Treasurers Must Join the Fight against Cybercrime
The World Economic Forum (WEF) has estimated that failure to defend against cyber attacks will have an aggregate impact on the global economy of around US$3 trillion by 2020. Meanwhile, the Lloyd’s Risk Index in 2013 found that cyber risk is among the top concerns for more than 500 C-level executives around the world.

Indeed, 2014 was a bumper year for cybercriminals. The biggest US bank, JP Morgan, admitted a data breach affecting 6m households and 7m businesses. In the same year, South Korea lost the banking records of over 20m customers.

To date, the largest cyber attack in terms of the scale of damage - to reputation and data - was last December’s attack on Sony Pictures. Most of the company’s financial systems and other critical systems were disrupted or damaged for several weeks.

As the custodian of corporate funds, the treasury function plays a significant role in safeguarding the organization from cybercriminals intent on perpetrating financial crime, or causing operational losses and reputational damage.
Three Areas of Concern to Treasurers
Given the relentless pace at which the scale of cyber attacks has increased, organizations need to take urgent action to combat cybercrime. The treasury function has a role to play in three crucial areas:
  • Profit: Cybercrime can have an impact on company profits, due to data loss or manipulation of financial transactions and payments. Treasury needs to keep oversight on the protection of company ‘crown jewels’, such as data vaults and company funds.
  • Company Reputation: There has been a relentless rise in cyber terrorism, where hacktivists target companies because of their business activities, business ethics or who their customers are. Successful cyber attacks could damage a company’s reputation with customers, regulators and partner organizations. In turn, the company’s operational revenues and costs may be affected.
  • Strategic Budgets: Treasury has to oversee the budgets and funding allocation for fighting cybercrime. This means dedicating increased budgets to the technology-focused first, second and third lines of defense in their companies. For example, investment in people, process and tools in the IT department (first line), IT risk management (second line) and IT audit (third line) can be increased.
Identifying What Needs to be Protected
Organizations should develop an information governance framework, to identify what needs to be protected.

Such a framework would comprise identifying information owners, understanding the information lifecycle, setting classification criteria and implementing suitable controls based on the sensitivity of the information.

As the custodian of the company’s investment, funding and strategic activities, the treasury function can take a lead in helping senior management identify the types of data which must be protected from cybercriminals.

Traditionally, the emphasis has been on protecting customer data or personally identifiable information. However, the cyber threat also extends to company-sensitive information such as funding, mergers and acquisitions (M&As), investment decisions and other strategic matters that are within the purview of the treasury function - either in a support role or as the lead.
An Organization-wide Approach
Having strategic insight into cyber risks and understanding the impact on your core business is paramount.

No plan is complete without accountability. While cyber security can be driven by the IT department, or by the IT risk and security experts within that function, it is ultimately the responsibility of everyone within the organization, as cyber attackers are intent on damaging or stealing business assets, corporate and customer information, and disrupting business operations.

While the IT function must get the buy-in from the organization’s leaders, it is the treasury function that can take the lead to support IT through recognition of the impact of the cyber threat to company profits.

The treasury function can escalate the need for cyber vigilance to the board, which must demonstrate due diligence, ownership and effective management of cyber security risk.

Insufficient governance and risk management of third parties and business vendors may give hackers the opportunity to exploit loopholes in the system.

The treasury function should therefore ensure adequate funding has been allocated for the company’s risk functions to effectively manage information risk in terms of its interactions with external parties.

Lastly, an effective cyber security plan must take into account business continuity and crisis management. Is the company ready to minimize the impact, should a breach take place? Are communication processes set up to ensure timely and accurate information flow?
Going Beyond Technology
Having security tools integrated into the organization’s technology framework is essential as a starting point. However, tools cannot be a substitute for a coherent cyber security strategy.

The treasury function can help the company embrace an approach where a holistic and robust cyber security strategy drives the investment and selection of technological tools in the cyber defence toolbox. This is opposed to blindly investing in technology tools before figuring out the right process and people to integrate the whole.

While technology can play a key role in averting attacks, the human factor is the weakest link when it comes to prevention and must be addressed. Key staff must be properly trained so that they are sensitive to potential vulnerabilities. Effort must be made to develop a security culture.

For example, social engineering, where hackers manipulate employees to gain access to systems, remains one of the biggest risks that organizations face.

Spear phishing is the most common attack vector used to gain entry to a company’s critical systems. Due to insufficient awareness of the methods and threats posed by cybercriminals, staff may fall prey to these cyber attacks, allowing the crafty cybercriminal to bypass or undermine the IT security defenses in place.

Organizational methods to assess and report cyber security risks have to be developed. Protocols for determining risk levels and escalation procedures should be determined as well.
Data and Intelligence
The company’s risk functions must understand how threats and attacks evolve and learn how to anticipate them. What are the red flags? When should alarm bells start ringing?

For them to do so, intelligence is necessary. Treasurers should ensure that the company invests in threat intelligence - via partner organizations and vendors - so that it can analyze external and internal threat patterns to understand various threats. The company must also be fully aware of the short, medium and long-term risk implications.

Data is vital. The company must be able to collect and use the internal data available to get a complete picture of any unusual activities, data traffic and patterns of behavior. Often, organizations remain oblivious for months to the fact that their cyber security has been breached.

The use of data analytics and detection tools will allow companies to better detect and respond to incursions.

This insight may allow treasury to come to more sensible security investment choices, reducing overall cost. It will also allow the company to have a response plan ready to hand.
Conclusion
Organizations have been focused mostly on technology and preventive measures. Yet, the millions of dollars invested into cyber security systems have proven to be insufficient.

As a key enabler of the fight against cybercrime, the treasury function must take the lead to ensure that cybercrime, and its potential impact on company reputation and profits, is minimized.

Treasury can help to put cybercrime onto the board’s and senior management’s agenda for strategic direction, so that adequate investments are made across the various functions in the company to manage cyber risks.
The article was contributed by Daryl Pereira, Partner at KPMG in Singapore. The views expressed are his own.
© 2016 KPMG Services Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.