Introduction from Nadya S Hijazi
Global Head of Digital, Global Liquidity and Cash Management and
Business Banking, HSBC
“Cyber threats that were previously unthinkable are now daily news”*. With the threat to treasury teams continuously morphing, finance professionals need to be well prepared. We partnered with Celent to explore this topical issue and have discovered that many treasury teams are not as prepared as they need to be.
The report highlights that a full 77% of organisations have not yet identified a cyber scenario that could affect them and over one third (37%) do not have an understanding of their exposure to cyber risk. To complicate matters, the research emphasises the key risk that all treasurers must grapple with: that cybercrime and the cyber fraud landscape are constantly shifting with an ever-growing range of attack mechanisms and increasingly sophisticated tools.
Two attack vectors in particular stand out: the use of ransomware and the rise of treasury fraud. Both are explored in this report, including specifically, how business email compromise and internal fraud remain key threats to treasurers.
As custodians of an organisation’s cash, treasurers have a key role to play in the fight against cybercrime. By being strategic about this issue, treasurers can go a long way to mitigating the threat. To help you, the report highlights some of the best practices that treasurers should adopt, including taking a risk based approach, better using technology and education and the role of insurance.
I hope you find this an informative read.
* Marsh & McLennan Cyber Handbook, 2016
Cybercrime and cyberfraud in the news
"The cyberthreats that many companies previously considered to be unthinkable are now daily news. To avoid becoming another headline, organisations must prepare for the worst — including the unthinkable."1
Many treasurers are tasked with understanding and mitigating cyber-risks. That is due in part to the fact that corporate treasurers’ responsibilities have expanded significantly in recent years to include management of the company’s complex risks, regulatory oversight, and treasury technology. Treasurers also have ultimate responsibility for many of the areas most commonly targeted by cybercriminals, including cash balances, global bank connectivity, high-value payments processing, and maintenance of repetitive payment instructions.
82% of treasurers cited cybersecurity as their number one concern 2
The treasury and finance professionals surveyed in the ACT’s annual survey cited “cybersecurity” as their number one concern (82%), followed by “other geographical uncertainty excluding Brexit” (69%) and financial markets volatility (67%). With breaches becoming more frequent and severe, it is no surprise that treasurers are prioritising cybersecurity.
The report looks at how corporate treasury organisations can centralise, automate, and streamline management, technologies, processes, and controls for a sounder and more resilient cybersecurity and cyberfraud framework.
The Cybercrime and Cyberfraud Landscape
Even though the number of targeted cyberattacks is growing by double digits annually, many medium and large-sized corporations still do not devote sufficient resources to cyber-risk management.1
The state of cyber risk management at a glance
Source: 2017 Marsh/Microsoft Global Cyber Risk Perception Survey, Celent analysis
As shown in the above graphic, based on the Marsh/Microsoft Global Cyber Risk Perception Survey, 70% of organisations have not developed a cyber incident response plan, and 43% of organisations do not have board-level responsibility for the review and management of cyber-risk.
The cybercrime and cyberfraud landscape is constantly shifting, with a wider range of attack vectors and more sophisticated attack tools. The graphic below from digital identity provider ThreatMetrix details attack vectors across five major categories. Appendix 1 describes each of those categories.
Quickly evolving attack vectors
Source: ThreatMetrix Periodic Table of Cybercrime Attacks eBook, Celent analysis
In the Marsh/Microsoft Global Cyber Risk Perception Survey, organisations recognised a wide variety of threats arising from cyberattack vectors, with business interruption (75%) ahead of reputational loss (59%) as the number one threat deriving from loss scenarios. Recent high-profile cyberattacks, after which companies have seen their operations disrupted, have raised awareness of their capacity to impact daily business operations.
Which cyber loss scenarios present the greatest threats to your organisation?
Source: 2017 Marsh/Microsoft Global Cyber Risk Perception Survey, Celent analysis
Although the list of rapidly evolving attack vectors is a long one, two stand out. One, ransomware, rose to prominence in 2017; the other, treasury fraud, is a growing concern of finance professionals.
Focus on Ransomware
WannaCry, Petya, GoldenEye, CryptoLocker, Locky – ransomware is a constant presence in the 2017 news cycle. According to the Europol European Cybercrime Centre (EC3), ransomware is malware that locks your computer and mobile devices, or encrypts your electronic files, demanding that a ransom be paid (often using bitcoin) in order to regain control of your data.
Source: The 12 worst types of ransomware, John E Dunn, Computerworld UK, 27 June 2017
Ransomware can be downloaded through fake application updates or by visiting compromised websites. Malicious emails disguised as routine correspondence, such as invoices or delivery notifications, were the favoured means of spreading ransomware. In 2016 security firm Symantec detected 463,841 ransomware attacks with an average ransom amount of USD1,077, up from USD294 a year earlier.3
Bitcoin remains the currency of choice for the payment for criminal products and services in the digital underground economy and the Darknet. Bitcoin has also become the standard payment solution for extortion payments.
According to The Guardian, victims of WannaCry were asked to pay between USD300 (GBP228) and USD600 in ransom to unlock the files taken hostage. About 230,000 computers worldwide are believed to have been infected. After the May 2017 attack, hackers withdrew GBP108,000 of bitcoin ransom, as law enforcement tried to track owners’ bitcoin accounts by following the transactions in bitcoin’s blockchain distributed ledger.4
Focus on Treasury Fraud
Treasury-specific threats include payment fraud, supplier fraud, business email compromise, imposter fraud, ransomware, account takeover, and fake invoices and purchase orders.
According to the Association for Financial Professionals (AFP), after a period of substantial declines, payments fraud is on the increase.
Per cent of organisations that experienced attempted and/or actual payment fraud, 2006-2016
74% of finance professionals report that their companies were victims of payments fraud in 2016. This is the largest share on record, exceeding the previous record-high share of 73% in both 2009 and 2015, and significantly higher than the percentages reported between 2011 and 2014. It suggests that fraudsters are continuing to succeed in their attempts to attack organizations’ payment systems.5
The AFP says that 36% of respondents whose organisations experienced payments fraud report that the fraud attempts increased in 2016 compared to 2015. Not surprisingly, larger organisations with annual revenue of at least USD1 billion were more likely than smaller companies to have experienced an increase in fraud activity over the past year.
Analysing the AFP trend data, Celent calculates that the overall rise in payments fraud from 2013 to 2016 was largely driven by a 229% increase in wire fraud, the preferred payment method for Business Email Compromise (BEC) scams.
Trends in payments fraud activity
Source: 2017 AFP Payments Fraud and Control Survey
According to the AFP, the fact that wire fraud is being reported at an elevated level indicates that BEC scams, unfortunately, continue to be prevalent and effective.
Business Email Compromise
According to the US Federal Bureau of Investigation, Business Email Compromise (BEC) and Email Account Compromise (EAC) scams continue to grow, evolve, and target small, medium, and large businesses. BEC is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. EAC targets individuals who perform wire transfer payments. As the techniques used in BEC and EAC scams have become increasingly similar, the FBI’s Internet Crime Complaint Center (IC3) began tracking these scams as a single crime type in 2017.
|Measure (October 2014-December 2016)|Value|
|---|---|
|Domestic and international incidents|40,203|
|Countries in which BEC/EAC has been reported|131|
|Total domestic and international exposed dollar loss|USD5.3 billion|
|Increase in identified exposure losses between January 2015 and December 2016|2,370%|
|Average loss per US victim|USD72,000|
|Average loss per non-US victim|USD305,000|
Source: US Federal Bureau of Investigation Public Service Announcement, Alert Number I-050417-PSA
Trend Micro’s 2017 Midyear Security Roundup indicates that US corporates should particularly be on alert. Thirty-one per cent of BEC scams so far in 2017 have been against companies in the United States, followed by Australia (27%), the UK (22%), Norway (5%), and Canada (3%).
Money mules receive the fraudulent funds in their personal accounts and are then directed by the subject to quickly transfer the funds to another bank account, usually outside the US. Upon direction, mules may open bank accounts and/or shell corporations to further the fraud scheme. IC3 also found that Asian banks located in China and Hong Kong remain the primary destinations of fraudulent funds; however, financial institutions in the United Kingdom have also been identified as prominent destinations.6
Based on complaints filed with the FBI Internet Crime Complaint Center (IC3), there are five main scenarios by which BEC and EAC fraud is perpetrated. Appendix 2 contains detailed descriptions of each of the categories.
|Scenario|Description|
|---|---|
|Business working with a foreign supplier|A business that typically has a long-standing relationship with a supplier is requested to wire funds for an invoice payment to an alternate, fraudulent account|
|Business executive receiving or initiating a request for a wire transfer|A request for a wire transfer from a business executive's compromised account is made to a second employee within the company who is typically responsible for processing these requests|
|Business contacts receiving fraudulent correspondence through compromised email|Requests for invoice payments to fraudster-controlled bank accounts are sent from a hacked employee's personal email account to multiple vendors identified from this employee's contact list|
|Business executive and attorney impersonation|Victims may be pressured by fraudsters identifying themselves as lawyers to act quickly or secretly in handling the transfer of funds, often timed to coincide with the close of business of financial institutions|
|Data theft|Fraudulent requests for W-2 or personally identifiable information (PII) data, using a business executive's compromised email, are used to impersonate targeted employees|
Source: US Federal Bureau of Investigation Public Service Announcement, Alert Number I-050417-PSA, May 4, 2017
According to the Association of Certified Fraud Examiners (ACFE), internal fraud, also called occupational fraud, occurs when an employee, manager, or executive commits fraud against their employer.
In the ACFE’s most recent global study of fraud cases, the total loss exceeded USD6.3 billion, with an average loss per case of USD2.7 million. The highest percentage of fraud cases involved asset misappropriation (83%), including false billing schemes, pilfering inventory, stealing payments in transit, and altering cheques. Descriptions of each of the categories can be found in Appendix 3.
Frequency and median loss of asset misappropriation schemes
Source: Report to the Nations on Occupational Fraud and Abuse, 2016 Global Fraud Study, ACFE
The ACFE also surveyed respondents about the steps fraudsters took to conceal their schemes. Creating and altering physical documents were the most common fraud methods, but fraudsters manipulated accounting system transactions, altered electronic documents, and deleted journal entries.
Fighting back: Who is doing what?
The fight against cybercrime is entering a new era of collaboration. A few examples include:
- In late 2016, officials from agencies in 30 countries – including the US Justice Department, Europol, and the United Kingdom's National Crime Agency – collaborated with private cybersecurity companies and academics to take down an extensive online criminal infrastructure called “Avalanche.” Criminals had been using the platform since 2009 to mount phishing attacks, distribute malware, shuffle stolen money across borders, and even act as a botnet in denial of service attacks.7
- In early 2016, law enforcement bodies from Belgium, Denmark, Greece, the Netherlands, the United Kingdom, Romania, Spain, and Portugal – with further support from Moldova and other countries – joined forces in the first coordinated European action against money muling. The operation was also supported by Europol, Eurojust, and the European Banking Federation (EBF).8
- The United Kingdom is opting into a new intelligence-sharing programme with EU law enforcement agency Europol, in an effort to boost cross-border action against terrorism and cybercrime.9
- The Financial Services Information Sharing and Analysis Center (FS-ISAC) is extending its US charter to share information between financial services firms worldwide.10
There are six key interconnected and interrelated groups joining forces in various combinations to combat cybercrime and cyberfraud:
- Strengthening regulatory frameworks, eg EU Network and Information Security Directive, US Cybersecurity Act, EU General Data Protection Regulation (GDPR), ASEAN Cyber Capacity Programme (ACCP).
- Increasing public/private collaboration between public agencies and with private security professionals, eg No More Ransom!, European Money Mule Action, Shadowserver Foundation, and INTERPOL Global Complex for Innovation.
- Comprehensive cybersecurity frameworks, periodic risk assessments, continuous monitoring, extensive controls, internal and customer education, and fraud prevention services including complimentary antivirus software, white list services, IP filtering, strong authentication, and payment change alerts.
- Reinforcing SWIFT network security: SWIFT Customer Security Programme rules, attestation, and information sharing portal; Daily Validation Reports; and Payment Controls service (2018).
- ECB Committee on Payments and Market Infrastructures (CPMI)/Board of the International Organization of Securities Commissions (IOSCO) guidance on cyber resilience, AICPA System and Organization Controls for Cybersecurity.
- Incorporating emerging technologies such as behavioural analytics, artificial intelligence, risk scoring, and behaviour-based profiling.
Celent believes that cybercrime and cyberfraud must be recognised as technology, operational, and business issues, not just an IT departmental mandate. Cybersecurity must be managed aligned to a firm’s enterprise risk and operational risk frameworks.
Taking a risk-based approach
As discussed in Treating Cyber-Risk as an Operational Risk (October 2016), a starting point for many organisations (including financial institutions) is to use the National Institute of Standards and Technology (NIST) framework as the foundation for more mature and sustainable cybersecurity management. The purpose of the framework is to elevate cyber-risk at the corporate level and to enable institutions:
Regardless of size, degree of cybersecurity risk, or cybersecurity sophistication — to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.11
The framework provides a structure and means to manage cybersecurity by assembling standards, guidelines, and practices that are working effectively in industry today. The NIST framework is organised along five interconnected functions that are known across the industry as the Cyber Kill Chain: Identify, Protect, Detect, Respond, and Recover.
Implementing the key capabilities of the five NIST components delivers more effective cybersecurity management
Source: Celent analysis of the NIST Cybersecurity Framework
Enterprises can leverage technology to sustain a risk-based approach to cyber-risk management. This requires technologies that enable organisations to monitor complex and large volumes of data and run advanced analytics to identify potential vulnerabilities, incidents, and their impact. Very few firms should be going it alone; organisations need dedicated expert partners and advanced technical capabilities. Treating Cyber-Risk provides a sampling of cybersecurity technology vendors and consulting firms with solutions aligned to the NIST security framework, and highlights the importance of a layered approach to identifying, protecting against, detecting, responding to, and recovering from cyberthreats.
Sampling of cybersecurity technology vendors and consulting firms (not exhaustive)
Source: Celent. This is a selection of vendors and consultancy firms in the cybersecurity financial services space; no review or endorsement of products or services has been undertaken.
The layered approach is reflected in controls mandated by banking regulators. For example, since 2012 the FFIEC has required US financial institutions to implement a layered security programme for high-risk internet-based systems that include fraud detection and monitoring systems, multifactor authentication, enhanced controls over account activities, enhanced control over account maintenance activities, and enhanced customer education.12
Selection of the right security vendor, partner, and/or product is challenging not only because of the complexity of the vendor landscape, but also because the institution is not always certain of what it needs to protect. Siloed purchases, defensive purchases, or bowing to executive pressure to purchase the latest and greatest security tool have proven to be ineffective. The best way to avoid shelfware is to better educate the decision-makers on how breaches happen, why they are not addressed earlier, and what steps prevent a breach. The focus should then be on selecting the right expertise for the issue at hand, and only then purchasing the right product.
At a tactical level, organisations can implement relatively straightforward policies to minimise ransomware and treasury fraud, two of the most prevalent risks facing organisations.
To prevent ransomware from being downloaded through fake application updates, visiting compromised websites, email attachments, or other malware, Europol’s EC3 advises the following measures:
Ransomware dos versus don'ts
Source: Ransomware: What You Need to Know, Europol and Check Point Technologies LTD, 15 December 2016
In its 2017 survey, AFP identified a variety of actions that corporates are taking to defend against attacks. The most frequent action taken is to perform daily reconciliations (74%). Other actions include restricting payments access to company-issued laptops, and not using mobile devices except for emergency situations.
Actions taken to defend against attackers that would compromise security
Source: 2017 AFP Payments Fraud and Control Survey
The most common defensive actions include increasing the frequency of reconciliations and adding security for access to bank services. Banking partners can help treasurers with implementing multifactor authentication, enabling multiple approvals, examining employee entitlements, and reviewing bank connectivity approaches.
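The two controls the report returns to most often, daily reconciliation and a check that the beneficiary account on a payment matches the supplier record on file, can be combined into one routine. The example below is added here for illustration and is not code from the report or from any of the organisations it cites. It reconciles a constructed bank statement against constructed approved payment instructions and a constructed supplier master file, and raises a finding for each of the BEC patterns described above: a debit with no approved instruction, an amount that differs from the instruction, a payment to an account that is not the one on file for that supplier, a recent change to supplier bank details that has not been verified out of band, and an instruction that did not receive the required number of approvals. All identifiers, account numbers and amounts are made up.

```python
"""Daily payment reconciliation with BEC-style red flags (constructed example)."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Supplier:
    supplier_id: str
    name: str
    iban: str                  # bank account held in the supplier master record
    details_changed_on: date   # date the bank details were last changed
    change_verified: bool      # change confirmed by call-back to a known contact


@dataclass(frozen=True)
class Instruction:
    ref: str            # payment reference sent to the bank
    supplier_id: str
    iban: str           # beneficiary account on the instruction
    amount: Decimal
    approvals: int      # number of distinct approvers recorded


@dataclass(frozen=True)
class BankDebit:
    ref: str
    iban: str
    amount: Decimal


@dataclass(frozen=True)
class Finding:
    ref: str
    code: str
    detail: str


def reconcile(suppliers, instructions, debits, run_date,
              min_approvals=2, recent_days=30):
    """Match bank debits to approved instructions and check each instruction
    against the supplier master record. Returns a list of Finding objects."""
    by_supplier = {s.supplier_id: s for s in suppliers}
    by_ref = {i.ref: i for i in instructions}
    findings = []

    # Statement side: every debit must trace back to an approved instruction
    # and agree with it on amount and beneficiary account.
    for d in debits:
        instr = by_ref.get(d.ref)
        if instr is None:
            findings.append(Finding(d.ref, "UNMATCHED_DEBIT",
                                    "debit has no approved instruction"))
            continue
        if d.amount != instr.amount:
            findings.append(Finding(d.ref, "AMOUNT_MISMATCH",
                                    f"bank {d.amount} vs instruction {instr.amount}"))
        if d.iban != instr.iban:
            findings.append(Finding(d.ref, "BENEFICIARY_MISMATCH",
                                    "bank paid a different account than instructed"))

    # Instruction side: the 'alternate account' BEC pattern shows up as a
    # beneficiary that differs from the master record, or as a recent,
    # unverified change to that record.
    for instr in instructions:
        sup = by_supplier.get(instr.supplier_id)
        if sup is None:
            findings.append(Finding(instr.ref, "UNKNOWN_SUPPLIER",
                                    "no master record for supplier"))
        elif instr.iban != sup.iban:
            findings.append(Finding(instr.ref, "BENEFICIARY_NOT_ON_FILE",
                                    f"{instr.iban} is not on file for {sup.name}"))
        elif ((run_date - sup.details_changed_on).days <= recent_days
              and not sup.change_verified):
            findings.append(Finding(instr.ref, "RECENT_UNVERIFIED_CHANGE",
                                    f"bank details of {sup.name} changed on "
                                    f"{sup.details_changed_on} without call-back"))
        if instr.approvals < min_approvals:
            findings.append(Finding(instr.ref, "INSUFFICIENT_APPROVALS",
                                    f"{instr.approvals} of {min_approvals} approvals"))
    return findings


def run_example():
    """Constructed sample data: one clean payment, one paid to an account not
    on file with a single approver, one to a supplier whose details changed
    recently, one amount discrepancy, and one debit nobody approved."""
    suppliers = [
        Supplier("S1", "Acme Ltd", "GB00XXXX0001", date(2017, 1, 10), True),
        Supplier("S2", "Globex GmbH", "DE00XXXX0002", date(2017, 9, 5), False),
    ]
    instructions = [
        Instruction("P-1001", "S1", "GB00XXXX0001", Decimal("12500.00"), 2),
        Instruction("P-1002", "S1", "GB99XXXX0009", Decimal("48000.00"), 1),
        Instruction("P-1003", "S2", "DE00XXXX0002", Decimal("7300.00"), 2),
    ]
    debits = [
        BankDebit("P-1001", "GB00XXXX0001", Decimal("12500.00")),
        BankDebit("P-1002", "GB99XXXX0009", Decimal("48000.00")),
        BankDebit("P-1003", "DE00XXXX0002", Decimal("7300.50")),
        BankDebit("P-1999", "FR00XXXX0099", Decimal("990.00")),
    ]
    return reconcile(suppliers, instructions, debits, date(2017, 9, 12))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.ref}  {f.code:26} {f.detail}")
```

The checks are deliberately ordered so that a payment to an account not on file is reported as such rather than as an approvals problem alone; in practice the BENEFICIARY_NOT_ON_FILE and RECENT_UNVERIFIED_CHANGE findings are the ones that should stop a payment before release, while AMOUNT_MISMATCH and UNMATCHED_DEBIT are what a daily reconciliation against the bank statement catches after the fact.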
Corporate treasurers can learn more about preventing cybercrime and cyberfraud from a number of sources including Interpol, Europol, FBI, National Security Agency (NSA), NIST, and their banking partners. Many banks maintain educational microsites, publish white papers, host webinars, or organise seminars on cybersecurity strategies and tactics.
As proactive cyber-risk management increases, the purchase of cyber risk insurance is also increasing. The MMC Cyber Handbook 2016 states that total annual cyber premiums have reached an estimated USD2 billion and may reach USD20 billion by 2025. The US remains the largest cyber insurance market; nearly 20% of all organisations have cyber insurance, and there are yearly increases in the number of companies purchasing cyber insurance and in the limits purchased.13 Interest in cyber insurance is growing in other markets. For example, a recent Marsh survey of European risk managers found that nearly 25% planned to explore cyber insurance options over the next 24 months, and a survey of UK risk managers shows that 20% of companies are buying insurance.
The Path Forward
Boards and executive management need to look critically at the level of preparedness of their organisation for the increasing risk of cyberattacks and invest to close gaps.14
Cyber-risks are growing in terms of both their sophistication and the frequency of attacks. Fighting cybercrime and cyberfraud requires firms to address new and complex cyber-risk management challenges that will require specialised skills, but the basis of solid protection and robust management starts with leadership from the board and the recognition that cybersecurity is the responsibility of all staff. To set the cyber-risk posture of the organisation, the board and management must determine the balance of how much cyber-risk to accept, how much to spend mitigating the risk, and where to accept and mitigate it.
Six steps to managing cyber-risk: Number one is to start from the top
Source: Oliver Wyman
Overall governance must be sufficiently agile to manage for emerging threat factors, changing user behaviours, and new business opportunities. Institutions should seek to achieve a layered and risk-based approach to cybersecurity: one which goes beyond the technology aspects of cyberdefence and recognises that cyber-risk is an enterprise-wide concern. An organisation’s security strategy will be continually informed by behavioural analysis of risk data and the willingness to evaluate and introduce new cyber-risk management strategies and tactics.
1. Go to Cyber Extremes: What to do when Digitalization Goes Wrong, Claus Herbolzheimer, MMC Cyber Handbook 2016, Marsh & McLennan Companies’ Global Risk Center
2. The Business of Treasury 2017, Association of Corporate Treasurers (ACT), 2017
3. Internet Security Threat Report, Volume 22, Symantec, April 2017
4. WannaCry: hackers withdraw GBP108,000 of bitcoin ransom, Samuel Gibbs, The Guardian, 3 August 2017
5. 2017 AFP Payments Fraud and Control Survey, Association for Financial Professionals
6. US Federal Bureau of Investigation Public Service Announcement, Alert Number I-050417-PSA, 4 May 2017
7. It Took 4 Years to Take Down “Avalanche,” a Huge Online Crime Ring, Lily Hay Newman, Wired, 2 December 2016
8. Europe-wide Action Targets Money Mule Schemes, Europol press release, 1 March 2016
9. UK opts in to new Europol intelligence-sharing programme, Helen Warrell, Financial Times, 14 November 2016
10. About FS-ISAC, accessed 11 September 2017
11. Framework for Improving Critical Infrastructure Cybersecurity, Draft Version 1.1, National Institute of Standards and Technology, 2017
12. FFIEC Supplement to Authentication in an Internet Banking Environment, Financial Institution Letter FIL-50-2011, 29 June 2011
13. The Evolving Cyber Risk Landscape, Alex Wittenberg, MMC Cyber Handbook 2016, Marsh & McLennan Companies’ Global Risk Center
14. Cyber Risk Management: Advancing the Conversation in the Boardroom, Paul Mee, Partner, oliverwyman.com, accessed 15 September 2017
Copyright Notice
CELENT, A DIVISION OF OLIVER WYMAN, INC.
Copyright © 2017 Celent, a division of Oliver Wyman, Inc., which is a wholly owned subsidiary of Marsh & McLennan Companies [NYSE: MMC]. All rights reserved. This report may not be reproduced, copied or redistributed, in whole or in part, in any form or by any means, without the written permission of Celent, a division of Oliver Wyman (“Celent”) and Celent accepts no liability whatsoever for the actions of third parties in this respect. Celent and any third party content providers whose content is included in this report are the sole copyright owners of the content in this report. Any third party content in this report has been included by Celent with the permission of the relevant content owner. Any use of this report by any third party is strictly prohibited without a license expressly granted by Celent. Any use of third party content included in this report is strictly prohibited without the express permission of the relevant content owner. This report is not intended for general circulation, nor is it to be used, reproduced, copied, quoted or distributed by third parties for any purpose other than those that may be set forth herein without the prior written permission of Celent. Neither all nor any part of the contents of this report, or any opinions expressed herein, shall be disseminated to the public through advertising media, public relations, news media, sales media, mail, direct transmittal, or any other public means of communications, without the prior written consent of Celent. Any violation of Celent’s rights in this report will be enforced to the fullest extent of the law, including the pursuit of monetary damages and injunctive relief in the event of any breach of the foregoing restrictions.
This report is not a substitute for tailored professional advice on how a specific financial institution should execute its strategy. This report is not investment advice and should not be relied on for such advice or as a substitute for consultation with professional accountants, tax, legal or financial advisers. Celent has made every effort to use reliable, up-to-date and comprehensive information and analysis, but all information is provided without warranty of any kind, express or implied. Information furnished by others, upon which all or portions of this report are based, is believed to be reliable but has not been verified, and no warranty is given as to the accuracy of such information. Public information and industry and statistical data, are from sources we deem to be reliable; however, we make no representation as to the accuracy or completeness of such information and have accepted the information without further verification.
Celent disclaims any responsibility to update the information or conclusions in this report. Celent accepts no liability for any loss arising from any action taken or refrained from as a result of information contained in this report or any reports or sources of information referred to herein, or for any consequential, special or similar damages even if advised of the possibility of such damages.
There are no third party beneficiaries with respect to this report, and we accept no liability to any third party. The opinions expressed herein are valid only for the purpose stated herein and as of the date of this report.
No responsibility is taken for changes in market conditions or laws or regulations and no obligation is assumed to revise this report to reflect changes, events or conditions, which occur subsequent to the date hereof.
This report was commissioned by HSBC Bank Plc. ("HSBC") at whose request Celent developed this research. The analysis, conclusions and opinions are Celent's alone, and HSBC had no editorial control over the report contents.
No responsibility or liability is accepted by HSBC for the contents of this report (including any errors of fact or omission or for any opinion expressed herein), for any reliance placed upon it, or for any loss or damage arising out of the use of all or part of this report.