Forging a united front
Why CFOs and treasurers should pay attention to cybersecurity
Darryl Yu 21 Sep 2017
On a manic Monday in July, several journalists awoke to find themselves in possession of unaired episodes of HBO’s popular Game of Thrones TV series. In a crudely written email, hackers claimed that they had successfully infiltrated HBO and had stolen 1.5 terabytes of data from the media company. Demanding a ransom of six months’ salary of the entire HBO organization, the hackers soon started releasing unaired episodes of the show along with personal details of stars involved with the series.
 
While shocking and unprecedented, it represented yet another attack on a major institution by hackers. In the financial services realm, hackers carried out the infamous Bangladesh Bank robbery in 2016. The bank heist involved false Swift messages being sent out with the intention of stealing US$951 million from the central bank of Bangladesh. Though most of the transaction attempts were blocked, the hackers were still able to withdraw US$101 million from the Bangladesh Bank account. According to BAE Systems’ Cyber Defense Monitor 2017, 75% of Asia-Pacific C-suite executives believe the number of cyberattacks will increase, raising fears of more cyber trouble ahead.
 
Responding to the growing threat of cyberattacks, many companies around the world have begun investing in technologies and software to foil attacks. According to research firm Gartner, global spending on security products and services is predicted to reach US$86.4 billion in 2017, an increase of 7% from last year. MarketsandMarkets, another research firm, predicts that the size of the cybersecurity industry will grow by an average of 11% a year to US$231.94 billion by 2022 from US$137.85 billion in 2017.
 
It is clear that to fend off cybersecurity risks, the conversation should involve everyone in an organization, most especially the CFOs and treasurers. With a large number of commercial transactions taking place electronically, there is a growing probability that fraudulent payment cases and disruption of treasury operations will emerge.
 
Tasked with ensuring the financial health of the company, many of these treasury professionals are just starting to factor in the financial consequences of a cyberattack on their organization.
 
“Organizations need to become aware that there is a problem here. There are a lot of companies that are still thinking it’s not going to happen to them. You are seeing this mind shift between different regions around the world,” shares Sean Duca, vice president and regional chief security officer for APAC at Palo Alto Networks, designer of firewalls and network security software.
 
Phishing, an attempt to obtain sensitive information via electronic channels, is often the basic way hackers gain access to a company’s system. Other types of hacks include pretexting, baiting, and tailgating, all with a common objective of getting a user to reveal information about themselves.
 
According to a recent survey by Palo Alto Networks, around 71% of Hong Kong companies admit that cyberattacks have become more sophisticated. “The sophistication is more around the timing and the approach,” explains Duca. “Don’t think that every attack out there is advanced and sophisticated. Because at the end of the day some of the largest breaches we have seen are due to someone reusing a user name and password multiple times across the organization.”
 
Financial regulators around Asia are placing a greater focus on the impact of a cyber financial attack. The Hong Kong Monetary Authority (HKMA), for example, last year launched its Cybersecurity Fortification Initiative (CFI) in an effort to encourage awareness in the city’s financial sector. Under the scheme, banks would have to self-evaluate their cyber defense measures, foster professional training on cybersecurity and have a cyber intelligence-sharing platform established.
 
Singapore is likewise placing the topic of financial cybersecurity under the spotlight. Late last year, the Monetary Authority of Singapore (MAS) forged a partnership with the Financial Services Information Sharing and Analysis Centre to create an Asia-Pacific intelligence centre that will consolidate information about such attacks.
 
In terms of safeguarding a treasury function, it all starts with a standardized process, especially when it comes to making payments, says Paul Davis, regional chief financial officer Asia for Allianz Global Corporate and Specialty SE (AGCS).
 
“If we have standardized and well controlled processes we naturally reduce the potential for fraud. Where there are any non-standard processes they are flagged and scrutinized for security purposes,” he says. “Technology has been in place a number of years to control treasury. You got to remember before technology was so prevalent there has always been a key awareness of paying the wrong person and fraud in financial payments.”
 
As well as dealing with outside cyber threats, Davis reminds companies to keep track of any internal cyber risks coming from employees. Employees in particular could be the weakest internal point for an organization, especially if they are not trained properly on processing sensitive information. A clear, balanced segregation of duties, for instance, was cited as a good measure against any internal issues.
 
“You need control over authority levels; you basically shouldn’t give anybody more authority than you are willing to grant,” states Davis. “We have a system which is low-touch. With the advent of automation and restrictions on human intervention we can reduce internal fraud risk.”
 
EY’s Global Information Survey back in 2015 found that 44% of executives consider employees the greatest cybersecurity vulnerability in their organization. As a result, there should be greater collaboration between the IT department and staff, especially when it comes to addressing proper cyber process.
 
“Our IT department provides reminder training emails occasionally to keep the topic of IT security fresh in people’s minds,” explains Dane Birdseye, group treasury and insurance manager at Cochlear Limited. “Staff need to be informed and aware to ensure that they are watching out for things that are suspicious. When something appears that is not normal we question it.”
 
Birdseye is seeing greater cooperation in battling cyber crimes. “It’s a joint responsibility among IT, internal audit, accounts payable and treasury to identify risks and create mitigation solutions,” he says. “Everyone should contribute to the IT Security strategy through policies and procedures.”
 
A company’s financial counterparties, such as banks, should also be examined in order to identify any cyber holes within their systems. It wasn’t too long ago that Indian banks were the victims of a cyberattack that caused the State Bank of India to replace around 600,000 compromised debit cards. “For me everyone needs to learn from these cyber events,” Birdseye notes. “Banks are probably best placed to share that knowledge with their customer base. If they could provide information as to how a particular event occurred and what we should look out for would be helpful.”
 
Normally dealing with factors such as liquidity risk and foreign exchange risk, treasury professionals need to start quantifying cyber risk as part of the overall risk management of a company. “I would suggest to executives and managers to sit down and work out whether the price of the data is correctly reflected on their balance sheet because if there is a subsequent loss or vulnerability of customer records you won’t have customers’ trust anymore,” highlights Davis.
 

For Duca, changing the mindset towards cyber risk starts from the top. “We need to look up to our leaders and if they are instilling those cyber security values then you follow them. Empower business leaders where they would see cyber as a form of risk for the business.”
