Securing Your Treasury Against Fraud and Cyber Risks


Securing Your Treasury Against Fraud and Cyber Risks
May 1, 2016
Presented by Jeff Diorio, Managing Director
© 2016 Treasury Strategies, Inc. All rights reserved.

Agenda
- Overview: the environment and impacts; understanding your exposure
- Real-life examples: BEC; AP (presentment and lock box); the Bangladesh attack
- Recommendations: controls; action plan; sample project
- Q&A

The Environment
Treasury drivers (source: TSI State of the Treasury Profession Survey):
- Forecasting
- Cyber risk mitigation
- Real-time global visibility and risk exposure
- Treasury structure and operational changes
- Regulatory requirements
- Enhanced management tools
- Efficiency, controls and visibility
Chart categories: Cash Forecasting, Short-Term Investments, Bank Management, Risk Management, Organization/Staffing, Efficient Operations, Technology.

Headlines
How prevalent is this threat? Where are treasuries vulnerable?
Government officials and security experts have long warned of the possibility of cyber disruptions in the financial system and other essential services and utilities.
- "Bangladesh Central Bank Found $100 Million Missing After a Weekend Break" (Wall Street Journal)
- "Xoom Corp. CFO resigns after fraudsters steal $30.8M in corporate cash" (San Francisco Business Times)
It is not a question of if you will be impacted. It is a question of how significant the impact will be.

Payment Fraud Trend (chart; source: AFP 2016 Payment Fraud Survey)

Size Doesn't Matter (chart; source: AFP 2016 Payment Fraud Survey)

Types of Payment Fraud
Check fraud:
- Altered checks
- Forgeries
- Counterfeit checks
- Remotely created checks
- Lockbox scam
- Etc.
Electronic fraud (unauthorized ACH/wire):
- Corporate account takeover
- Check conversion counterfeits
- Social engineering
- Phishing / spear phishing
- Keystroke-logging software
- Password guessing from personal details and weak patterns (birthdays, Fido1234)
- Etc.
Credit card and P-card fraud

Wire Fraud Second to Checks (chart)

Business Email Compromise (BEC)
- Chart: BEC complaint statistics from the FBI Internet Crime Complaint Center (IC3)
- 64% of participants in the 2016 AFP survey had been exposed to BEC

Framing the Problem
There are several risks and exposures:
- Internal threats: theft or malicious acts; human error
- External threats: social engineering, i.e. hacking your process (see the BEC and presentment fraud examples); technical (security exposures, remote control of systems)
- Environmental: denial of service; act of God (Hurricane Sandy)

Real-Life Example: BEC
Background
- A corporate treasury was targeted by cyber criminals who attempted to deceive the organization into transferring $8M for a fraudulent acquisition.
- The fraud attempt was credible and sophisticated in its construction:
  - The email appeared to come from the CEO's account and was written in a style that effectively mimicked the CEO.
  - The fraudulent acquisition was consistent with the company's prior history of acquiring UK subsidiaries.
  - The email targeted the Assistant Treasurer on a day when the Treasurer was out of the office.
- The fraudulent payment might well have been made had the payment protocols and controls that ensure all wires are legitimate and accurate not been in place.

BEC: Payment Control Protocols
The company has a system of payment protocols in place that protected it from becoming a victim of fraud, including:
1. Segregation of duties
2. Workflow with physical and electronic forms
3. Payment authorization limits
4. TMS workstation / banking system enforcing thresholds and workflow
5. Bank controls (positive pay, ACH debit block, etc.)
6. Employee education
7. Written policies that are widely communicated
8. Hiring employees with high integrity
9. Internal and external audits
10. Senior management understanding and active support

BEC: Impact of Controls
How did the controls foil the fraud attempt?
1. Segregation of duties: the Assistant Treasurer could not have input and released the wire on his own from the TMS workstation; it would have required assistance from the Cash Manager.
2. Physical form / payment authorization limits: payments cannot be released without a physical signature from the requestor and from an approver with sufficient authorization.
3. Thresholds in the workstation / banking platform: these prevented the Assistant Treasurer from releasing a wire above a certain amount; only the IT department, with approval from the Treasurer, can raise the threshold.
4. Employee education: members of the Treasury department had recently taken part in a fraud prevention seminar.
5. Written policies that are widely communicated: the Assistant Treasurer was well aware that he could not process the wire without proper support.
6. Hiring employees with high integrity acted as a deterrent.

AP: Invoice or Presentment Fraud
Here is an example of both social engineering and technical fraud. Sometimes they are much more sophisticated.
Slide shows a sample fraudulent email, annotated: actual vendor; actual person; proper PO number; actual email. "Do I open the attachment?" DANGER, DANGER, DANGER! Account manager for what firm?

AP: Vendor Payment Instructions (sample fraudulent change request)
Dear ...
We recently changed our lock box for invoices. Can you please update your records and submit to:
- ABC Bank, account number xxxyyyzzz
- Care of XYZ Company (the account is actually in the name of XYZ Holdings Co rather than XYZ Company Inc)
If you have any questions please call our accounts receivable department at (000)
Sincerely,
Your friendly fraud attempter
Manager of Accounts Receivable
A company you do business with
Note that the phone number in the letter belongs to the fraudster, so any verification of a bank-detail change must use the contact details already on file for the vendor, never those supplied with the request.

AP Control Protocols
Invoice and vendor management controls:
1. Segregation of duties
2. Business intelligence (include business users in approvals)
3. Payment authorization limits
4. Online AP vendor invoice systems (e.g., Concur, Ariba)
5. ERP as the central, controlled payment workflow, store of vendor payment details and initiation point
6. Bank controls (positive pay, ACH debit block, etc.)
7. Updated policies that are widely communicated
8. Fraud/cyber SWAT team
9. Employee education and re-education
10. Senior management understanding and active support

Bangladesh Example
The culprits were able to:
1. Penetrate the bank's payment systems (remote control or internal access)
2. Create MT103 payments
3. Erase their tracks
Failures occurred on multiple levels. Diagram of the bank's SWIFT messaging stack: Internal Bank Systems, Alliance Integrator, Alliance Access, SWIFT Alliance Gateway, SWIFTNet Link, SWIFT; also the SWIFT Alliance RMA and the Alliance Access database.
If it can happen to a bank, it can happen to you.

Best Practice Recommendations: Controls
Proactive PREVENTION via processes and systems:
- Segregation of duties (dual or triple approval)
- Profiling of risky transactions (foreign wires, new counterparty, large amounts)
- Centralized systems with workflow for payment request, approval and preparation
- Business intelligence review (not just treasury or AP)
- Deconstruct or un-automate payment processing (add control points):
  - Leverage bank portals and bank payment controls
  - Only use STP for known, repetitive payments
- IT/technical protections: firewalls, virus scanning, admin controls, intrusion detection and risk monitoring, isolated systems
- Education and escalation (no repercussions for raising an alarm or for following SOP)
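The controls above (segregation of duties, authorization limits, profiling of foreign, new-counterparty and large payments) and the "please update your records" letter on the AP slide can be expressed as a pre-release screen that a TMS or ERP workflow runs over every batch. The following is an added example, not code from the presentation or from Treasury Strategies; the vendor master, the sample batch, the thresholds, the approver limits and the flag names are all constructed assumptions. It also catches the look-alike name trick from the letter (XYZ Holdings Co versus XYZ Company Inc) by comparing names with their legal suffixes stripped, which the slide describes but does not spell out.

```python
"""Pre-release payment screening: new counterparty, look-alike vendor name,
changed bank details, foreign/large wires, and segregation of duties.

Added example, not from the presentation.  The vendor master, the sample
payment batch, the thresholds and the approver limits are all constructed
assumptions for illustration.
"""
from dataclasses import dataclass

# Tokens dropped before comparing names, so "XYZ Holdings Co" and
# "XYZ Company Inc" both reduce to "xyz" and are caught as look-alikes.
LEGAL_SUFFIXES = {"inc", "incorporated", "co", "company", "corp", "corporation",
                  "ltd", "limited", "llc", "plc", "holdings", "group"}

HOME_COUNTRY = "US"
LARGE_AMOUNT = 250_000.0                                     # assumed profiling threshold
APPROVAL_LIMITS = {"bob": 100_000.0, "carol": 1_000_000.0}  # assumed per-approver limits
HOLD_FLAGS = {"NEW_COUNTERPARTY", "LOOKALIKE_NAME", "BANK_DETAILS_CHANGED",
              "NO_INDEPENDENT_APPROVAL", "APPROVER_OVER_LIMIT"}


@dataclass(frozen=True)
class Vendor:
    name: str
    country: str
    bank: str
    account: str


@dataclass(frozen=True)
class Payment:
    ref: str
    beneficiary: str
    country: str
    bank: str
    account: str
    amount: float
    requested_by: str
    approved_by: str


# Constructed vendor master: the bank details on file, which is what a
# change request must be checked against (never the details in the letter).
VENDOR_MASTER = {
    "XYZ Company Inc": Vendor("XYZ Company Inc", "US", "First National", "55500011"),
    "Acme Parts Ltd": Vendor("Acme Parts Ltd", "GB", "Barclays", "GB29NWBK60161331926819"),
}


def core_name(name: str) -> str:
    """Normalise a legal name down to its distinguishing words."""
    cleaned = name.lower().replace(",", " ").replace(".", " ")
    return " ".join(t for t in cleaned.split() if t not in LEGAL_SUFFIXES)


def screen(p: Payment, master: dict = VENDOR_MASTER) -> list:
    """Return the risk flags raised by one payment (empty list = clean)."""
    flags = []
    vendor = master.get(p.beneficiary)
    if vendor is None:
        flags.append("NEW_COUNTERPARTY")
        for known in master:
            if core_name(known) == core_name(p.beneficiary):
                flags.append(f"LOOKALIKE_NAME:{known}")
                break
    elif (vendor.bank, vendor.account) != (p.bank, p.account):
        flags.append("BANK_DETAILS_CHANGED")
    if p.country != HOME_COUNTRY:
        flags.append("FOREIGN")
    if p.amount >= LARGE_AMOUNT:
        flags.append("LARGE_AMOUNT")
    if not p.approved_by or p.approved_by == p.requested_by:
        flags.append("NO_INDEPENDENT_APPROVAL")
    elif p.amount > APPROVAL_LIMITS.get(p.approved_by, 0.0):
        flags.append("APPROVER_OVER_LIMIT")
    return flags


def disposition(flags: list) -> str:
    """HOLD: stop and verify out of band (call-back to the number on file,
    second approver).  REVIEW: release only after a person has looked at it.
    RELEASE: clean, known, repetitive payment that may go STP."""
    if any(f.split(":", 1)[0] in HOLD_FLAGS for f in flags):
        return "HOLD"
    return "REVIEW" if flags else "RELEASE"


# Constructed batch: P1 is the "please update your records" letter from the
# slide, P2 a large foreign wire, P3 a routine payment, P4 a changed account
# where the requester also approved.
SAMPLE_BATCH = [
    Payment("P1", "XYZ Holdings Co", "US", "ABC Bank", "987654321", 48_500.0, "alice", "bob"),
    Payment("P2", "Acme Parts Ltd", "GB", "Barclays", "GB29NWBK60161331926819", 310_000.0, "alice", "carol"),
    Payment("P3", "XYZ Company Inc", "US", "First National", "55500011", 12_000.0, "alice", "bob"),
    Payment("P4", "XYZ Company Inc", "US", "ABC Bank", "987654321", 12_000.0, "alice", "alice"),
]


def screen_batch(batch=SAMPLE_BATCH) -> dict:
    """Map payment ref -> (flags, disposition) for a whole release batch."""
    return {p.ref: (screen(p), disposition(screen(p))) for p in batch}


if __name__ == "__main__":
    for ref, (flags, verdict) in screen_batch().items():
        print(f"{ref}: {verdict:7} {', '.join(flags) or '-'}")
```

The point of the HOLD disposition is that a changed account or a new payee is never resolved inside the workflow: it waits for a call-back to the number already on file and for a second approver, which is exactly the step the fraudulent letter tries to short-circuit by supplying its own phone number.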

Action Plan
Analyze:
- Look at all of the components, procedures, partners and communication channels.
- Determine all the places where your data originates, is transported and is stored.
- Evaluate both the current level of security and existing exposures.
- Review your payment procedures and initiation controls.
- Involve partners that are both internal (AP, IT, Audit) and external (banks, SWIFT, vendors).
- Evaluate the potential for loss of control and inability to execute.
Develop an action plan:
- Formulate a response team.
- Review each potential type of breakdown.
- Enhance protection where possible.
- Create a response plan for the inevitable breach.
- Define acceptable and unacceptable risks.

Action Plan (continued)
Understand liability and insurance:
- Who has liability in case of an event?
- Understand your vendors' and banks' liability coverage, and whether you are comfortable with it.
- Use insurance riders and/or cyber insurance as an umbrella (this could be multiple policies).
- Be sure that both monetary losses and securities are covered.
Leverage experts:
- Bank and vendor recommendations
- A focused treasury risk assessment (not a general one), covering corporate payments and cyber risk
- Expert advice and best practices
- An outside perspective
- Regular tune-ups

Sample Cyber/Fraud Project
Scope (diagram): Company, SaaS-hosted TMS, SWIFT bureau, Bank
- Review policies, procedures and controls across the end-to-end process
- Technical review (can messages be read?): data at rest must be encrypted; data in flight must be encrypted
- Payment message verification (can messages be altered?)
- Acknowledgement/confirmation validation
- Central, frequent monitoring of data and workflows
- Digital signatures and strong authentication (e.g., two-factor authentication, SWIFT 3SKey), checksums and secondary validation to authenticate payment files
- Risky transactions re-presented by the bank for confirmation
- Action plan for a breach or incident

Sample Cyber/Fraud Project (continued)
Analyze workflow procedures and the security of all systems and locations where you receive or send data.
Diagram components: Corporate Firewall, BAM, Forecast, ERP, TMS or Bank, AP.
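The slide lists checksums, digital signatures and acknowledgement validation together, and the distinction between them matters: a checksum only proves a file was not accidentally corrupted, because anyone who can alter the file can recompute it, whereas a keyed MAC or a signature cannot be regenerated by an attacker who lacks the key. The following is an added example, not code from the presentation or from any SWIFT or bank product; the file layout, the shared key and the acknowledgement format are constructed, and HMAC-SHA256 stands in for the signature scheme (SWIFT 3SKey or similar) that a real bureau or bank connection would use. It also checks the control total in the trailer (the slide's "secondary validation") and verifies the bank's acknowledgement against the exact bytes that were released.

```python
"""Authenticating a payment file between the company and its SWIFT bureau
or bank: checksum vs keyed MAC, control-total validation, and checking the
acknowledgement against what was actually sent.

Added example, not from the presentation.  The file layout, the shared key
and the acknowledgement format are constructed.  HMAC-SHA256 stands in for
the digital signature (SWIFT 3SKey or similar) the slide refers to; the
property demonstrated is the same: the verifier can check the tag, while an
attacker who rewrites the file cannot produce a valid one without the key.
"""
import hashlib
import hmac

# Constructed sample file: header, two payments, control-total trailer.
PAYMENT_FILE = b"\n".join([
    b"HDR,ACME-TREASURY,2016-05-01,2",
    b"PAY,0001,XYZ Company Inc,First National,55500011,12000.00,USD",
    b"PAY,0002,Acme Parts Ltd,Barclays,GB29NWBK60161331926819,9850.00,GBP",
    b"TRL,21850.00",
]) + b"\n"

# Constructed key shared by sender and receiver.  In practice it would live
# in an HSM or hardware token, never beside the file on the TMS host.
SHARED_KEY = b"demo-key-not-for-production"


def checksum(data: bytes) -> str:
    """Unkeyed integrity check: detects accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def mac(key: bytes, data: bytes) -> str:
    """Keyed tag over the whole file, computed by the sender before release."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison so the tag cannot be guessed byte by byte."""
    return hmac.compare_digest(mac(key, data), tag)


def attacker_redirect(data: bytes, old_account: bytes, new_account: bytes):
    """Someone with write access to the file swaps a beneficiary account and,
    because a checksum needs no secret, simply recomputes it."""
    tampered = data.replace(old_account, new_account)
    return tampered, checksum(tampered)


def make_ack(key: bytes, data: bytes) -> str:
    """Keyed acknowledgement bound to a hash of the processed bytes."""
    return mac(key, b"ACK:" + hashlib.sha256(data).digest())


def receiver_process(key: bytes, data: bytes, tag: str):
    """Bureau/bank side.  Refuse the file unless the MAC verifies and the
    payments add up to the trailer; otherwise return totals plus an ack."""
    if not verify_mac(key, data, tag):
        return None
    lines = data.splitlines()
    payments = [ln.split(b",") for ln in lines if ln.startswith(b"PAY,")]
    total = sum(float(f[5].decode()) for f in payments)
    trailer = float(lines[-1].split(b",")[1].decode())
    if abs(total - trailer) > 0.005:
        return None
    return {"count": len(payments), "total": total, "ack": make_ack(key, data)}


def sender_check_ack(key: bytes, sent: bytes, ack: str) -> bool:
    """Confirmation validation: the ack must match the file the sender
    released, not a stale, replayed or altered version of it."""
    return hmac.compare_digest(make_ack(key, sent), ack)


if __name__ == "__main__":
    tag = mac(SHARED_KEY, PAYMENT_FILE)
    tampered, new_ck = attacker_redirect(PAYMENT_FILE, b"55500011", b"98765432")
    print("checksum fooled:", checksum(tampered) == new_ck)           # True
    print("MAC fooled:     ", verify_mac(SHARED_KEY, tampered, tag))  # False
    result = receiver_process(SHARED_KEY, PAYMENT_FILE, tag)
    print("ack valid:      ", sender_check_ack(SHARED_KEY, PAYMENT_FILE, result["ack"]))  # True
```

In a real connection the tag would be a signature made with a key held in a hardware token such as 3SKey, so that the host that builds the file (the TMS or the bureau) cannot sign on its own if it is compromised; the verification logic and the acknowledgement check are the same.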

Sample Cyber/Fraud Project (continued)
Questions to ask of every system and channel (Company, SaaS-hosted TMS, SWIFT bureau, Bank):
- Who has access to the data?
- Which users have permission to initiate payments?
- What are the physical security controls?
- Are transmissions encrypted?
- Are communications unreadable and unalterable?
- How robust is the connectivity?
- Are messages and their senders authenticated?
- What process controls exist?
- Have alternate initiation plans been developed?
Areas of vulnerability: boxes are areas that you, your vendors or your banks must be sure are secured; arrows are communication channels that must be protected.

Resources
- Treasury Strategies
- Your banks
- AFP
- Your vendors
- Other: FBI Internet Crime Complaint Center (IC3); Federal Reserve; NCFTA; FFIEC; US Secret Service Cyber Intelligence Center

Thank You
We have best practice guidelines and recommendations. Email me for more information.
Jeff Diorio, Managing Director

Treasury Strategies Corporate Practice
Armed with decades of experience, proven approaches and unparalleled knowledge of treasury and risk management, we advise our clients on leading practices and technology solutions, providing guidance and actionable results across all areas of global treasury. We consult to both users and providers of treasury solutions, so our clients benefit from our 360° view of the key dynamics, drivers and trends in the treasury market.
Clients: Corporations; Public Sector; Not-for-Profit
Solutions: Global Cash and Liquidity Management; Cash Forecasting; Financial Risk Management; Treasury Organization; Payments Strategy; Leading Practices Review and Benchmarking; RFP Support for Banking Services; Technology Business Requirements and Gap Analysis; Technology Optimization and Updates; Technology Selection; Technology Implementation and Connectivity; Treasury Change Management and Resource Support

About Treasury Strategies, Inc.
Who We Are: Treasury Strategies, Inc. is the leading treasury consulting firm working with corporations and financial services providers. Our experience and thought leadership in treasury management, working capital management, liquidity and payments, combined with our comprehensive view of the market, rewards you with a unique perspective, unparalleled insights and actionable solutions.
What We Do
- Corporations: We help you maximize worldwide treasury performance and navigate regulatory and payment system changes through a focus on leading practices, technology, liquidity, risk and controls.
- Financial Services: Our experience, analytic approach and benchmarks provide unique consulting solutions to help you strengthen and grow your business.
Accreditations
Connect with Us: giesincconsulting