EIU - Third-Party Risks - The Cyber Dimension PDF
CONTENTS
2 About this research
3 Executive summary
5 Chapter 1: Why treasury is a target
6 The top treasury scams
7 Business email compromise
9 Chapter 2: The vulnerabilities of treasury
9 Outsourcing and control issues
10 Third-party security
11 Chapter 3: The treasury response
12 Training and education
13 Working with IT
14 External validation
14 Industry variation
16 Conclusion
16 Create a security programme
16 Basic process improvements
16 Securing pay-to-procure
17 The human factor
17 Culture shift
• Catherine Fields, assistant treasurer and director of global risk management, Hitachi Data Systems
The Economist Intelligence Unit bears sole responsibility for the content of this report.
The findings and views expressed in the report do not necessarily reflect the views of the
sponsor. This report was edited by Renée Friedman.
EXECUTIVE SUMMARY
Corporate treasury is now a top target for cyber-criminals. Treasury’s trove of personal
and corporate data, its authority to make payments and move large amounts of cash
quickly, and its often complicated structure make it an appealing choice for discerning
fraudsters.
The potential losses are huge. Hackers infiltrating individual companies have stolen tens
of millions of dollars in a single attack. The stock price of breached companies falls and
CEOs are sacked. Data losses create reputational damage and lawsuits from inside
and outside the company. Even mergers and acquisitions can be derailed or altered
in value to the tune of hundreds of millions of dollars, as in the case of telco Verizon’s
acquisition of internet company Yahoo!
Evidently, cyber-security is not an issue that treasurers can ignore. This report, written by
The Economist Intelligence Unit (EIU) and sponsored by Deutsche Bank, investigates the
state of treasury cyber-security and identifies what needs to be done to improve it.
Key findings
Our research found that most treasurers believe their companies are doing well at
implementing basic security measures. They have moved aggressively to strengthen
their cyber-defences by initiating penetration testing to check for internal and external
vulnerabilities, updating software systems to evade new lines of attack, and taking
steps to limit company network and data access to both employees and third parties.
Companies are also training employees on fraud.
However, our research also found serious gaps in corporate defence, including
vulnerabilities hidden within third parties and their subcontractors. Indeed, a significant
minority of respondent companies are missing some basic security precautions.
Nineteen percent of companies do not check whether their suppliers use the same
methods for identity authentication as they do. This leaves an open door for fraud.
According to 18% of companies surveyed, only a minority of clients and suppliers follow
the same or similar regulatory and compliance rules as they do.
Because 14% of companies do not insist that information security requirements which
currently apply to third parties also be extended to their subcontractors, they are giving
cyber-criminals the opportunity to steal data.
Only 38% of companies require all of their third parties and suppliers to perform
penetration testing. This may be risky, given the increasing number of data and other
network security breaches that have been reported.
Hackers are also aware that many companies still do not take cyber-security seriously. In
February 2017 consultancy Deloitte found that only 5% of FTSE 100 companies disclosed
having a director responsible for cyber risks.1 This suggests a worrying misalignment with
internal priorities, given that 71% of corporations identified IT systems failure among their
principal concerns, and 72% highlighted a cyber-attack as a risk.
Institutional investors are also increasingly worried about board commitment to cyber-security.
Legal and General Investment Management (LGIM), an asset management
firm, calls for compulsory cyber-audits.2 “Cyber-security is a significant risk to our investee
companies,” warns David Patt, senior analyst for corporate governance and public
policy at LGIM. “We are concerned that many responses we receive to this major
corporate risk are insufficient. Boards need to be more aware of their operational
environment and emerging threats to their business. Simply put, it can affect a
company’s value.”
Few firms are making the necessary investment: staffing levels and the seniority of chief
information security officers (CISOs) remain low. In most firms cyber-security is a nascent
competence with responsibilities spread over IT, business continuity, internal audit and
possibly a separate enterprise resource planning (ERP) team.
Certain factors make managing cyber-security especially difficult for treasurers. They are
neither fully responsible for ensuring that their departments cannot be compromised nor
completely in control of the systems, people and processes that lead to compromise.
Most treasuries are still to some extent decentralised, especially in their emerging-market
operations. This has allowed hackers to exploit local teams and systemic fragmentation.
In its Global Treasury Benchmark 2017 Survey,3 consultancy PwC found that 67% of
people involved in treasury processes do not report directly to the treasurer—such is the
level of outsourcing and the use of shared service centres (SSCs) in treasury.
According to Gerrit-Willem Gramser, group treasurer at Dutch chemicals company Akzo
Nobel, “in general the most dangerous [problems] are localised operations, where staff
has too many roles which they carry out by themselves with no real checks or have local
tools. Sometimes the local tools themselves don’t have interfaces which are sufficiently
protected. We have mitigated that risk by deploying a central process and only using
SWIFT for our bank connectivity.”
1 https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/audit/deloitte-uk-governance-in-focus-cyber-risk-reporting.pdf
2 https://uk.reuters.com/article/uk-legal-general-cybersecurity-audit-idUKKBN0TJ0TS20151130
3 https://www.pwc.com/gx/en/services/audit-assurance/corporate-treasury-solutions/publications/corporate-treasury-benchmarking-survey.html
Aashish Pitale, group treasurer at Indian industrial giant Essar Group, relies on international
vendors because, he says, “they will use the same systems globally, so I trust their systems
are prepared for cyber risks.” He believes that these international vendors have stronger
cyber-security and strengthen his own systems in terms of security robustness.
Finally, treasury is all about connectivity. It is a gateway into other core corporate
management information systems. If administrator rights in a treasury system can be
hijacked in one place, then it may be possible to access global ERP systems, global HR
systems, regional SSCs, payment factories and other key databases.
The criminals have figured all this out. Through extended reconnaissance they have
discovered that treasury remains badly protected because it often relies on systems
that were designed long before cybercrime was envisaged. Untrained treasury staff and
lethargic systems enable these criminals who face almost no prospect of capture and
spend only pennies to execute their attacks.
They can mount man-in-the-middle (MIM) attacks, in which they intercept real buyer/supplier
communications and send their own versions of invoices or payment instructions,
spoofing the email address of the company owed the money, adding their own bank
details. This way, the buyer thinks they are sending their payment to the supplier, but
they are really sending it to a hacker.
In June 2015 Europol, the law enforcement agency of the EU, announced that it had
dismantled a group of cyber-criminals active in Italy, Spain, Poland, the UK, Belgium and
Georgia, who used MIM fraud to steal €6m (US$7m), accumulated within a very short
time.
4 https://www.ic3.gov/media/2017/170504.aspx
5 http://www.csoonline.com/article/3154714/security/ransomware-took-in-1-billion-in-2016-improved-defenses-may-not-be-enough-to-stem-the-tide.html
Another approach is to deliver ransomware which, if activated, can encrypt and delete
core data or disable key treasury or ERP systems. The criminals then demand money to
decrypt the data.
These attacks, known as BEC scams or CEO fraud, differ from spam-based malware
attacks, which generally carry ransomware. They use social engineering and inside
information gathered through reconnaissance to target specific individuals with
customised, believable (but fake) emails. This is also known as spear-phishing.
BEC fraud has claimed a number of high-profile victims. On August 16th 2016 Leoni, one
of the world’s leading wire and cable manufacturers, announced a loss amounting to
approximately €40m owing to a case of BEC fraud.
In an investor presentation later that year Leoni disclosed that what they called the “CEO
fraud” had used falsified documents and identities as well as electronic communication
channels and involved rule infringements by some staff. In mitigation, the company now
checks payment transactions more stringently and has introduced additional controls
and staff training. It has also instigated both internal and external reviews of its internal
control system (ICS), its IT security, its risk-management system and the internal audit
department.
In its 2015-16 financial report FACC disclosed that although it was able to stop the
transfer of €10.9m, “it is expected that the amounts frozen in receiving accounts will
not be reimbursed in the short term”. In addition, “the loss incurred by the company as
a result of the cyber fraud also led to an outflow of liquid funds totalling €52.8m and left
FACC with an operating loss of €23.4m”.
Data, as well as money, are a target for criminals. In February 2016 social video app
Snapchat issued a blog apologising to its staff after a spear-phishing attack had tricked
an HR employee into handing over payroll information about “some current and former
employees”.
This fraud demonstrates that seemingly innocuous requests for data can result in
significant damage. In addition, with new regulations, in particular the EU’s General
Data Protection Regulation (GDPR), which enters into force in May 2018, data privacy
will be backed up with fines of up to 4% of a company’s global turnover. That email of
employee tax details could have cost the company a great deal of money. Treasury,
and every other department, need to understand the wider context.
“IT environments within companies are changing all the time. And with all that
continuous change in every area, I think we can just see how a small oversight can easily
be created,” explains Mr Gramser of Akzo Nobel. “As soon as you have an oversight,
you have a weakness, and a weakness can be penetrated. The connectivity between
the different systems is typically the weakest link.”
Cyber-criminals have noticed. As well as core treasury processes such as payments, they
are increasingly targeting ERP systems. Not only are these interesting targets in their own
right, given the data they pull together, but they are also potential conduits into other,
critical business software.
© The Economist Intelligence Unit Limited 2017
The potential impact of an ERP compromise will vary depending on the user, the ERP
implementation and the cyber-security infrastructure the company has in place. But one
company has estimated that an ERP outage could cost US$22m per minute.7 This figure
reflects the fact that large companies don’t just run one instance of their ERP software
and that so many other business-critical systems rely on ERP systems. This outage cost
does not include the costs of exfiltrated data or the reputational risk of a breach.
Third-party security
Treasury can also be hacked via third-party relationships. The now infamous Bangladesh
Bank heist, which used a combination of techniques to steal US$81m from the country’s
central bank, illustrates that not even core payment systems are 100% secure and can
be used to commit fraud. In a blog post outlining the details of the hack, cyber-security
services provider BAE Systems concluded: “All financial institutions who run SWIFT Alliance
Access and similar systems should be seriously reviewing their security now to make sure
they too are not exposed.”8 The same advice holds true for corporate treasury.
One might assume that banks have a high level of security, but it is not enough to
assume. Mr Pitale of Essar Group believes that one of the necessary items for his treasury
is having a dealing trail. All lines are registered with the bank so that they know they are
only dealing with him, and cross-verification takes place on a different line to ensure the
data are correct.
Treasury departments must ask their bank questions about security and the money-
management systems as well as the portals they use. Key questions include: Do they use
a secure email system to protect confidential communications? Do they employ
strong/two-factor customer authentication? Do they offer the ability to check the IP address
of logins and match them with pre-assigned customer addresses? And do they look for
unusual patterns of behaviour in customer accounts? If not, then they are insecure at a
fundamental level.
7 https://www.onapsis.com/onapsis-discovers-and-helps-mitigate-new-critical-cyber-security-vulnerabilities-affecting-all-sap
8 http://baesystemsai.blogspot.co.uk/2016/04/two-bytes-to-951m.html
The risk posed by insecure third parties, which hackers can use as conduits into their
target organisation, is widely recognised. In many cases, this lesson has been hard won.
“We are all interconnected—suppliers, customers, subcontractors or manual payments
processor,” says Yves Gimbert, group treasurer of French utility company ENGIE. “I
would say we all face the consequences of the theory that we are all only as strong as
the weakest link. And the weakest link will be the one with a low corporate culture of
protection.”
Chart 1: Third-party authentication: the sectors with the lowest percentage of authentication testing (% respondents). Manufacturing: 43%.
The share of companies actively bringing third parties into compliance with their own
standards ranges from 81% to 94% on several measures. But there are still open targets:
19% of companies do not check to see if their suppliers use the same authentication
strategy, which may conceal a gap in security protection by third parties.
It was obviously a scam to Mr Azie. “[The CEO] doesn’t ask me to move money,” he
explains. But the example underscores the need for employee training and education—
at every level of the organisation.
Chart 2: Employees by type (permanent, contractor, third-party) receiving training by type on access to company network server segments (% respondents). Source: The Economist Intelligence Unit.
According to the treasurers surveyed, companies are doing a good job in terms of
training. For example, 92% require formal training of permanent employees concerning
the extent of access to company network server segments.
Mr Gimbert of ENGIE notes that his company expanded its security procedures three
years ago, and today its training is co-ordinated between corporate treasury and
corporate IT security. This training includes cyber-security, phishing and malware. The
training focuses on treasury fraud, payment fraud and fraudulent attempts from people
posing as the company CEO or third parties receiving payments from the company. “As
threats constantly evolve, these training programmes must be repeated on a regular
basis,” he says.
Blind spots remain across the companies surveyed, however, especially with respect to
third parties. Nearly 48% of respondents say their third-party vendors provide informal
employee training on cyber risks associated with the company for which they are
working, while 7% provide no employee training, either formal or informal.
Working with IT
Perhaps the most important measure that treasurers can take is to maintain a healthy
collaboration with their IT and cyber-security teams. At ENGIE, the treasury is involved
in securing the company’s customer database, which contains records of some 15m
individuals, and its ability to collaborate with IT is essential, explains Mr Gimbert. “We
work hand in hand with the IT department as the company moves more data and more
functions to cloud-based solutions. Every new change that involves fraud or cyber risk
is audited and tested by the company’s IT function working in conjunction with the
treasury team.”
This need for collaboration is echoed by Mr Pitale of Essar Group. He has mandated that
an IT employee is physically located within the treasury department.
But the ability and inclination among treasurers to work with IT vary hugely. Ms Fields
is assistant treasurer at Hitachi Data Systems, but her role extends well beyond her
immediate department. “I am also our director of global risk management, which
means I also handle insurance,” she explains. As a result, she is deeply involved in cyber-security.
“I have a very broad-reaching perspective when it comes to cyber because
I am also responsible for making sure that I am comfortable with the level of coverage
that we have with respect to cyber-insurance. This means that I am working very closely
with IT on security issues.”
This organisational division is definitely a security concern for the company in question.
External validation
One of the ways in which treasury can co-operate with IT is in designing external tests
of their systems. Penetration (pen) testing is a common, basic technique in which
experts are hired to attack company systems from the inside and the outside to reveal
weaknesses.
Significantly, 33% of all companies do not conduct external pen testing. “This is where
corporates are probably falling a bit short,” says Ms Fields. “We tend to be more reactive
and defensive as opposed to getting out there working with our business partners as we
should, especially with anyone who has access to our network.”
All survey respondents report that their company has conducted some type of pen
testing, either internal only, external only or both internal and external. However, only
59% report that their companies have carried out both types of penetration testing. The
remaining firms are leaving themselves needlessly vulnerable.
Chart 3: Sector variations in penetration testing regime (% respondents): internal testing, external testing, and both internal and external testing, for chemicals, automotive, professional services, transportation/travel & tourism, and agriculture & agribusiness. Source: The Economist Intelligence Unit.
To address this matter, Hitachi Data Systems has stepped up mutual efforts with third
parties to make sure that the right security measures are in place. Last year the company
hired its first CISO to oversee this effort to enhance security protection with third parties.
Chart 4: Penetration testing by third parties (% of companies requiring pen testing by third parties). “We don’t ask”: 4%.
Industry variation
Our survey also reveals substantial variance in the apparent sophistication of various
industries. While highly regulated industries are tackling cyber-security head-on, many
companies outside these sectors are not taking it as seriously as they should.
Only 44% of respondents in the construction and real estate industry say that a majority
of their suppliers do penetration testing. In the chemicals sector, 35% say a majority do.
By contrast, 89% of aerospace/defence sector companies report that all their third
parties and suppliers conduct penetration testing.
The survey also indicates that industries which are traditionally less digitised are also
less sophisticated when it comes to cyber-security. Repeat outliers in our survey are the
construction, manufacturing and agricultural sectors. This may be because they have
fewer digital assets to attack and more physical assets to focus on, but their treasury
assets are no less worthy of protection.
Chart 5: Sector variations in requiring third-party penetration testing (% respondents), for construction & real estate, chemicals and aerospace/defence. Source: The Economist Intelligence Unit.
CONCLUSION
A new generation of organised, sophisticated and economically driven cyber-criminals
has identified corporate payment processes as a source of low-risk profit. Treasurers may
own these processes, but they have a limited ability to counter cyber threats directly. So
what can treasurers do to ensure that treasury is not the cause of the next big cyber loss?
There are key areas for improvement.
• Banks which process the payments and provide electronic banking platforms;
• SWIFT and SWIFT bureaus which may provide bank connectivity solutions;
• BACS, EBICS, NACHA and other ACH bureaus and third parties which may provide
payment solutions;
• Centralise system access. Control and secure that access through strong
authentication. This is largely a central IT task, but treasury should ensure that its needs
are fully represented in the process and that IT understands treasury-specific security
measures such as SWIFT’s 3SKey;
• Make cash visible: fraud prevention relies on accurate knowledge of what money
should be where, and when;
Securing pay-to-procure
Perhaps most important, treasurers must ensure that control of the procurement process
takes cyber-security into account and that their area of the payment workflow is secure.
This requires the following measures:
• Ensure that the division of responsibility between treasury and procurement regarding
authentication and data protection is clear;
• Secure banking information and interfaces. For example, access to vendor master
data should be highly restricted;
• Ensure payment approval rights are clear, appropriately restrictive and regularly
audited, and reconcile all payments daily to spot any irregularities immediately;
• Isolate the treasury workstation from employee devices and other potential threat
sources.
• Mitigate the factors that may prompt an insider threat. What might motivate an
employee to steal from their employer, and how can it be addressed?
• Consider the use of external behavioural science consultants to review the potential
for insider dissatisfaction and threat;
• Look at systems and processes not simply from the perspective of their resilience to a
determined external attacker, but also to an insider who has the correct authorisation
and access to core systems but whose aim is theft or destruction of data.
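The pay-to-procure measures above (vendor master data as the reference for bank details, approval rights that are restrictive and auditable, and daily reconciliation) and the invoice-swap pattern described in the man-in-the-middle discussion, worked through as an added example. This is not code from the report or from any treasury system; the vendor master, approval matrix, payment batch and bank statement are all constructed, and the IBANs are the published example values for their countries. Payment P2 is the fraud pattern: a real vendor and an account number that passes the IBAN checksum, but not the account treasury verified at onboarding.

```python
"""Pre-release checks and daily reconciliation for an outgoing payment batch (added example)."""
import re

# Constructed vendor master data: bank details treasury verified out of band at onboarding.
VENDOR_MASTER = {
    "V1001": {"name": "Cable Supplies GmbH", "iban": "DE89370400440532013000"},
    "V1002": {"name": "Logistique SA", "iban": "FR1420041010050500013M02606"},
}

# Constructed approval matrix: the largest amount each approver role may release.
APPROVAL_LIMITS = {"treasurer": 1_000_000, "cash_manager": 100_000}

# Constructed payment batch for one day. P2 carries a checksum-valid IBAN that is not the one on file.
PAYMENT_BATCH = [
    {"id": "P1", "vendor": "V1001", "iban": "DE89370400440532013000", "amount": 250_000,
     "created_by": "a.lee", "approved_by": "m.koch", "approver_role": "treasurer"},
    {"id": "P2", "vendor": "V1001", "iban": "GB29NWBK60161331926819", "amount": 400_000,
     "created_by": "a.lee", "approved_by": "m.koch", "approver_role": "treasurer"},
    {"id": "P3", "vendor": "V1002", "iban": "FR1420041010050500013M02606", "amount": 80_000,
     "created_by": "j.roy", "approved_by": "j.roy", "approver_role": "cash_manager"},
    {"id": "P4", "vendor": "V1002", "iban": "FR1420041010050500013M02606", "amount": 150_000,
     "created_by": "a.lee", "approved_by": "j.roy", "approver_role": "cash_manager"},
    {"id": "P5", "vendor": "V9999", "iban": "DE00370400440532013000", "amount": 12_000,
     "created_by": "a.lee", "approved_by": "m.koch", "approver_role": "treasurer"},
]

# Constructed bank statement for the same day: (payment reference, amount debited).
STATEMENT_DEBITS = [("P1", 250_000), ("P3", 80_000), ("P7", 9_500)]


def iban_checksum_ok(iban):
    """ISO 13616 mod-97 check: move the first four characters to the end, map A..Z to 10..35
    and require remainder 1. This proves the string is well formed, not that it is the right account."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1


def check_payment(payment, master=VENDOR_MASTER, limits=APPROVAL_LIMITS):
    """Return the control failures for one payment; an empty list means it may be released."""
    findings = []
    if not iban_checksum_ok(payment["iban"]):
        findings.append("malformed IBAN")
    vendor = master.get(payment["vendor"])
    if vendor is None:
        findings.append("vendor not in master data")
    elif payment["iban"] != vendor["iban"]:
        findings.append("bank details differ from vendor master")   # the invoice-swap signature
    if payment["created_by"] == payment["approved_by"]:
        findings.append("creator approved own payment")            # segregation of duties
    if payment["amount"] > limits.get(payment["approver_role"], 0):
        findings.append("amount exceeds approver limit")           # unknown role has limit 0
    return findings


def review_batch(batch, master=VENDOR_MASTER, limits=APPROVAL_LIMITS):
    """Map payment id -> findings for every payment that must be held back."""
    held = {}
    for payment in batch:
        findings = check_payment(payment, master, limits)
        if findings:
            held[payment["id"]] = findings
    return held


def reconcile(batch, debits, held):
    """Daily reconciliation: every debit on the statement must match a released payment
    (in the batch, not held, same amount). Return (reference, amount, reason) irregularities."""
    released = {p["id"]: p["amount"] for p in batch if p["id"] not in held}
    irregular = []
    for ref, amount in debits:
        if ref not in released:
            irregular.append((ref, amount, "no released payment with this reference"))
        elif released[ref] != amount:
            irregular.append((ref, amount, "amount differs from released payment"))
    return irregular


if __name__ == "__main__":
    held = review_batch(PAYMENT_BATCH)
    for pid, findings in held.items():
        print(f"HOLD {pid}: {', '.join(findings)}")
    for ref, amount, reason in reconcile(PAYMENT_BATCH, STATEMENT_DEBITS, held):
        print(f"IRREGULAR {ref} {amount}: {reason}")
```

The checksum and the master-data comparison answer different questions: a swapped account in a BEC invoice is usually a perfectly well-formed IBAN, so only the comparison against details verified out of band catches P2. Holding P3 (self-approved) and then seeing its reference debited on the statement is exactly the kind of irregularity the daily reconciliation is there to surface.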
Culture shift
Cyber-security requires a change of culture. Companies are designed to compete with
each other for customers and profits. In general, neither they nor their staff are equipped
to defend themselves against hostile, criminal attackers intent on intrusion, deception
and theft. Knowing about and recognising the tell-tale signs of fraud is one thing, but
maintaining the correct level of scrutiny of people and processes can lead to the
perception of a Big Brother environment. A balance has to be struck between a level
of monitoring that interferes significantly with the day-to-day running of the department
and an overly lax security environment that invites cyber-criminals.