Part 1 The short-term: dealing with heightened cyber risk
As the global Covid-19 pandemic took hold, treasury teams implemented business continuity plans, secured liquidity, and in countries where lockdowns were imposed, set up new ways of working remotely for employees. This dramatic shift from working in an office to working from home affected thousands of organisations and millions of employees.
Because of remote working, firms have had to find creative ways to collaborate and engage with team members, clients and third party suppliers, turning to digital ecosystems and messaging platforms. Digital technologies such as virtual private networks (VPNs), videoconferencing, voice over internet, cloud and work collaboration tools played an important role in enabling this shift. Additionally, organisations started exploring different ways of exchanging information by using APIs and third party software-as-a-service (SaaS) platforms that offer secure workspaces.
At the same time, more firms embraced e-commerce, extending distribution channels and for some, enabling online transactions for the first time. Many organisations that had not previously used digital channels, rushed to implement these, adding more users and services, and moving away from the paper-based banking experience.
Some organisations quickly pivoted to outsourcing critical treasury operations, such as accounts payable, to banks, as a duty of care for their employees who were unable to physically make the payments themselves. This required rapidly setting up digital workflows with banking partners, as well as ways to maintain oversight and control of outsourced activity.
The pandemic is a tipping point: organisations now realise that they can no longer delay their digital journey; treasury teams recognise the efficiencies that digitisation delivers and are also more conscious about cybersecurity. Risks are inherent in any activity and, to mitigate them, firms should seek the right partners who can increase their understanding of cybersecurity and the precautions they must take.
HSBC itself had, within ten days, strengthened the capacity of its virtual private network (VPN) in the UK to enable around 60,000 staff to work remotely.
Immediate considerations for organisations wanting to build cybersecurity resilience are:
Before an organisation does anything, it must demystify cybersecurity, educating treasury teams about their roles and responsibilities. Cybersecurity is not an issue that should be left to the ‘professionals’.
88 per cent of attacks come into an organisation via internal staff, according to the UK Information Commissioner’s Office (ICO).
Everyone within an organisation must be aware of the risks and what to look out for. Treasury teams should also talk to their banks about the cyberattacks they are seeing and what precautions can be taken to prevent similar attacks in their organisation.
Giving staff a checklist of points to remember, which can be updated to reflect current threats, will supplement these education efforts. Such points could include:
- A bank officer will never phone you and ask for your security credentials
- If a supplier asks you to change their sort code and account number, do not do it on the basis of an email. Always phone your contact to check
- Do not assume the person you are conversing with in an email or on the phone is the person you think it is. Always check
- Never click on a hyperlink or attachment within an email.
Culture and the human factor:
Given that 88 per cent of cyberattacks are the result of human error, ensuring cybersecurity procedures are understood and regularly updated is imperative. While staff at some firms are returning to their offices, many other organisations will continue to operate on a remote basis for the foreseeable future.
Cybercriminals are sophisticated – it is their role to fool people. While a treasury team may employ technology such as artificial intelligence to monitor activity and spot unusual transactions, if a member of the team believes they are creating a valid payment, the technology will not always help.
In the UK, the Confirmation of Payee procedure has been introduced to strengthen authentication [1]. The procedure is designed to give greater assurance that payments are being made to the intended recipient by checking the beneficiary name and account number before payment is made.
This step is not a ‘one shot’ solution; the cybersecurity culture of an organisation is something that must be reviewed and updated on a continuous basis as circumstances change.
Part 2 Locking-in the lockdown lessons – measures for the medium term
Once an organisation has laid the foundations of cybersecurity education and culture, it can look to implement more detailed steps to create contingency procedures in the event of a cyber attack.
Conduct a cybersecurity and business process audit: Review and evaluate changes to policies, processes and tools made during the early days of the pandemic, when the primary focus was to enable the business to become operational quickly. Treasurers should review the actions taken at the start of the pandemic and identify any potential security weak spots that need to be addressed. Additionally, review service levels that were received from banks during the pandemic, to determine whether there were gaps or expectations that were not met satisfactorily.
Work with your banks to identify how existing processes need to shift, and which areas of potential weakness were uncovered during the height of the pandemic. Where there is an opportunity to improve processes, ensure that these are regularly reviewed and updated to address the constantly changing risk environment.
Enhance the business continuity plan (BCP): Most BCPs would not have included provisions for widespread remote working and the heightened cybersecurity risk that accompanied it. Improving a BCP should focus on three elements:
- Secure home working
- Secure corporate infrastructure
- Secure treasury processes
Conduct counterparty risk assessment: As cyberattacks increased during the pandemic, it is more likely that the infrastructure of counterparties may have been compromised. In an ever-more interconnected world, firms should consider conducting a full counterparty cybersecurity risk assessment. Elements to consider include:
- Embed third-party risk management into onboarding and ongoing management processes
- Ensure open communication with third parties whose systems are embedded in treasury systems so treasury teams can be quickly informed of any attack and take appropriate action to protect their own systems from contamination
- Contracts with third parties should include an obligation to notify the treasury team in the event of a cyberattack
- Implement a ‘kill switch’ in the treasury system for third-party applications that will enable treasury teams to disable a compromised connection
- Implement regular penetration testing conducted by independent third parties
- Talk to banking partners and FinTechs about the frameworks that are applied to cybersecurity. As regulated entities, banks should have a multi-layered security architecture
- For financial institutions, evaluate a correspondent bank’s cybersecurity investment, risk appetite and staff and customer policies in force, to gauge the level of preparedness for attacks. Consider approaching counterparty cybersecurity risk assessment with the same level of rigour applied to counterparty credit risk assessment.
Establish cybersecurity governance: Cybersecurity governance begins with a specialist person or team who should develop a set of policies and procedures for the organisation. Once those have been established, a control framework that sets standards for the organisation can be built. This might include a provision that the organisation always uses end-to-end encryption, for example. A long list of policies and procedures needs to be in place both at the technology level and also within the treasury team itself. These will set controls, over which there should be independent oversight. Such oversight should include regular spot checks.
Part 3 Resilience and looking to the longer-term
The pandemic exposed shortcomings in cybersecurity for many organisations. Looking to the long-term, companies should focus on building cyber-resilience, baking cybersecurity into their digital transformation agenda.
- Create a cybersecurity culture
- Cybersecurity by design
- Future-proofing and securing treasury infrastructure
Part 4 Looking back to move forward – support in a rapidly changing world
The network of the future, where remote connections are the norm, has arrived faster than anyone expected due to Covid-19. The financial services sector has responded with speed and resilience, making use of telecommunications infrastructure and tools to empower remote workers, launch digital services and scale contact centre capabilities to stay connected with their customers—all on a foundation of highly secure remote access. Going forward, we urge financial sector organisations of all sizes to consolidate these gains and enable future business growth by taking a holistic approach to security that spans people, process and technology.
– Bernard Yee, Region President, Asia Pacific & Canada, AT&T
The Covid-19 pandemic has highlighted the never-ending threat of cyberattack. The rise in attacks during the pandemic demonstrated that cybercriminals are relentless in their attempts to exploit weaknesses in organisations’ security.
HSBC recognises that cybersecurity is not solely a technology issue – it also involves people. By embedding cybersecurity controls end-to-end into our applications we can move quickly in delivering secure services to our clients, while also protecting the bank itself. As a regulated entity, we have also committed to regulators to constantly educate our clients on cybersecurity and how they can protect their organisations.
HSBC takes cybersecurity seriously, recognising our responsibilities to continually invest in cybersecurity technologies and processes to build a cybersecurity-aware culture, embedded in our processes. Additionally, HSBC works closely with clients, highlighting the risks to consider and the best practice to mitigate such risks.
HSBC’s global expertise allows it to harness cybersecurity best practices from offices around the world. This is enabling the bank to continually create the best environment possible for the bank and its clients to guard against cyber threats and attacks.
The pandemic has pushed remote connectivity up the agenda for corporations at a time when the advent of 5G technologies promises to deliver greater capabilities. US telecommunications giant AT&T, which formed a Cybersecurity business unit, says corporations can take a “proactive” stance by anticipating the security requirements that come with 5G [2].
Many of the likely cyber attacks on 5G networks will be the same as those encountered today, relying on familiar vulnerabilities and known attack methods. By strengthening existing defences and continually updating processes and cyber defence education, corporations can help mitigate the risks associated with the new technology.
Creating a 5G security posture means understanding the potential for new threats and putting up the right tools for a solid defence, says AT&T.
From reaction to action – responsiveness and resilience in a pandemic: building cyber resilience

The short-term reaction – building cyber resilience
- A shift to digital channels: remote working and the rise in e-commerce highlighted the importance of digital transformation
- Increased awareness of cybersecurity: treasury teams are more conscious of cyber risks
- Education and the human factor: ensuring staff know their roles, responsibilities and procedures

Locking-in the lockdown lessons – measures for the medium term
Building on the foundations of cybersecurity education and culture, treasury teams should put in place contingency procedures to mitigate the risks arising from a cyberattack.
- Cybersecurity and business process audit: review and evaluate changes to policies, processes and tools, and identify potential security weaknesses. Review bank service levels to address the constantly changing risk environment
- Enhance the BCP: include provisions for remote working and heightened cybersecurity risk. Focus on securing three elements – home working, corporate infrastructure and treasury processes
- Counterparty risk assessment: in an ever-more interconnected world, firms should consider conducting a full counterparty cybersecurity risk assessment
- Cybersecurity governance: deploy specialists to develop policies and procedures on which to build a control framework

Resilience and looking to the longer-term
The pandemic exposed shortcomings in cybersecurity; companies should build cyber resilience, baking cybersecurity into their digital transformation agenda.
- Create a cybersecurity culture
- Cybersecurity by design
- Future-proof and secure treasury infrastructure

Looking back to move forward – support in a rapidly changing world
- Cybercriminals are relentless: work with the right partners to mitigate risks
- Do not forget people: cybersecurity is not just about technology – invest in training your workforce
- Be cyber aware: embed cybersecurity awareness into treasury processes and the culture. Seek out best practice
[2] Security at the Speed of 5G, AT&T Cybersecurity Insights Report, AT&T, 2019.
Published: November 2020. For Professional Clients and Eligible counterparties only. Not for Retail customers. Issued by HSBC Bank plc, 8 Canada Square, London E14 5HQ. Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.
All information is subject to local regulations.
Registered in England No 14259
Member HSBC Group