How to address cyber vulnerabilities in corporate treasury

It is now common knowledge that cyber-criminals have their scopes trained on the corporate treasury – with many commentators agreeing it is simply a matter of time before a treasury department falls victim to a cybercrime.

It’s easy to see why treasuries are such an attractive target. Once inside, cyber-criminals are able to move large amounts of cash fast – as well as tap into rich repositories of valuable and sensitive client data. Cybercrime is now estimated to cost the global economy more than USD 400 bln a year and is expected to rise to USD 2.1 trn by 2019.

Many companies have moved aggressively to shore up their defences. Investment in new technologies such as two-factor authentication and penetration testing, for instance, has been widespread, but evidence from a recent Deutsche-Bank-sponsored study by the Economist Intelligence Unit suggests that other key areas are often still being neglected – including the risks associated with third parties and employee errors. The same report notes that according to FBI data, between 2013 and December 2016, cyber-criminals stole USD 5.3 trn in 40,000 cases from US and international businesses.

Mitigating the risk from insecure third parties

Third parties, such as suppliers and subcontractors, are an obvious area of risk. Sensitive data is inevitably shared with external agencies in order to ensure they can provide necessary support, but this comes with strong security implications. It is surprising, then, that 19% of companies surveyed by the Economist Intelligence Unit admitted they do not check if their suppliers use the same methods for identity authentication as they do, while 14% do not insist that information security requirements for third parties are equally applied to their subcontractors. Lax practices of this kind will need to change – and fast – to avoid rolling out the red carpet for would-be fraudsters.

Perhaps most worrying of all, however, is that, while 92% of corporates now perform internal penetration testing, 33% do not conduct external testing. Equally, only 38% of companies require their third parties and suppliers to perform penetration testing of their own.

These vulnerabilities open treasuries to the risk of so-called man-in-the-middle (MIM) attacks, in which hackers intercept buyer-supplier communications via forged email accounts and send amended invoices and payment instructions to direct funds to their own accounts. To avoid this, corporates will have to ask their suppliers and partners crucial questions about their security and money-management systems, as well as the portals they use.

Understanding the human risk

One of the preferred tactics of online fraudsters is to use an employee’s insider status as a fast track to vital security information. Without the proper training, it is easier than many expect for employees to be “phished” or otherwise hoodwinked into handing over sensitive data to criminals, especially as email hoaxes become increasingly sophisticated and convincing.

Often this kind of deception is carried out under the guise of a third-party employee – perhaps requesting funds be paid into a new account. Corporates must ensure that their employees can identify these imposters and know how to deal with them.

Companies must also be wise to the prospect of the “malicious insider”. Individuals with the motivation to destroy or steal sensitive data are a particular risk if they already have the necessary permission to use it.

Whether the threat is internal or external, training is required so that employees are able to identify both transactional and behavioural irregularities that point to fraud. Particular attention must be devoted to spotting internal threats – as well as to the motivations behind such threats and the best means of addressing them.

Working with banking partners

Banks, too, have a role to play here – not least as custodians of crucial corporate data themselves. As with their other counterparties, corporates must be sure that their banks are responsible with their data. Of course, many banks are market leaders in this respect – and the best banking partners will readily share their expertise with both their employees and their clients in order to avoid common errors and ensure maximum safety.

Deutsche Bank, for example, has mandated information security training right across the bank. This involves the bank’s Chief Information Security Office training employees to recognise aberrations in client transactions and colleagues’ behaviour – creating a secondary “human firewall” beyond the protection of digital systems themselves. 

Learning from this kind of example and working together with banks to develop more robust defence strategies is a must for corporates as they face up to the realities of cybercrime. While key gaps have been plugged, others remain. It’s an abidance not to be abided.

About Michael Spiegel

Michael Spiegel is the Head of Cash Management and the Regional Head of Global Transaction Banking (GTB) Germany at Deutsche Bank. As Head of Cash Management, Michael is globally responsible for Cash and Liquidity Management solutions as well as related Foreign Exchange Management for Corporates and Financial Institutions. With nearly thirty years of professional experience at Deutsche Bank), Michael has been instrumental in the strategic development and growth of the bank’s international corporate banking proposition.

About Deutsche Bank

Deutsche Bank provides commercial and investment banking, retail banking, transaction banking and asset and wealth management products and services to corporations, governments, institutional investors, businesses, and private individuals. Deutsche Bank is Germany’s leading bank, with a strong position in Europe and a significant presence in the Americas and Asia Pacific.