From reaction to action – responsiveness and resilience in a pandemic

    Part 1 The short-term: dealing with heightened cyber risk

    As the global Covid-19 pandemic took hold, treasury teams implemented business continuity plans, secured liquidity, and in countries where lockdowns were imposed, set up new ways of working remotely for employees. This dramatic shift from working in an office to working from home affected thousands of organisations and millions of employees.

    Because of remote working, firms have had to find creative ways to collaborate and engage with team members, clients and third-party suppliers, turning to digital ecosystems and messaging platforms. Digital technologies such as virtual private networks (VPNs), videoconferencing, voice over IP, cloud services and collaboration tools played an important role in enabling this shift. Additionally, organisations started exploring different ways of exchanging information, using APIs and third-party software-as-a-service (SaaS) platforms that offer secure workspaces.

    At the same time, more firms embraced e-commerce, extending distribution channels and, for some, enabling online transactions for the first time. Many organisations that had not previously used digital channels rushed to implement them, adding more users and services and moving away from paper-based banking.

    Some organisations quickly pivoted to outsourcing critical treasury operations, such as accounts payable, to their banks, as a duty of care to employees who were unable to make the payments themselves while working remotely. This required rapidly setting up digital workflows with banking partners, as well as ways to maintain oversight and control of the outsourced activity.

    The pandemic is a tipping point: organisations now realise that they can no longer delay their digital journey. Treasury teams recognise the efficiencies that digitisation delivers and are also more conscious of cybersecurity. Risk is inherent in any activity; to mitigate it, firms should seek partners who can deepen their understanding of cybersecurity and of the precautions they must take.


    HSBC itself had, within ten days, strengthened the capacity of its virtual private network (VPN) in the UK to enable around 60,000 staff to work remotely.

    Immediate considerations for organisations wanting to build cybersecurity resilience are:

    Education:

    Before an organisation does anything else, it must demystify cybersecurity, educating treasury teams about their roles and responsibilities. Cybersecurity is not an issue that should be left to the ‘professionals’.

    88 per cent of attacks come into an organisation via internal staff, according to the UK Information Commissioner’s Office (ICO).

    Everyone within an organisation must be aware of the risks and what to look out for. Treasury teams should also talk to their banks about the cyberattacks they are seeing and what precautions can be taken to prevent similar attacks in their organisation.

    Giving staff a checklist of points to remember, which can be updated to reflect current threats, will supplement these education efforts. Such points could include:

    • A bank officer will never phone you and ask for your security credentials
    • If a supplier asks you to change their sort code and account number, do not act on an email alone. Always phone a known contact, on a number you already hold rather than one given in the email, to confirm the change
    • Do not assume the person you are conversing with by email or on the phone is who they claim to be. Always check
    • Do not click on hyperlinks or open attachments in unexpected or unverified emails.

    Culture and the human factor:

    Given that, by the ICO figure above, 88 per cent of attacks enter through staff, ensuring cybersecurity procedures are understood and regularly updated is imperative. While staff at some firms are returning to their offices, many other organisations will continue to operate remotely for the foreseeable future.

    Cybercriminals are sophisticated; fooling people is their business. A treasury team may employ technology such as artificial intelligence to monitor activity and spot unusual transactions, but if a member of the team genuinely believes they are creating a valid payment and submits it through the normal approved workflow, the technology will not always catch it.


    In the UK, Confirmation of Payee has been introduced to strengthen checks on the beneficiary [1]. Before a payment is made, the name the payer has entered is checked against the name held on the account identified by the sort code and account number, and the payer is told whether it matches, nearly matches or does not match. A match confirms that the account is held under that name, not that the payment request itself is genuine, so the out-of-band call to a known supplier contact is still needed when bank details change.

    This step is not a ‘one shot’ solution; the cybersecurity culture of an organisation is something that must be reviewed and updated on a continuous basis as circumstances change.

    Part 2 Locking-in the lockdown lessons – measures for the medium term

    Once an organisation has laid the foundations of cybersecurity education and culture, it can implement more detailed steps to create contingency procedures in the event of a cyberattack.

    Step 1

    Conduct a cybersecurity and business process audit: Review and evaluate the changes to policies, processes and tools made during the early days of the pandemic, when the primary focus was to get the business operational quickly, and identify any security weak spots introduced in that rush that now need to be addressed. Additionally, review the service levels received from banks during the pandemic to determine whether there were gaps or expectations that were not met.

    Work with your banks to identify how existing processes need to shift, and which areas of potential weakness were uncovered during the height of the pandemic. Where there is an opportunity to improve processes, ensure that these are regularly reviewed and updated to address the constantly changing risk environment.

    Step 2

    Enhance the BCP: Most BCPs would not have included provisions for widespread remote working and the heightened cybersecurity risk that accompanied it. Improving a BCP should focus on three elements:

    The three elements are secure home working, secure corporate infrastructure and secure treasury processes. Measures to consider include:
    • Make sure all services that treasury teams use are available via more than one digital platform (e.g. browser and host-to-host)
    • Ensure staff access the organisation only through approved laptops and networks
    • If staff use their own devices, ensure banking apps run only on devices protected against malware (up-to-date operating system and endpoint protection)
    • Enhance protection and protocols, including authenticated, encrypted channels with partner banks through which authorised signatories submit digital instructions
    • Explore secure ways of collaborating and engaging with counterparties beyond standard email, for example via secure messaging platforms, SaaS workspaces, APIs, etc.
    • Require VPN or equivalent access to systems
    • Never allow team members to reach the digital treasury platform directly over their home internet connection, bypassing the VPN or equivalent controlled route
    • Do not rely on one technology/telecoms provider. Always have a network connectivity backup
    • Ensure team members know what to do in the case of an attack, including who to phone at the bank, how to chase money, how to block transactions and how to close systems
    • Check that the entitlements and permissions of all users are set appropriately
    • Reduce dependence on paper and on the postal service
    • Ensure team members have backup in case of absence or remote access issues. Check that backup staff do not use the same broadband provider
    • For processes that have been outsourced, ensure sufficient oversight and control over outsourced workflows.
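    An added example, not code from this page or from HSBC's or any bank's actual channel, of the authentication half of such a channel (encryption in transit, e.g. TLS, is assumed and not shown): each instruction from an authorised signatory is wrapped with an issue time and a nonce and signed with HMAC-SHA256 under a per-signatory shared secret, and the receiving side rejects altered, stale and replayed instructions. The signatory identifier, secret, field names and freshness window are assumptions made for the illustration; the scenario in demo() is the beneficiary-detail swap the Part 1 checklist warns about.

```python
"""Authenticated payment instruction: sign, then reject tampering, staleness and replay.

Added illustration, not HSBC's or any bank's protocol. Assumptions: one shared
secret per authorised signatory (held in a vault/HSM in practice), HMAC-SHA256
over a canonical JSON encoding, a freshness window and a nonce log on the
receiving side. Transport encryption (TLS) is assumed and not shown.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed key store: signatory id -> shared secret (demo value only).
SIGNATORY_KEYS = {"treasurer-01": b"demo-secret-do-not-reuse"}

MAX_SKEW_SECONDS = 300  # reject instructions issued more than 5 minutes from 'now'


def canonical(body: dict) -> bytes:
    """Deterministic encoding so signer and verifier MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_instruction(signatory: str, instruction: dict, now: Optional[float] = None) -> dict:
    """Attach signatory, issue time and a fresh nonce, then MAC the whole body."""
    body = dict(instruction)
    body["signatory"] = signatory
    body["issued_at"] = int(now if now is not None else time.time())
    body["nonce"] = secrets.token_hex(16)
    mac = hmac.new(SIGNATORY_KEYS[signatory], canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class InstructionVerifier:
    """Receiving side: MAC first, then freshness, then uniqueness of the nonce."""

    def __init__(self) -> None:
        self.seen_nonces = set()

    def verify(self, message: dict, now: Optional[float] = None):
        body = message.get("body", {})
        key = SIGNATORY_KEYS.get(body.get("signatory"))
        if key is None:
            return False, "unknown signatory"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        # compare_digest: constant-time comparison, so the MAC cannot be guessed byte by byte
        if not hmac.compare_digest(expected, message.get("mac", "")):
            return False, "MAC mismatch: instruction altered or wrongly signed"
        now = now if now is not None else time.time()
        if abs(now - body["issued_at"]) > MAX_SKEW_SECONDS:
            return False, "instruction outside freshness window"
        if body["nonce"] in self.seen_nonces:
            return False, "replay: nonce already accepted"
        self.seen_nonces.add(body["nonce"])
        return True, "accepted"


def demo() -> list:
    """Genuine, tampered, replayed and delayed submissions of one constructed instruction."""
    verifier = InstructionVerifier()
    t0 = 1_700_000_000
    msg = sign_instruction("treasurer-01", {
        "beneficiary": "Acme Supplies Ltd", "sort_code": "40-00-00",
        "account": "12345678", "amount": "12500.00", "currency": "GBP",
    }, now=t0)
    results = [verifier.verify(msg, now=t0 + 10)[1]]
    # Interceptor swaps the account number (the supplier-detail fraud from the checklist).
    tampered = json.loads(json.dumps(msg))
    tampered["body"]["account"] = "87654321"
    results.append(verifier.verify(tampered, now=t0 + 20)[1])
    # The genuine message submitted a second time.
    results.append(verifier.verify(msg, now=t0 + 30)[1])
    # The genuine message held back and submitted an hour later.
    results.append(verifier.verify(msg, now=t0 + 3600)[1])
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

    The order of checks matters: the MAC is verified before anything in the body is trusted, and the nonce is recorded only once a message has passed every other check, so a rejected message cannot poison the replay log.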

    Step 3

    Conduct a counterparty risk assessment: Cyberattacks increased during the pandemic, so it is more likely that the infrastructure of one or more counterparties has been compromised. In an ever-more interconnected world, firms should consider conducting a full counterparty cybersecurity risk assessment. Elements to consider include:

    • Embed third-party risk management into onboarding and ongoing management processes
    • Ensure open communication with third parties whose systems are embedded in treasury systems so treasury teams can be quickly informed of any attack and take appropriate action to protect their own systems from contamination
    • Contracts with third parties should include an obligation to notify the treasury team in the event of a cyberattack
    • Implement a ‘kill switch’ in the treasury system for third-party applications that will enable treasury teams to disable a compromised connection
    • Implement regular penetration testing conducted by independent third parties
    • Talk to banking partners and FinTechs about the frameworks that are applied to cybersecurity. As regulated entities, banks should have a multi-layered security architecture
    • For financial institutions, evaluate a correspondent bank’s cybersecurity investment, risk appetite and the staff and customer policies in force, to gauge its level of preparedness for attacks. Consider approaching counterparty cybersecurity risk assessment with the same rigour applied to counterparty credit risk assessment.

    Step 4

    Establish cybersecurity governance: Cybersecurity governance begins with a specialist person or team who should develop a set of policies and procedures for the organisation. Once those have been established, a control framework that sets standards for the organisation can be built. This might include a provision that the organisation always uses end-to-end encryption, for example. A long list of policies and procedures needs to be in place both at the technology level and also within the treasury team itself. These will set controls, over which there should be independent oversight. Such oversight should include regular spot checks.
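    An added example of the kind of spot check such oversight should include, not code from the page or from any treasury platform: it runs a segregation-of-duties and dormancy review over a constructed entitlement export, then counts the approvers left once flagged accounts are excluded. The users, permission names, toxic combinations and 90-day dormancy threshold are assumptions made for the illustration.

```python
"""Entitlement spot check: segregation of duties, dormant accounts, approver headroom.

Added illustration, not the page's or any bank's code. Assumes a constructed
export of user entitlements (user, perms, last login) and a policy that no
single user may both create and approve payments or hold admin rights alongside
payment rights, and that accounts idle for more than 90 days are flagged.
"""
from datetime import date

# Constructed entitlement export, as a treasury system might produce it (review date 2020-11-01).
ENTITLEMENTS = [
    {"user": "a.smith", "perms": {"payment.create"}, "last_login": "2020-10-28"},
    {"user": "b.jones", "perms": {"payment.approve"}, "last_login": "2020-10-29"},
    {"user": "c.lee", "perms": {"payment.create", "payment.approve"}, "last_login": "2020-10-30"},
    {"user": "d.khan", "perms": {"user.admin", "payment.approve"}, "last_login": "2020-10-27"},
    {"user": "e.ross", "perms": {"payment.approve"}, "last_login": "2020-03-15"},
    {"user": "svc-erp", "perms": {"payment.create"}, "last_login": "2020-10-30"},
]

# Permission sets that must never be held by one user (segregation of duties).
TOXIC_COMBINATIONS = [
    ({"payment.create", "payment.approve"}, "can create and approve the same payment"),
    ({"user.admin", "payment.approve"}, "can grant itself rights and approve payments"),
    ({"user.admin", "payment.create"}, "can grant itself rights and create payments"),
]
DORMANT_DAYS = 90


def review_entitlements(entries, today_iso):
    """Return (user, category, reason) findings for SoD breaches and dormant accounts."""
    today = date.fromisoformat(today_iso)
    findings = []
    for e in entries:
        for combo, why in TOXIC_COMBINATIONS:
            if combo <= e["perms"]:  # user holds every permission in the toxic set
                findings.append((e["user"], "SOD", why))
        idle = (today - date.fromisoformat(e["last_login"])).days
        if idle > DORMANT_DAYS:
            findings.append((e["user"], "DORMANT", f"no login for {idle} days"))
    return findings


def clean_approvers(entries, findings):
    """Approvers left once flagged users are excluded; four-eyes needs at least two."""
    flagged = {user for user, _, _ in findings}
    return [e["user"] for e in entries
            if "payment.approve" in e["perms"] and e["user"] not in flagged]


def demo(today_iso="2020-11-01"):
    findings = review_entitlements(ENTITLEMENTS, today_iso)
    return findings, clean_approvers(ENTITLEMENTS, findings)


if __name__ == "__main__":
    found, approvers = demo()
    for user, category, reason in found:
        print(f"{category:8} {user:10} {reason}")
    # A single remaining clean approver means dual authorisation cannot run without
    # either fixing the flagged accounts or provisioning a backup approver.
    print("clean approvers:", approvers)
```

    On the constructed data the review leaves one usable approver, which is the finding that matters: the control framework may require dual authorisation on paper while the entitlements make it impossible in practice.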

    Part 3 Resilience and looking to the longer-term

    The pandemic exposed shortcomings in cybersecurity for many organisations. Looking to the long-term, companies should focus on building cyber-resilience, baking cybersecurity into their digital transformation agenda.

    Create a cybersecurity culture
    • A cybersecurity culture must be built into treasury processes rather than bolted on and should permeate the treasury infrastructure
    • Ensure staff are educated and informed via mandatory training, from the very highest levels down
    • Create a cybersecurity domain within the company’s intranet on which articles can be published and relevant information disseminated. (HSBCnet includes a cybersecurity centre that contains use cases, information and advice for clients)
    • Encourage staff to raise issues and concerns. Do not create a ‘blame culture’
    • Reinforce internal cybersecurity messages. Ensure constant and ongoing team discourse on cybersecurity, reinforcing the need for constant vigilance regardless of working environment
    • Communicate each team member’s responsibility and accountability by empowering staff to feel a sense of ownership of the business, thereby encouraging them to protect it.

    Cybersecurity by design
    • Design treasury processes with cybersecurity in mind
    • Work with a partner bank that adopts a security-by-design approach in product and service innovation
    • As new applications are built, ensure IT security staff review and assess each application before it goes live, so that any security issues have been dealt with
    • Implement third-party penetration testing (ethical hacking)
    • Ensure entitlements and controls within a digital platform are well understood.

    Future-proofing and securing treasury infrastructure
    • Optimise the use of available technology such as ERP and treasury management systems to ensure process consistency, minimising the risks of manual data entry methods such as Excel
    • Apply a recognised security standard, such as the NIST Cybersecurity Framework, to infrastructure, frameworks and controls
    • Include cybersecurity considerations in long-term planning for the treasury
    • Include cybersecurity insurance
    • Utilise technology such as AI and big data analysis to flag suspicious account/user behaviour and similar threats and potential attacks
    • Explore the use of blockchain to eventually make machine-to-machine payments, reducing human touchpoints and limiting opportunities for fraud.
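    An added example, not code from the page or from HSBC's platform, of the rule-based end of flagging suspicious account and user behaviour: a scorer replayed over constructed audit log lines that flags first payments to a beneficiary, amounts far above that beneficiary's history, payments soon after the beneficiary's details were changed, out-of-hours submission and self-approval. The key=value log format, the thresholds and the business-hours window are assumptions made for the illustration; a real deployment tunes them against its own data, and a model-based approach would learn the baselines these rules hard-code.

```python
"""Flag suspicious payments from audit log lines with a few explicit rules.

Added illustration, not the page's or HSBC's code. The key=value log format,
the thresholds and the business-hours window are assumptions; the log lines
are constructed for the example.
"""
from datetime import datetime

# Constructed audit log, one event per line. Two beneficiaries have a payment
# history; on 29 Oct acme-ltd's account details are changed and a large
# out-of-hours, self-approved payment follows to the new account.
LOG = """\
2020-10-26T10:02:11Z event=payment user=a.smith approver=b.jones beneficiary=acme-ltd account=40-00-00/12345678 amount=4100.00
2020-10-27T11:15:40Z event=payment user=a.smith approver=b.jones beneficiary=acme-ltd account=40-00-00/12345678 amount=3950.00
2020-10-28T09:48:05Z event=payment user=a.smith approver=b.jones beneficiary=northwind account=20-11-22/33445566 amount=880.00
2020-10-29T16:20:00Z event=beneficiary_change user=a.smith beneficiary=acme-ltd account=60-99-88/77665544
2020-10-29T22:41:17Z event=payment user=a.smith approver=a.smith beneficiary=acme-ltd account=60-99-88/77665544 amount=39000.00
2020-10-30T10:05:00Z event=payment user=a.smith approver=b.jones beneficiary=globex account=11-22-33/44556677 amount=500.00
"""

CHANGE_WINDOW_DAYS = 7         # payments this soon after a detail change get a flag
AMOUNT_MULTIPLIER = 3.0        # flag amounts above 3x the beneficiary's previous maximum
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 UTC counts as in-hours


def parse(line):
    """'<timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def score_payments(log_text):
    """Replay the log in order; return (timestamp, beneficiary, reasons) for flagged payments."""
    history = {}      # beneficiary -> amounts previously paid
    last_change = {}  # beneficiary -> when its details were last changed
    flagged = []
    for line in log_text.splitlines():
        rec = parse(line)
        name = rec["beneficiary"]
        if rec["event"] == "beneficiary_change":
            last_change[name] = rec["ts"]
            continue
        amount = float(rec["amount"])
        reasons = []
        past = history.get(name, [])
        if not past:
            reasons.append("first payment to this beneficiary")
        elif amount > AMOUNT_MULTIPLIER * max(past):
            reasons.append(f"amount {amount:.2f} exceeds {AMOUNT_MULTIPLIER:g}x previous maximum {max(past):.2f}")
        if name in last_change and (rec["ts"] - last_change[name]).days < CHANGE_WINDOW_DAYS:
            reasons.append(f"beneficiary details changed within the last {CHANGE_WINDOW_DAYS} days")
        if rec["ts"].hour not in BUSINESS_HOURS:
            reasons.append("submitted outside business hours")
        if rec["user"] == rec["approver"]:
            reasons.append("created and approved by the same user")
        history.setdefault(name, []).append(amount)  # update the baseline after scoring
        if reasons:
            flagged.append((rec["ts"].isoformat(), name, reasons))
    return flagged


if __name__ == "__main__":
    for when, name, reasons in score_payments(LOG):
        print(f"{when} {name}: " + "; ".join(reasons))
```

    First payments to a new beneficiary are flagged on purpose, as they are in most treasury controls; the payment to review is the one that accumulates several reasons at once, which is exactly the pattern a deceived but well-meaning clerk produces after a fraudulent change-of-details request.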

    Part 4 Looking back to move forward – support in a rapidly changing world

    The network of the future, where remote connections are the norm, has arrived faster than anyone expected due to Covid-19. The financial services sector has responded with speed and resilience, making use of telecommunications infrastructure and tools to empower remote workers, launch digital services and scale contact centre capabilities to stay connected with their customers—all on a foundation of highly secure remote access. Going forward, we urge financial sector organisations of all sizes to consolidate these gains and enable future business growth by taking a holistic approach to security that spans people, process and technology.

    – Bernard Yee, Region President, Asia Pacific & Canada, AT&T

     

    The Covid-19 pandemic has highlighted the never-ending threat of cyberattack. The rise in attacks during the pandemic demonstrated that cybercriminals are relentless in their attempts to exploit weaknesses in organisations’ security.

    HSBC recognises that cybersecurity is not solely a technology issue – it also involves people. By embedding cybersecurity controls end-to-end into our applications we can move quickly in delivering secure services to our clients, while also protecting the bank itself. As a regulated entity, we have also committed to regulators to constantly educate our clients on cybersecurity and how they can protect their organisations.

    HSBC takes cybersecurity seriously, recognising its responsibility to invest continually in cybersecurity technologies and processes and to build a cybersecurity-aware culture embedded in its own processes. Additionally, HSBC works closely with clients, highlighting the risks to consider and the best practice to mitigate them.

    HSBC’s global expertise allows it to harness cybersecurity best practices from offices around the world. This is enabling the bank to continually create the best environment possible for the bank and its clients to guard against cyber threats and attacks.

    The pandemic has pushed remote connectivity up the agenda for corporations at a time when the advent of 5G technologies promises to deliver greater capabilities. US telecommunications giant AT&T, which formed a Cybersecurity business unit, says corporations can take a “proactive” stance by anticipating the security requirements that come with 5G [2].

    Many of the likely cyber attacks on 5G networks will be the same as those encountered today, relying on familiar vulnerabilities and known attack methods. By strengthening existing defences and continually updating processes and cyber defence education, corporations can help mitigate the risks associated with the new technology.

    Creating a 5G security posture means understanding the potential for new threats and putting up the right tools for a solid defence, says AT&T.

    Infographic: From reaction to action – responsiveness and resilience in a pandemic

    Building cyber resilience

    The short-term reaction – building cyber resilience


    A shift to digital channels
    Remote working and rise in e-commerce highlighted importance of digital transformation

    Increased awareness of cybersecurity
    Treasury teams more conscious of cyber risks

    Education and the human factor
    Ensuring staff know their roles, responsibilities and procedures

    Locking-in the lockdown lessons – measures for the medium term

    Building on the foundations of cybersecurity education and culture, treasury teams should put in place contingency procedures to mitigate the risks arising from a cyberattack


    Cybersecurity and business process audit
    Review and evaluate changes to policies, processes and tools, identify potential security weaknesses. Review bank service levels to address constantly changing risk environment

    Enhance the BCP
    Include provisions for remote working and heightened cybersecurity risk. Focus on securing 3 elements – home working, corporate infrastructure and treasury processes

    Counterparty risk assessment
    In an ever-more interconnected world, firms should consider conducting a full counterparty cybersecurity risk assessment

    Cybersecurity governance
    Deploy specialists to develop policies and procedures on which to build a control framework

    Resilience and looking to the longer-term

    The pandemic exposed shortcomings in cybersecurity; companies should build cyber resilience, baking cybersecurity into their digital transformation agenda

    • Create a cybersecurity culture
    • Cybersecurity by design
    • Future-proof and secure treasury infrastructure

    Looking back to move forward – support in a rapidly changing world

    Stay alert
    Cybercriminals are relentless; work with the right partners to mitigate risks

    Do not forget people
    Cybersecurity is not just about technology – invest in training your workforce

    Be cyber aware
    Embed cybersecurity awareness into treasury processes and the culture. Seek out best practice

     

    [1] UK Finance, Confirmation of Payee, www.ukfinance.org.uk/confirmation-of-payee

    [2] AT&T, Security at the Speed of 5G, AT&T Cybersecurity Insights Report (2019)

    Published: November 2020. For Professional Clients and Eligible counterparties only. Not for Retail customers. Issued by HSBC Bank plc, 8 Canada Square, London E14 5HQ. Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.
