Introduction from Nadya S Hijazi

    Global Head of Digital, Global Liquidity and Cash Management and
    Business Banking, HSBC


    Welcome

    “Cyber threats that were previously unthinkable are now daily news”*. With the threat to treasury teams continuously morphing, finance professionals need to be well prepared. We partnered with Celent to explore this topical issue and have discovered that many treasury teams are not as prepared as they need to be.

    The report highlights that a full 77% of organisations have not yet identified a cyber scenario that could affect them and over one third (37%) do not have an understanding of their exposure to cyber risk. To complicate matters, the research emphasises the key risk that all treasurers must grapple with: that cybercrime and the cyber fraud landscape are constantly shifting with an ever-growing range of attack mechanisms and increasingly sophisticated tools.

    Two attack vectors in particular stand out: the use of ransomware and the rise of treasury fraud. Both are explored in this report, including specifically, how business email compromise and internal fraud remain key threats to treasurers.

    As custodians of an organisation’s cash, treasurers have a key role to play in the fight against cybercrime. By being strategic about this issue, treasurers can go a long way to mitigating the threat. To help you, the report highlights some of the best practices that treasurers should adopt, including taking a risk based approach, better using technology and education and the role of insurance.

    I hope you find this an informative read.

    * Marsh & McLennan Cyber Handbook, 2016

    Celent Report

    Cybercrime and cyberfraud in the news

    Source: Various

    "The cyberthreats that many companies previously considered to be unthinkable are now daily news. To avoid becoming another headline, organisations must prepare for the worst — including the unthinkable."1

    Introduction

    Many treasurers are tasked with understanding and mitigating cyber-risks. That is due in part to the fact that corporate treasurers’ responsibilities have expanded significantly in recent years to include management of the company’s complex risks, regulatory oversight, and treasury technology. Treasurers also have ultimate responsibility for many of the areas most commonly targeted by cybercriminals, including cash balances, global bank connectivity, high-value payments processing, and maintenance of repetitive payment instructions.

    82% of treasurers cited cybersecurity as their number one concern 2

    The treasury and finance professionals surveyed for the ACT’s annual survey cited “cybersecurity” as their number one concern (82%), followed by “other geopolitical uncertainty excluding Brexit” (69%) and financial markets volatility (67%). With breaches becoming more frequent and severe, it is no surprise that treasurers are prioritising cybersecurity.

    The report looks at how corporate treasury organisations can centralise, automate, and streamline management, technologies, processes, and controls for a sounder and more resilient cybersecurity and cyberfraud framework.

    The Cybercrime and Cyberfraud Landscape

    Even though the number of targeted cyberattacks is growing by double digits annually, many medium- and large-sized corporations still do not devote sufficient resources to cyber-risk management.1

    The state of cyber risk management at a glance

    Source: 2017 Marsh/Microsoft Global Cyber Risk Perception Survey, Celent analysis

    As shown in the above graphic, based on the Marsh/Microsoft Global Cyber Risk Perception Survey, 70% of organisations have not developed a cyber incident response plan, and 43% of organisations do not have board-level responsibility for the review and management of cyber-risk.

    The cybercrime and cyberfraud landscape is constantly shifting, with a wider range of attack vectors and more sophisticated attack tools. The graphic below from digital identity provider ThreatMetrix details attack vectors across five major categories. Appendix 1 describes each of those categories.

    Quickly evolving attack vectors

    Source: ThreatMetrix Periodic Table of Cybercrime Attacks eBook, Celent analysis

    In the Marsh/Microsoft Global Cyber Risk Perception Survey, organisations recognised a wide variety of threats arising from cyberattack vectors, with business interruption (75%) ahead of reputational loss (59%) as the number one threat deriving from loss scenarios. Recent high-profile cyberattacks, after which companies have seen their operations disrupted, have raised awareness of their capacity to impact daily business operations.

    Which cyber loss scenarios present the greatest threats to your organisation?

    Source: 2017 Marsh/Microsoft Global Cyber Risk Perception Survey, Celent analysis

    Although the list of rapidly evolving attack vectors is a long one, two stand out. One, ransomware, rose to prominence in 2017; the other, treasury fraud, is a growing concern of finance professionals.

    Focus on Ransomware

    WannaCry, Petya, GoldenEye, CryptoLocker, Locky – ransomware is a constant presence in the 2017 news cycle. According to the Europol European Cybercrime Centre (EC3), ransomware is malware that locks your computer and mobile devices, or encrypts your electronic files, demanding that a ransom be paid (often using bitcoin) in order to regain control of your data.

    Source: The 12 worst types of ransomware, John E Dunn, Computerworld UK, 27 June 2017

    Ransomware can be downloaded through fake application updates or by visiting compromised websites. Malicious emails disguised as routine correspondence, such as invoices or delivery notifications, were the favoured means of spreading ransomware. In 2016 security firm Symantec detected 463,841 ransomware attacks with an average ransom amount of USD1,077, up from USD294 a year earlier.3

    Bitcoin remains the currency of choice for the payment for criminal products and services in the digital underground economy and the Darknet. Bitcoin has also become the standard payment solution for extortion payments.

    According to The Guardian, victims of WannaCry were asked to pay between USD300 (GBP228) and USD600 in ransom to unlock the files taken hostage. About 230,000 computers worldwide are believed to have been infected. After the May 2017 attack, hackers withdrew GBP108,000 of bitcoin ransom, as law enforcement tried to track owners’ bitcoin accounts by following the transactions in bitcoin’s blockchain distributed ledger.4

    Focus on Treasury Fraud

    Treasury-specific threats include payment fraud, supplier fraud, business email compromise, imposter fraud, ransomware, account takeover, and fake invoices and purchase orders.

    Payments Fraud

    According to the Association for Financial Professionals (AFP), after a period of substantial declines, payments fraud is on the increase.

    Per cent of organisations that experienced attempted and/or actual payment fraud, 2006-2016

    74% of finance professionals report that their companies were victims of payments fraud in 2016. This is the largest share on record, exceeding the previous record-high share of 73% in both 2009 and 2015, and significantly higher than the percentages reported between 2011 and 2014. It suggests that fraudsters are continuing to succeed in their attempts to attack organizations’ payment systems.5

    The AFP says that 36% of respondents whose organisations experienced payments fraud report that the fraud attempts increased in 2016 compared to 2015. Not surprisingly, larger organisations with annual revenue of at least USD1 billion were more likely than smaller companies to have experienced an increase in fraud activity over the past year.

    Analysing the AFP trend data, Celent calculates that the overall rise in payments fraud from 2013 to 2016 was largely driven by a 229% increase in wire fraud, the preferred payment method for Business Email Compromise (BEC) scams.

    Trends in payments fraud activity

    Source: 2017 AFP Payments Fraud and Control Survey

    According to the AFP, the fact that wire fraud is being reported at an elevated level indicates that BEC scams, unfortunately, continue to be prevalent and effective.

    Business Email Compromise

    According to the US Federal Bureau of Investigation, Business Email Compromise (BEC) and Email Account Compromise (EAC) scams continue to grow, evolve, and target small, medium, and large businesses. BEC is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. EAC targets individuals who perform wire transfer payments. As the techniques used in BEC and EAC scams have become increasingly similar, the FBI Internet Crime Complaint Center (IC3) began tracking these scams as a single crime type in 2017.

    BEC/EAC by the numbers, October 2014 to December 2016
    • 40,203 domestic and international incidents
    • 131 countries in which BEC/EAC has been reported
    • USD5.3 billion total domestic and international exposed dollar loss
    • 2,370% increase in identified exposure losses between January 2015 and December 2016
    • USD72,000 average loss per US victim versus USD305,000 average loss per non-US victim

    Source: US Federal Bureau of Investigation Public Service Announcement, Alert Number I-050417-PSA


    Trend Micro’s 2017 Midyear Security Roundup indicates that US corporates should particularly be on alert. Thirty-one per cent of BEC scams so far in 2017 have been against companies in the United States, followed by Australia (27%), the UK (22%), Norway (5%), and Canada (3%).

    Money mules receive the fraudulent funds in their personal accounts and are then directed by the subject to quickly transfer the funds to another bank account, usually outside the US. Upon direction, mules may open bank accounts and/or shell corporations to further the fraud scheme. IC3 also found that Asian banks located in China and Hong Kong remain the primary destinations of fraudulent funds; however, financial institutions in the United Kingdom have also been identified as prominent destinations.6

    Based on complaints filed with the FBI Internet Crime Complaint Center (IC3), there are five main scenarios by which BEC and EAC fraud is perpetrated. Appendix 2 contains detailed descriptions of each of the categories.

    Five main BEC and EAC scenarios
    • Business working with a foreign supplier: a business that typically has a long-standing relationship with a supplier is requested to wire funds for an invoice payment to an alternate, fraudulent account.
    • Business executive receiving or initiating a request for a wire transfer: a request for a wire transfer from a business executive's compromised account is made to a second employee within the company who is typically responsible for processing these requests.
    • Business contacts receiving fraudulent correspondence through compromised email: requests for invoice payments to fraudster-controlled bank accounts are sent from a hacked employee's personal email account to multiple vendors identified from this employee's contact list.
    • Business executive and attorney impersonation: victims may be pressured by fraudsters identifying themselves as lawyers to act quickly or secretly in handling the transfer of funds, often timed to coincide with the close of business of financial institutions.
    • Data theft: fraudulent requests for W-2 or personally identifiable information (PII) data, sent from a business executive's compromised email, are used to impersonate targeted employees.

    Source: US Federal Bureau of Investigation Public Service Announcement, Alert Number I-050417-PSA, May 4, 2017

    Internal/Occupational Fraud

    According to the Association of Certified Fraud Examiners (ACFE), internal fraud, also called occupational fraud, occurs when an employee, manager, or executive commits fraud against their employer.

    In the ACFE’s most recent global study of fraud cases, the total loss exceeded USD6.3 billion, with an average loss per case of USD2.7 million. The highest percentage of fraud cases involved asset misappropriation (83%), including false billing schemes, pilfering inventory, stealing payments in transit, and altering cheques. Descriptions of each of the categories can be found in Appendix 3.

    Frequency and median loss of asset misappropriation schemes

    Source: Report to the Nations on Occupational Fraud and Abuse, 2016 Global Fraud Study, ACFE

    The ACFE also surveyed respondents about the steps fraudsters took to conceal their schemes. Creating and altering physical documents were the most common concealment methods, but fraudsters also manipulated accounting system transactions, altered electronic documents, and deleted journal entries.

    Fighting back: Who is doing what?

    The fight against cybercrime is entering a new era of collaboration. A few examples include:

    • In late 2016, officials from agencies in 30 countries – including the US Justice Department, Europol, and the United Kingdom's National Crime Agency – collaborated with private cybersecurity companies and academics to take down an extensive online criminal infrastructure called “Avalanche.” Criminals had been using the platform since 2009 to mount phishing attacks, distribute malware, shuffle stolen money across borders, and even act as a botnet in denial of service attacks.7
    • In early 2016, law enforcement agencies from Belgium, Denmark, Greece, the Netherlands, the United Kingdom, Romania, Spain, and Portugal – with further support from Moldova and other countries – joined forces in the first coordinated European action against money muling. The operation was also supported by Europol, Eurojust, and the European Banking Federation (EBF).8
    • The United Kingdom is opting into a new intelligence-sharing programme with EU law enforcement agency Europol, in an effort to boost cross-border action against terrorism and cybercrime.9
    • The Financial Services Information Sharing and Analysis Center (FS-ISAC) is extending its US charter to share information between financial services firms worldwide.10

    There are six key interconnected and interrelated groups joining forces in various combinations to combat cybercrime and cyberfraud:

    Interconnected and interrelated groups joining forces
    • Regulators: strengthening the regulatory framework, e.g. EU Network and Information Security Directive, US Cybersecurity Act, EU General Data Protection Regulation (GDPR), ASEAN Cyber Capacity Programme (ACCP).
    • Law enforcement: increasing public/private collaboration between public agencies and with private security professionals, e.g. No More Ransom!, European Money Mule Action, Shadowserver Foundation, and INTERPOL Global Complex for Innovation.
    • Financial institutions: comprehensive cybersecurity framework, periodic risk assessments, continuous monitoring, extensive controls, internal and customer education, and fraud prevention services including complimentary antivirus software, white list services, IP filtering, strong authentication, and payment change alerts.
    • Financial networks: reinforcing SWIFT network security through the SWIFT Customer Security Programme rules, attestation, and information sharing portal; Daily Validation Reports; and the Payment Controls service (2018).
    • Industry groups: ECB Committee on Payments and Market Infrastructures (CPMI)/Board of the International Organization of Securities Commissions (IOSCO) guidance on cyber resilience, AICPA System and Organization Controls for Cybersecurity.
    • Technology providers: incorporating emerging technologies such as behavioural analytics, artificial intelligence, risk scoring, and behaviour-based profiling.

    Source: Celent.

    Best Practices

    Celent believes that cybercrime and cyberfraud must be recognised as technology, operational, and business issues, not just an IT departmental mandate. Cybersecurity must be managed in alignment with a firm’s enterprise risk and operational risk frameworks.

    Taking a risk-based approach

    As discussed in Treating Cyber-Risk as an Operational Risk (October 2016), a starting point for many organisations (including financial institutions) is to use the National Institute of Standards and Technology (NIST) framework as the foundation for more mature and sustainable cybersecurity management. The purpose of the framework is to elevate cyber-risk at the corporate level and to enable institutions:

    Regardless of size, degree of cybersecurity risk, or cybersecurity sophistication — to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.11

    The framework provides a structure and means to manage cybersecurity by assembling standards, guidelines, and practices that are working effectively in industry today. The NIST framework is organised along five interconnected functions that are known across the industry as the Cyber Kill Chain: Identify, Protect, Detect, Respond, and Recover.

    Implementing the key capabilities of the five NIST components delivers more effective cybersecurity management

    Source: Celent analysis of the NIST Cybersecurity Framework

    Leveraging Technology

    Enterprises can leverage technology to sustain a risk-based approach to cyber-risk management. This requires technologies that enable organisations to monitor complex and large volumes of data and run advanced analytics to identify potential vulnerabilities, incidents, and their impact. Very few firms should be going this alone; organisations need dedicated expert partners and advanced technical capabilities. Treating Cyber-Risk provides a sampling of cybersecurity technology vendors and consulting firms with solutions aligned to the NIST security framework, and highlights the importance of a layered approach to identifying, protecting against, detecting, responding to, and recovering from cyberthreats.

    Sampling of cybersecurity technology vendors and consulting firms (not exhaustive)

    Source: Celent. This is a selection of vendors and consultancy firms in the cybersecurity financial services space; no review or endorsement of products or services has been undertaken.


    The layered approach is reflected in controls mandated by banking regulators. For example, since 2012 the FFIEC has required US financial institutions to implement a layered security programme for high-risk internet-based systems that include fraud detection and monitoring systems, multifactor authentication, enhanced controls over account activities, enhanced control over account maintenance activities, and enhanced customer education.12

    Selecting the right security vendor, partner, and/or product is challenging not only because of the complexity of the vendor landscape, but also because the institution is not always certain of what it needs to protect. Siloed purchases, defensive purchases, or bowing to executive pressure to purchase the latest and greatest security tool have proven to be ineffective. The best way to avoid shelfware is to better educate the decision-makers on how breaches happen, why they are not addressed earlier, and what steps prevent a breach. The focus should then become selecting the right expertise for the issue at hand, and only then purchasing the right product.

    Minimising Risk

    At a tactical level, organisations can implement relatively straightforward policies to minimise ransomware and treasury fraud, two of the most prevalent risks facing organisations.

    Ransomware

    To prevent ransomware from being downloaded through fake application updates, visiting compromised websites, email attachments, or other malware, Europol’s EC3 advises the following measures:

    Ransomware dos versus don'ts

    Source: Ransomware: What You Need to Know, Europol and Check Point Technologies LTD, 15 December 2016

    Treasury Fraud

    In its 2017 survey, AFP identified a variety of actions that corporates are taking to defend against attacks. The most frequent action taken is to perform daily reconciliations (74%). Other actions include restricting payments access to company-issued laptops, and not using mobile devices except for emergency situations.

    Actions taken to defend against attackers that would compromise security

    Source: 2017 AFP Payments Fraud and Control Survey

    The most common defensive actions are increasing the frequency of reconciliations and adding security for access to bank services. Banking partners can help treasurers with implementing multifactor authentication, enabling multiple approvals, examining employee entitlements, and reviewing bank connectivity approaches.
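    As an added illustration (example code, not part of the Celent report or any bank's system), the following payment-release control combines three of the defences listed above against the first BEC scenario: a payment change alert when the beneficiary differs from the supplier master, a hold on recently changed bank details until they are verified out of band, and dual approval by distinct, entitled approvers above a threshold. The supplier records, user ids, account numbers, threshold and cooling period are all constructed assumptions.

```python
"""Treasury payment-release control (constructed example, not Celent/HSBC code).

Checks a wire request against the supplier master and the approval policy
before release: a payment change alert when the beneficiary account differs
from the account on file, a hold on recently changed bank details that were
not verified out of band, and dual approval by distinct, entitled approvers
above a threshold (the requester never counts as an approver).
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

DUAL_APPROVAL_THRESHOLD = 10_000.00  # assumed policy value
CHANGE_COOLING_DAYS = 3              # assumed: hold new details this long unless verified
APPROVERS = {"alice", "bob"}         # constructed entitlement list


@dataclass
class Supplier:
    name: str
    account: str              # beneficiary account on file in the supplier master
    account_changed_on: date  # date the account on file was last changed
    change_verified: bool     # call-back to a known contact number completed


@dataclass
class WireRequest:
    supplier: str
    beneficiary_account: str
    amount: float
    requested_by: str
    approvals: list = field(default_factory=list)  # user ids that approved


def review_wire(req, master, today, entitled=APPROVERS):
    """Return ('RELEASE' | 'HOLD', list of findings) for one wire request."""
    findings = []
    sup = master.get(req.supplier)
    if sup is None:
        findings.append("supplier not in master")
    elif req.beneficiary_account != sup.account:
        # The BEC scenario: an invoice payment requested for an alternate account
        findings.append("beneficiary differs from account on file")
    elif (not sup.change_verified
          and today - sup.account_changed_on <= timedelta(days=CHANGE_COOLING_DAYS)):
        findings.append("account on file changed recently and not verified out of band")
    # Segregation of duties: only entitled users other than the requester count
    valid = {a for a in req.approvals if a in entitled and a != req.requested_by}
    needed = 2 if req.amount >= DUAL_APPROVAL_THRESHOLD else 1
    if len(valid) < needed:
        findings.append(f"{needed} entitled approval(s) required, {len(valid)} present")
    return ("HOLD" if findings else "RELEASE"), findings


def demo():
    """Run four constructed requests through the control; returns {label: result}."""
    today = date(2017, 9, 15)
    master = {
        "Acme Parts Ltd": Supplier("Acme Parts Ltd", "ACCT-ON-FILE-001", date(2016, 1, 4), True),
        "Globex GmbH": Supplier("Globex GmbH", "ACCT-ON-FILE-002", date(2017, 9, 14), False),
    }
    cases = {
        "legitimate": WireRequest("Acme Parts Ltd", "ACCT-ON-FILE-001", 25_000, "carol", ["alice", "bob"]),
        "alternate account": WireRequest("Acme Parts Ltd", "ACCT-NEW-999", 25_000, "carol", ["alice", "bob"]),
        "self-approval": WireRequest("Acme Parts Ltd", "ACCT-ON-FILE-001", 25_000, "alice", ["alice", "bob"]),
        "unverified change": WireRequest("Globex GmbH", "ACCT-ON-FILE-002", 5_000, "carol", ["bob"]),
    }
    return {label: review_wire(req, master, today) for label, req in cases.items()}


if __name__ == "__main__":
    for label, (decision, findings) in demo().items():
        print(f"{label:18} {decision:8} {'; '.join(findings)}")
```

    Only the legitimate request is released; the other three are held with a finding that names the failed control, which is the alert a reconciliation or payments team would act on.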

    Education

    Corporate treasurers can learn more about preventing cybercrime and cyberfraud from a number of sources including Interpol, Europol, FBI, National Security Agency (NSA), NIST, and their banking partners. Many banks maintain educational microsites, publish white papers, host webinars, or organise seminars on cybersecurity strategies and tactics.

    Cybersecurity Insurance

    As proactive cyber-risk management increases, the purchase of cyber risk insurance is also increasing. The MMC Cyber Handbook 2016 states that total annual cyber premiums have reached an estimated USD2 billion and may reach USD20 billion by 2025. The US remains the largest cyber insurance market; nearly 20% of all organisations have cyber insurance, and there are yearly increases in the number of companies purchasing cyber insurance, and increases in the limits.13 Interest in cyber insurance is growing in other markets. For example, a recent Marsh survey of European Risk Managers found that nearly 25% planned to explore cyber insurance options over the next 24 months, and a survey of UK risk managers shows that 20% of companies are buying insurance.

    The Path Forward

    Boards and executive management need to look critically at the level of preparedness of their organisation for the increasing risk of cyberattacks and invest to close gaps.14

    Cyber-risks are growing in terms of both their sophistication and the frequency of attacks. Fighting cybercrime and cyberfraud requires firms to address new and complex cyber-risk management challenges that will require specialised skills, but the basis of solid protection and robust management starts with leadership from the board and the recognition that cybersecurity is the responsibility of all staff. To set the cyber-risk posture of the organisation, the board and management must determine the balance of how much cyber-risk to accept, how much to spend mitigating the risk, and where to accept and mitigate it.

    Six steps to managing cyber-risk: Number one is to start from the top

    Source: Oliver Wyman


    Overall governance must be sufficiently agile to manage for emerging threat factors, changing user behaviours, and new business opportunities. Institutions should seek to achieve a layered and risk-based approach to cybersecurity: one which goes beyond the technology aspects of cyberdefence and recognises that cyber-risk is an enterprise-wide concern. An organisation’s security strategy will be continually informed by behavioural analysis of risk data and the willingness to evaluate and introduce new cyber-risk management strategies and tactics.


    1. Go to Cyber Extremes: What to do when Digitalization Goes Wrong, Claus Herbolzheimer, MMC Cyber Handbook 2016, Marsh & McLennan Companies’ Global Risk Center

    2. The Business of Treasury 2017, Association of Corporate Treasurers (ACT), 2017

    3. Internet Security Threat Report, Volume 22, Symantec, April 2017

    4. WannaCry: hackers withdraw GBP108,000 of bitcoin ransom, Samuel Gibbs, The Guardian, 3 August 2017

    5. 2017 AFP Payments Fraud and Control Survey, Association for Financial Professionals

    6. US Federal Bureau of Investigation Public Service Announcement, Alert Number I-050417-PSA, 4 May 2017

    7. It Took 4 Years to Take Down “Avalanche,” a Huge Online Crime Ring, Lily Hay Newman, Wired, 2 December 2016

    8. Europe-wide Action Targets Money Mule Schemes, Europol press release, 1 March 2016

    9. UK opts in to new Europol intelligence-sharing programme, Helen Warrell, Financial Times, 14 November 2016

    10. About FS-ISAC, accessed 11 September 2017

    11. Framework for Improving Critical Infrastructure Cybersecurity, Draft Version 1.1, National Institute of Standards and Technology, 2017

    12. FFIEC Supplement to Authentication in an Internet Banking Environment, Financial Institution Letter FIL-50-2011, 29 June 2011

    13. The Evolving Cyber Risk Landscape, Alex Wittenberg, MMC Cyber Handbook 2016, Marsh & McLennan Companies’ Global Risk Center

    14. Cyber Risk Management: Advancing the Conversation in the Boardroom, Paul Mee, Partner, oliverwyman.com, accessed 15 September 2017
