic levels.
And it’s true, BEC fraud is a big problem. In August 2016 the Romanian subsidiary of Leoni AG, Europe’s biggest manufacturer of wires and electrical cables and the fourth-largest vendor in the world, announced that it had lost €40 million to a sophisticated BEC scam. Austrian aerospace supplier FACC had lost €50 million a few months earlier.
In fact, the convergence of fraud and the digital world is leading to a ‘Model T’ moment in the industrialisation of fraud: digitalisation allows fraudsters to operate at a speed and scale previously undreamt of, and to purchase off-the-shelf kits for executing all the common forms of attack, complete with instructions and customer help desks.
But treasurers need to understand that cyber-security is as much about governance, regulation and compliance as it is about technology and clever hackers.
Governments and lawmakers largely care about consumer data. So the EU’s General Data Protection Regulation (GDPR), which applies from 25 May 2018, is largely concerned with personal data – what is often called personally identifiable information (PII). And it is the protection of personal data and general data privacy on which most jurisdictions focus.
To ensure companies act, the penalties under the GDPR are draconian. Breaches of some provisions can lead the data protection authorities to fine a business up to €20 million or 4% of its global annual turnover for the preceding financial year, whichever is greater. For other breaches, the authorities can impose fines of up to €10 million or 2% of global annual turnover, whichever is greater. These numbers far exceed the kinds of fines previously levied by national regulators, and those imposed under industry standards such as PCI DSS, which the major card brands enforce contractually rather than by law.
So while there are other significant cyber-risks – loss of commercially sensitive data, ransomware, share price and reputational impact of data breaches – the most significant is likely to be regulatory. It’s also the easiest to quantify and therefore to allocate resources to.
This is good news for treasury because it means that cyber-risk management is little different from other operational risks already managed.
First, just like the rest of treasury, it’s about basic process efficiency
Visibility: do you know what data you have? Control: who has access to what? Monitoring: can you see and influence the whole transaction chain in real time? And it’s about the application of established standards – for example ISO 27001.
Second, it is about compliance with reasonably detailed national and international laws and regulations
This is no different from the way corporates have to abide by international tax laws, KYC and AML regulations and a host of other regulations in finance and elsewhere (for example health and safety). The same basic operational concepts apply to cyber-risk management. Compliance by itself is not security, any more than it is effective risk management, but it is a way to put the foundations of security in place.
Third, it is about eliminating silos
Large organisations can have separate teams dedicated to KYC and AML, PCI DSS, GDPR/NIS, desktop security, network security, application security – the list goes on. And just as treasurers have learnt the costs of silos in finance and the underlying business, or between treasury, tax and procurement, so they will instantly recognise the dangers of silos in cyber-security.
Finally, it is about people
As BEC scams show, along with most of the other likely causes of data breach or financial loss, a company’s key vulnerability is its employees. The most cost-effective way to prevent expensive cyber-security incidents – aside from good basic IT hygiene – is education and training to create a culture that is resilient in the face of what is now the everyday occurrence of email-based attacks. Training works best when it is backed by process controls that do not depend on anyone spotting the fake: for example, verifying any change to a supplier’s bank details by calling a number already on file rather than one given in the email, and requiring dual approval for payments above a threshold.
So, while there is clearly an IT element to ensuring cyber-security, the skills treasurers – and especially international treasurers – have built up over many years of building efficient, well-governed treasury processes and teams are exactly the skills they need to see off the threat of cyber-attack.