Shoring up Treasury’s Cyber Defences: 9 Smart Steps
By Eleanor Hill, Editor
Did you know that paying a ransom to a cybercriminal, even if you do so in Bitcoin, could lead to a sanctions violation? That’s right, treasurers now have even more to think about – and get involved in – when it comes to cybercrime. Here, we examine the latest threats treasurers need to keep abreast of and ask industry experts what treasurers can do to ensure their systems and data remain protected.
Picture the scene: your CFO is on her way from the head office in London to an important meeting in New York. Everyone in the treasury team knows she’s travelling today. She’s just about to board her flight when treasury receives an email from her saying that an urgent payment needs to be processed before she leaves the country. She phones one of the treasury team too – just after the email has hit their inbox, but the line is bad, and she needs to switch off her phone before take-off, so she doesn’t have much time to explain. Nevertheless, the message is clear: the payment needs to be made now.
Of course, you guessed it: the email wasn’t from the CFO at all. It was a cybercriminal sending an email from her address – having compromised the company’s systems several months previously. With access to all of the CFO’s emails and her calendar, the fraudster had learnt how to communicate just like her and knew precisely when she was going to be getting on a plane to New York (the only true part of this whole scenario). No, the phone call wasn’t from her either; it was the fraudster spoofing her number, calling with a supposedly poor connection to help disguise their voice.
This is an increasingly common type of attack, known as CFO fraud, and one that is often successful. Many treasury departments have actioned payments in similar scenarios. In fact, statistics suggest that up to 90% of CFO fraud attacks are successful, because they are so targeted and so well researched. CFO fraud also often involves multiple types of cyber-attack – starting with a spear phishing email that installs malware on a device (such as the CFO’s computer), followed by business email compromise and social engineering techniques, and ultimately ending in a payment fraud.
Yes, some treasuries have spotted the ruse – and either caught the CFO fraudster out at the start, or questioned the payment before it was sent out, stopping the attack part way down the line. But the fraudsters are becoming more and more sophisticated, and playing a very long game – waiting patiently for months to find the right moment to strike. The longer they wait, the more information they gather that helps them to launch an extremely convincing attack.
As Raj Shenoy, Global Head, Digital Security, Treasury and Trade Solutions, Citi, explains: “Targeted and well-researched victims are part of the modus operandi, where bad actors are looking for large returns and are willing to be persistent with a long-term outlook to exploit targets in positions of authority.” The CFO and treasurer both fall under this umbrella – and cybercriminals are becoming increasingly aware of the lucrative potential of treasury as a target. Not only do treasurers have the ability to move large amounts of cash very quickly, they are also sitting on a goldmine of data. What’s more, as treasury has grown in strategic importance, cybercriminals are finding it easier to research treasury targets. (But don’t worry, we will explore tactics for staying cyber secure later in this article).
Treasury trends impacting cybersecurity
Sebastian Kästner, Group Treasurer, iSi Group, Austria, and a board member of the Austrian Corporate Treasury Association, highlights two developments in treasury that must be taken into account when reviewing cybersecurity:
A current major concern for many treasurers is the increasing adoption of instant payments. The risk is heightened in the sense that it will become almost impossible to stop an ongoing payment, as the payment service provider has less than ten seconds to stop it. As a result, corporates will have to improve their checks before a payment is transferred.
With faster payments and the increased amount of data and connected devices, payment service providers will have to improve their fraud and money-laundering recognition as well as sanctions list searches using automated advanced detection filters, such as artificial intelligence methods. However, the responses from the corporates advising these payments are still slow. Thus, faster reaction times will also be key in these areas.
There is definitely a trend to move data and processes to mobile devices and the cloud. This does, and will, affect the treasury landscape and thus presents new cyber risks. Data encryption and the careful and restricted use of activated wireless connection technologies are key to ensuring protection.
A hostage situation
Although CFO fraud is one of the more common cyber threats faced by treasurers, according to Jan Dirk van Beusekom, Head of Strategic Engagement, BNP Paribas Cash Management & Trade Solutions, other types of attack frequently faced by treasury teams include “ransomware installed via phishing, and payment fraud via a ‘false’ IBAN”.
Ransomware does indeed appear to be a growing concern in the corporate space. “We have seen a spike in ransomware across geographies and industries,” confirms Shenoy. Ransomware is essentially malware that encrypts data, holding it ransom, so that users cannot access it. Whole systems can be held hostage too, including the ERP.
Systems that control industrial machinery can also be held hostage, as we have seen with the emergence of the LockerGoga ransomware – which has caused at least USD 40m of damage (in revenue and recovery costs) at Norsk Hydro so far this year, with the attack shutting down most of the company’s production for a week. In a nutshell, LockerGoga works by changing user passwords and logging out network connections before encrypting all of the files on the target system. Payment in Bitcoin is then demanded by the cybercriminals.
It’s well known that more and more organisations are discreetly paying ransoms in order to get access to their data and systems back. And it’s understandable why – statistics from cybersecurity company Coveware illustrate that in Q1 2019, the average ransom organisations paid per incident was just USD 12,762. For most corporations, this is a drop in the ocean, and may seem like a price worth paying.
On the flip side, there is no guarantee that the attackers will decrypt your files, or that they will do it in a timely fashion. Paying a ransom may also make your organisation more likely to be subject to ransomware attacks in the future, as the company’s name is circulated on the Dark Net as a potential soft target. Furthermore, treasurers should be aware that paying a ransom could actually result in sanctions violations – and fines that far exceed the monetary value of the ransom.
In November 2018, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) publicly attributed cryptocurrency addresses to individuals who were involved in converting ransomware cryptocurrency payments to fiat currency. These known individuals are now being added to sanctions lists, and any company found to have paid a ransom to them could be subject to secondary sanctions. According to an official announcement from OFAC, “Regardless of whether a transaction is denominated in a digital currency or traditional fiat currency, OFAC compliance obligations are the same.”
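As an added illustration (this is not code from the article or from any of the banks or firms quoted in it), the following Python sketches the kind of pre-release control that the instant-payments point above, the ‘false IBAN’ fraud mentioned by van Beusekom, and the OFAC screening obligation all call for: a payment is released only if its IBAN passes the ISO 13616 mod-97 checksum, matches the account held on the vendor master, the beneficiary (or crypto address) is not on the sanctions list, dual approval is in place, and any instruction that arrived by email or phone has been confirmed by callback on a known number. The vendor master, sanctions entries, approval threshold and the three sample payments are all constructed for the example.

```python
"""Pre-release payment controls for a treasury payment (illustrative example).
Everything below the checksum rule is an assumption made for this example:
the vendor master, the sanctions list, the approval threshold and the sample
payments are constructed, not real data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 checksum. Catches typos and crudely faked IBANs; it
    says nothing about *whose* account it is, which the vendor-master check covers."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]                       # move country code + check digits to the end
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(numeric) % 97 == 1


def normalise(name: str) -> str:
    return " ".join(name.upper().split())


@dataclass
class Payment:
    vendor_id: str
    beneficiary_name: str
    iban: str
    amount: float
    currency: str
    requester: str
    approvers: Tuple[str, ...] = ()
    instruction_channel: str = "erp"   # "erp", "email" or "phone"
    callback_confirmed: bool = False   # confirmed on a number held on file, not one in the email
    crypto_address: Optional[str] = None


# Constructed reference data for the example.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "ACME-001": {"name": "Acme Supplies Ltd", "iban": "GB82WEST12345698765432"},
}
SANCTIONS = {
    "names": {normalise("Example Sanctioned Exchanger LLC")},
    "crypto_addresses": {"bc1qexample-constructed-listed-address"},
}


def screen_payment(p: Payment, vendor_master=VENDOR_MASTER, sanctions=SANCTIONS,
                   dual_approval_threshold: float = 10_000.0) -> List[str]:
    """Return the list of control failures; an empty list means the payment may be released."""
    findings: List[str] = []
    if p.crypto_address:
        if p.crypto_address in sanctions["crypto_addresses"]:
            findings.append("crypto address is on the sanctions list (OFAC obligations apply regardless of currency)")
    else:
        if not iban_is_valid(p.iban):
            findings.append("IBAN fails mod-97 checksum")
        vendor = vendor_master.get(p.vendor_id)
        if vendor is None:
            findings.append("vendor not in vendor master")
        elif vendor["iban"] != p.iban.replace(" ", "").upper():
            findings.append("IBAN differs from vendor master: verify with supplier on a known number before release")
    if normalise(p.beneficiary_name) in sanctions["names"]:
        findings.append("beneficiary name matches sanctions list")
    independent_approvers = set(p.approvers) - {p.requester}
    if p.amount >= dual_approval_threshold and len(independent_approvers) < 2:
        findings.append("dual approval missing (two approvers other than the requester required)")
    if p.instruction_channel != "erp" and not p.callback_confirmed:
        findings.append("instruction received by email/phone without callback confirmation")
    return findings


# Constructed sample payments: one clean, one in the CFO-fraud pattern, one ransom payment.
GOOD_PAYMENT = Payment("ACME-001", "Acme Supplies Ltd", "GB82 WEST 1234 5698 7654 32",
                       25_000.0, "GBP", requester="ap.clerk", approvers=("treasurer", "controller"))
SUSPECT_PAYMENT = Payment("ACME-001", "Acme Supplies Ltd", "GB82 WEST 1234 5698 7654 33",
                          180_000.0, "GBP", requester="cfo", approvers=("cfo",),
                          instruction_channel="email")
RANSOM_PAYMENT = Payment("N/A", "Unknown", "", 12_762.0, "USD", requester="it.ops",
                         approvers=("cio", "treasurer"),
                         crypto_address="bc1qexample-constructed-listed-address")

if __name__ == "__main__":
    for label, pay in (("good", GOOD_PAYMENT), ("suspect", SUSPECT_PAYMENT), ("ransom", RANSOM_PAYMENT)):
        result = screen_payment(pay)
        print(label, "-> RELEASE" if not result else "-> HOLD: " + "; ".join(result))
```

The point of returning every failure rather than stopping at the first is that the treasury approver sees the whole picture: in the CFO-fraud pattern the changed IBAN, the missing second approver and the unconfirmed email instruction all surface together, which is a much stronger signal than any one of them alone.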
It comes as little surprise, then, that companies are focusing on having good cyber defences in place, and proper back-ups, as a means to overcome ransomware without giving in to the criminals. Training (more on this later) plays a key role in the defence against ransomware, since, as van Beusekom noted, the majority of such attacks result from a phishing campaign – whereby a user clicks on a link or downloads an attachment that then installs the malware.