Corporate treasurers have an important and unique leadership role to play in building cyber resilience as the centre of expertise for risk management and balance sheet strength, as well as being the custodian of sensitive data related to payments.
Looking at the preparation and incident response trends of recent years, what can the treasurer do differently?
Managing up
The first thing that a treasurer can do is lobby to ensure that cyber security is part of the Audit and Risk Committee’s agenda as much as liquidity, credit or market risk. As it is impossible to totally prevent a security incident, cyber security cannot be a “one and done” and is instead better maintained as a standing item.
Embedding such ongoing strategic governance will not just set the tone that cyber resilience matters but also ensures a common understanding of what this refers to: cyber security is the way in which we reduce the risk of a cyber-attack and ensure that our organisation is protected.
Secondly, one must understand where and how cyber risk has been managed to date. A word of warning, this could well uncover a patchwork. For example, there could be mixtures of individual business units managing this for each of their operations, the General Counsel’s office as part of the adoption of GDPR, and the organisation’s Chief Information Security Officer (CISO) from a systems lens.
Only by understanding this landscape of responsibility and accountability can the treasurer embed resilience.
Managing from within
The treasury and wider finance division need to have sufficient understanding to constructively engage on cyber resilience and response.
This can be achieved through a team whiteboarding session. Opening the floor to facilitate a self-assessment of processes owned by, as well as those adjacent to, the treasury team will quickly, easily and cheaply uncover the current state of understanding and preparedness.
The cyber security pillars of Defend, Anticipate and Engage can be applied as a framework to facilitate this:
Defend
It is important to proactively manage the treasury technology stack in addition to the processes in place from IT and the CISO’s office, such as email filtering. For example, are all systems or platforms owned by treasury patched, up to date and coming with a systematic approach to on/offboarding employees? If so, when did we last test this, or verify that principle of least privilege is in place?
Anticipate
The key to being prepared for a cyber incident is mastering the basics and aligning with existing treasury operational risk processes. Steps such as ensuring that your response plan is backed up in a logically or geographically separate way (a backup in the same location will almost certainly be targeted in an attack) - including the specific requirements of treasury is the best way to enhance resilience.
At a minimum, this should include internal (e.g. CISO and shared services partners) and external (cash management banks and lenders) contact details, as well as the criteria for triaging payments and reconciliation of the most important transactions in a contingency scenario.
Engage
People are and always will be the best form of cyber defence. While there are likely to be organisation-wide training programmes on identifying suspected phishing emails, for example, these will not reflect the nuance that each team culture will differ.
It is important to test if the treasury department has an environment which allocates blame or extracts learning. For example, if someone uncovered a way to circumvent a maker/checker functionality, would they feel comfortable to flag this to their manager?
Managing across
To adequately defend, anticipate and engage on an enterprise-wide basis, all parts of the organisation must act in unison. The steps above will help treasurers understand where the key partnerships will be.
This may see discussions with procurement if contracts do not include supplier resilience vetting, historic HR practices concerning revised payroll processes or cross-functional learning dialogue following a near-miss.
This leadership is a critical tool in demonstrating corporate treasury’s continued strategic value to the organisation, and central role to enterprise risk management.
Santander Corporate & Investment Banking enhances the security of both our clients and society in the online world. As a financial institution, we are actively working on adopting the Digital Operational Resilience Act (DORA) and the revised Network and Information Systems Directive (NIS2) to build on our existing layers of security:
- Protect: This includes tools with the primary function of preventing cyber-attacks (firewalls, antivirus, email filters, physical, hardware and software access control);
- Detect: 24/7/365 monitoring to identify anomalous or malicious activity, including machine learning;
- Respond: The investigation stage which could include deactivating systems or forensic investigation to prevent further infection, risk or recurrence.
In terms of enhancing resilience for our clients, as a pan-European and American leader in Cash Management, a vital component is providing a single access point for transaction processing via Santander Cash Nexus. This is an important source of operational risk reduction, by reducing the number of potential points of weakness.
We also challenge ourselves to find new ways to drive connectivity with our clients’ technology.