CTC Guide

Cybersecurity:
Setting a Cyberrisk Management Strategy

Supported by Marsh & McLennan Companies

What’s the right way to manage risk? The smartest path to growth? The best way to engage your people? When it comes to risk, strategy, and human capital, clients in more than 130 countries depend on us to help them answer the hard questions. Together, we work to solve complex problems, seize opportunities, and drive growth.

We are Marsh & McLennan Companies, a global professional services firm whose deep expertise and commitment to lasting partnerships protect and advance our clients’ vital assets: their people, their capital, their strategy.

To learn more about us and our market-leading brands, visit MMC.com.


Contents
Executive Summary Page 1
What is the Cyberthreat? Page 2
How can treasurers help to manage cyberrisk? Page 2
Setting a cyberrisk management strategy Page 2
Sources of Cyberrisk Page 4
Who poses the threat? Page 4
What is at risk? Page 5
Having a clear understanding of data Page 8
Evaluating Cyberrisk Page 9
Value assets and potential liabilities Page 9
Managing Cyberrisk Page 11
The art of the possible Page 11
Protect the most valuable assets Page 11
Using mobile technology to manage treasury activities Page 14
Manage the remainder Page 15
Policy in the event of breach Page 16
Conclusion Page 18
Checklist for Identifying Assets Page 19
Internal assets Page 19
Treasury-specific assets Page 20
External Page 20
CTC GUIDE: Cybersecurity: Setting a Cyberrisk Management Strategy

Cybersecurity: Setting a Cyberrisk Management Strategy

Executive Summary
The Washington D.C.-based Center for Strategic and International Studies has estimated that
cybercrime costs the global economy USD 445 billion a year. The 2015 AFP Risk Survey found
that 34% of companies had been subjected to a cyberattack in the last 18 months. For most
corporate leaders, the well-publicized cybersecurity breach at Sony that took place in late 2014
was simply the latest instance of a type of crime that has risen to the top of their agendas.
This guide is designed to help organizations establish a cybersecurity management strategy
and policy, both at corporate level and within the treasury department. The guide suggests
and explains a three-part approach to establishing and implementing a cyberrisk management
strategy: identify data at risk, value this data, and manage the risk appropriately.
When managing cybersecurity, companies should prioritize the use of resources to protect
the most valuable and business-critical data. The guide explains when and how to use cyberrisk
insurance. Finally, underpinning the guide is an assumption that it is impossible to eliminate all
risk of a cyberbreach. With this in mind, the guide concludes with suggestions on how to plan a
response to the data breach that is likely to occur at some point.

Return
to
Contents
www.AFPonline.org ©2015 Association for Financial Professionals, Inc. All Rights Reserved 1
What is the Cyberthreat?

Seemingly every day there is a new report of a high-profile security breach at a major national or multinational corporation. The sources vary from alleged state-sponsored hacking through to breaches caused by employee error. These reported cases are the tip of the iceberg: for all the cases that are made public, there are many others which remain below the radar. Whatever the cause, each affected corporation faces a hit to its reputation and a degree of additional cost. At a minimum, companies have to finance an internal inquiry to establish how a breach took place and then pay for any recommended measures, such as investing in more training for employees. At the other extreme, regulators may require companies affected by a breach to pay significant sums in compensation. The highly publicized security breach at Sony highlights just how far the implications can extend. Given the size of the events and the potential impact on corporations of all sizes, managing cybersecurity has risen to the top of most corporate agendas.

Just as importantly, corporate strategists have realized that cyber protection is not as simple as putting in place a strong firewall. Put simply, a firewall on its own has never been (and can never be) a complete defense, and an overly restrictive one is counterproductive. In today’s interconnected world, corporations need to be able to communicate openly with third parties: companies make supplier payments electronically, for example, and customers, both B2B and B2C, increasingly expect to be able to purchase goods online.

This means companies are faced with the challenge of managing cyberrisk in an ever more complex environment, while retaining the ability to communicate effectively with customers, suppliers and other trusted third parties.

How can treasurers help to manage cyberrisk?

Within this context, there are two roles for a corporate treasurer to play when seeking to manage cyberrisk. First, the treasurer is well placed to help the company develop a group-wide strategy for managing cyberrisk. In particular, treasurers have well-developed risk management skills. They will be able to apply their asset valuation skills to identify the assets within the organization which require protection. Treasurers also have project management skills and an understanding of the structure of their organizations: both are needed to coordinate a group-wide approach to cyberrisk management.

The second part of the treasurer’s role is to manage the cyberrisks that are directly relevant to the treasury department’s day-to-day activities. Treasury departments have been investing in technology to be able to automate processes and achieve efficiencies. Yet these efficiencies require organizations to be more connected to third parties, via the internet and other connections, resulting in a much greater exposure to cyberrisk. Treasurers need to manage cyberrisks associated with most of their core activities: payment processing, liquidity management (including the operation of in-house banks), supply chain management and the use of any outsourced services, including treasury management systems and other solutions offered as Software as a Service (SaaS).

Setting a cyberrisk management strategy

This guide examines both elements of a treasurer’s role in managing cyberrisk. The underlying principles are the same, whether the risk is being managed at the corporate or department level. In both cases, it is appropriate to take a three-step approach to developing a cyberrisk management strategy:

1. Understand the nature of data which is at risk
Before setting any strategy, the treasurer (together with other appropriate colleagues) has to have a clear knowledge and understanding of the scope of data, information and activities which are potentially at risk.

2. Value the data at risk
Once the scope is understood, the treasurer will help to place a value on all data. Both assets at risk (such as the long-term value of intellectual property) and potential liabilities (for example, likely compensation payments) will need to be quantified.
3. Take action to manage the data at risk
With a clear value of the data, the treasurer can then help the group to prioritize the use of resources to manage cyberrisk effectively. Within this process, there are essentially three tasks:

■ Protect the most valuable data
Companies should dedicate their scarce resources to protecting the most valuable data. This is likely to include data which is central to the financial viability of the organization, and will include core intellectual property. Protection is likely to be achieved via a series of measures and controls.

■ Manage the remaining risk through insurance and self-insurance
Irrespective of how much is spent protecting the most valuable data, there is still a chance that security will be breached. It may be possible to use insurance to cover this remaining risk. For example, insurance is often appropriate as a protection against any requirement to pay financial compensation as a result of a data breach. However, it may not be possible, or financially appropriate, to insure against every potential loss.

■ Adopt a plan should a data breach occur
Finally, all organizations should expect a data breach to occur at some point. The challenge then becomes how best to respond to ensure any risk to reputation and any financial losses are minimized.

Ultimately, a corporation needs to be able to determine who should have access to each piece of its data, and have in place a process to protect it or a solution to be able to recover in the event of loss.

How to coordinate the development of a cybersecurity strategy

Aim for a collaborative process
To achieve the full picture of the value of group assets, a collaborative process must be established. There must be a group-wide committee or other structure tasked with setting and implementing the cyberrisk security strategy. This committee must take an enterprise-wide approach, and it may be appropriate to incorporate the cyberrisk security strategy into the wider enterprise-wide risk management policy. The key is for the committee to be inclusive from the earliest point, so that individuals within the company are able to share their particular concerns. The committee must also be able to coordinate input from all the relevant divisions and entities. Although this will be a significant challenge in multinational corporations operating in many jurisdictions around the world, it will still be a challenge in a company with activities primarily in the home market. Unlike many other group activities, it is not appropriate for a cyberrisk strategy to be conceived in terms of silos of internal activity.

Board-level support is required
This committee must have board-level approval and authorization to require all group divisions and entities to cooperate.

Ensure appropriate team membership
The committee’s membership may vary over time once the initial strategy has been set and there is a movement towards implementation and ongoing review.

Aim for accountability
The committee must be under the named direction of one individual responsible to the board for the performance of this committee. That individual is unlikely to be anyone directly involved in IT, although it could be the director responsible for, among other things, IT.

In the following sections, we examine each step in the process of establishing a cyberrisk management strategy in detail.
Sources of Cyberrisk

Understanding the nature of cyberrisk involves two elements. First, companies need to understand the types of individual and group which pose both specific and general threats to their cybersecurity. Second, companies need to understand the full range of information at risk within their organizations. These factors need to be evaluated on a group-wide basis and at the treasury department level too.

Who poses the threat?

The first stage of the strategy should be to try to understand the individuals and organizations that represent the greatest threat to cybersecurity. Companies will be affected differently, according to the nature of their business, their customers and suppliers, and the locations of their activities. Verizon’s 2014 Data Breach Investigations Report analyzed security incidents over a ten-year period. It found that, for example, companies in the travel and hospitality sector were most likely to be affected by attacks on point-of-sale technologies, whereas retail companies were most likely to be affected by denial of service attacks.

Being aware of the most likely sources of cyberrisk will help to determine the most appropriate approaches to protecting the most valuable data. Because the nature and objectives of the individuals and groups launching attacks vary, the responses by organizations may need to vary too.

Internal threat
The primary threat comes from internal sources: current and former employees of corporations, including disgruntled former employees whose credentials have not been canceled.

The internal threat to cybersecurity should not be underestimated, for two reasons. First, because internal employees potentially have access to the full range of corporate information, there is a risk of significant loss if appropriate controls are not in place to manage individuals’ access to data.

Second, evidence from law enforcement agencies suggests that, while cyber losses caused in this manner are not often publicized, they represent the most likely form of cyberattack. Security breaches can be deliberate: a disgruntled or blackmailed employee may decide to reveal or sell information to third parties. The chances of a breach can be reduced via improved training: the introduction of a USB pen drive or the failure to follow established procedures can allow malware into a company’s systems. But, however comprehensive a company’s training program is, some internal breaches are still likely to occur. For example, the volume of phishing emails means that some will inevitably be opened, and it remains very easy to copy third parties into internal emails accidentally, especially when using unfamiliar devices to communicate.

Specific attacks and general threats
External attacks from third parties are initiated on organizations for a variety of reasons, with certain types of attack more likely in some industries than others. For example, organizations may face specific attacks because of the type of business they do (pharmaceutical companies may be more susceptible to industrial espionage attacks, oil companies may attract environmental activists and retail companies may face threats at the point of sale). The nature of an organization’s business partners may also result in certain specific threats: companies operating in the defense industry or with links to government may face threats from other governments.

As an indication, external threats arise from four main types of opponent:

Hackers
The first category of external attackers is IT-focused hackers. They are primarily motivated by the challenge of attacking corporate cyber defenses. If they are successful, they may highlight this by disrupting processes or otherwise publicizing the breach. There are also ethical hackers who work with organizations to improve their cybersecurity by trying to breach existing arrangements.

Activists
Rather than viewing the target as a challenge in itself, activists are motivated by causing disruption and/or
embarrassment to a specific target (or target group). Activists often have environmental or other political reasons for targeting a particular company or category of companies. Their attacks are typically intended to make a campaigning point and may be directed at taking over websites or performing a denial of service attack so that the company cannot continue to operate normally. Energy companies, financial institutions, companies with links to particular political regimes and those in the defense/military industries are more likely to be susceptible to these types of attack.

Financial criminals (internal and external)
Financial criminals look to obtain protected data, often in the form of personal information such as customers’ credit card details, then to sell that data into the black market. Phishing is an increasingly common way of seeking this data, although attacks may also be targeted at particular processes or systems. They can also be initiated internally by a dishonest employee providing access to systems or particular data sets to criminals for onward gain.

General attacks rely on weaknesses in internal systems or procedures to gain entry to the company systems. For example, phishing succeeds when an employee opens a malicious attachment or follows a link in a fraudulent email. Employees can weaken security via the introduction of USB pen drives into the company network or by the use of personal computers when working remotely or from home. Companies should be wary of the use of cell phones and tablets to communicate with their systems. These can expose the company to a greater degree of cyberrisk simply because mobile devices and the networks they use are often less well protected than managed corporate systems.

Intellectual property thieves
Finally, and most seriously, some individuals or organizations, including governments, launch attacks to try to obtain access to the target’s intellectual property (IP). Such data may include core production information, such as formulae and production methods: the loss of control of this data may allow another company to produce the same items more cheaply, threatening the long-term future of the target. Third parties may also want access to negotiating positions and tender documents when bidding for contracts.

It is also possible for industrial espionage to be conducted by employees, either as a result of disgruntlement, as part of a transfer of employment (the employee brings confidential information with them), or as a result of some financial inducement (possibly including blackmail).

Understanding where threats may come from will help companies to manage the risk. That said, Verizon’s analysis found that 75% of successful data breaches were not targeted at a specific individual or company, and that 78% of data breaches did not require any significant resources by the perpetrator. In other words, ensuring there is a good core set of security processes and procedures may significantly reduce the chance of a successful data breach. For example, setting clear protocols on the cancelation of credentials when someone leaves the company will help to reduce the threat posed by disgruntled former employees. Improved training and clearer technology-use policies will help to reduce the likelihood of human error. Understanding the value of different data to third parties will also help to prioritize protection.

What is at risk?

Understanding the objectives of individuals and organizations posing a threat is only part of the equation. Companies also need to understand the full range of data and information which they hold and use, and to assess how and when the data is vulnerable. Companies need to protect physical and electronic data in two forms: when it is static (or at rest) on their systems, and when it is being communicated (or in flight), both internally and with third parties.

Data can be affected in three different ways:

1. Data can be stolen and sold to third parties or otherwise published. The impact will vary according to the nature of the data. The loss of customer information, such as credit card details, will result in a reputational loss and a consequent loss of sales, as well as possible regulatory fines and damages. The loss of core intellectual property may result in a third party being able to produce goods of the same quality for a lower cost.
2. Data can be corrupted. Depending on circumstance, this could result in companies making decisions on the basis of incorrect data, or a manufacturing process producing sub-standard goods, exposing the company to longer-term financial loss.

3. Data communication can be halted or prevented. For example, company websites can be subjected to denial of service attacks, meaning customers cannot purchase goods online. Disruption to internal and external communications may also prevent data which is essential to the normal running of the business from being sent to and received from some or all parties, such as group entities, suppliers or banks.

When developing a company-wide cybersecurity policy, the team responsible needs to understand the complete range of data the company holds. Similarly, the team needs to understand the scope of data held outside the organization (for example, with third parties including software partners and in the Cloud), and also when and how data is communicated externally. If this data is compromised in one way or another, there is the potential for a range of consequences.

To do this, the team needs to collate information from across the group. A checklist to help this process is provided at the end of this guide.

What are the key issues for treasurers to manage in the treasury department?

The challenge for treasurers over recent years has been to use the development of technology to automate processes and reduce operating costs (including headcount). However, this increased reliance on automation and straight-through processing also exposes the organization to a greater degree of cyberrisk. Cyberrisk is not simply the risk of systems being breached from outside the organization. There is also the risk of an internal breach by someone who knows the controls and limits and can therefore work around them in ways that are difficult for audit to pick up.

As with the more general issues, fraud and human error remain the biggest risks within treasury departments. Human error when dealing can result in significant loss, especially if the approval processes are unclear or are not followed. With data flowing into and out of the treasury department, there is an ever-present risk of system corruption. For example, forecasting and positioning systems can foster errors, especially when estimates and actual data are confused. As more people gain access to treasury management platforms (often indirectly, when entering data into a forecasting module), there is more chance of both data corruption and malware being imported into the system.

As well as supporting the group to assess the data it holds, treasurers also need to understand the data they are responsible for within their own departments. Fundamentally, data falls into three categories: financial information held within the department, information collated from sources not directly under treasury control or from sources outside treasury responsibility, and communications with third parties, including banks, suppliers and customers.

Just as the group cybersecurity management team should identify all the data the company holds, so the treasurer should also perform a similar exercise at department level. The first step should be to understand both the type of data held and used and the systems through which that data passes.

■ Internal systems
There are a number of areas where internal systems represent a cybersecurity risk. In most cases, these are internal systems which are used to inform decisions, manage positions and reconcile transactions, and include treasury management systems, electronic banking systems, ERP systems and spreadsheets. Such systems vary significantly regarding their functionality, with some able to initiate and authorize a range of activities, including payments and investments, whereas others are primarily data repositories used to record activity.

Data can be stored within some or all of these systems and might include information such as bank account balances, payment information, ledger entries and standard settlement instructions. There are two risks: first, that this data can become corrupted either as a result of deliberate action or because of a failure in the underlying software or user error. The challenge will then be to restore data, which will take at least some time and resource, depending on the
nature of the breach, how long it has been between the breach and its discovery, and the type of backup services available from which to perform a restoration.

The second risk is that the company may have been operating with misleading data. In a worst-case scenario this might result in the company being unable to meet its obligations, entering into unhelpful hedging transactions, or simply having cash in the wrong place.

Where data is collated from outside the treasury department, perhaps for cash positioning purposes, this may require individuals within the operating companies to have access to the treasury management platform. Controls should be in place in two key areas: first, operating companies should only have access to as much of the system as is necessary for them to perform their task. Second, any entered data should be subject to a reality check, so that data is interrogated on its merits (for example, an entry well outside the range of previous periods should be queried before it feeds a forecast).

Treasurers will also want to be wary when using spreadsheets, especially when they are used for payments as well as forecasting. Spreadsheets are inherently less secure than treasury management and ERP systems: they lack those systems’ access controls, audit trails and segregation of duties. Password protection helps only if it actually encrypts the file; the sheet and workbook protection offered by common spreadsheet products is not encryption and is easily removed. Data can also become corrupted more easily, both within the spreadsheet and when data has to be entered into the accounting and other management software.

■ Communication along the supply chain
Supply chain finance solutions represent a significant risk, due to the widening scope of individuals and entities having access to a platform. Although any such scheme should include proper due diligence before it becomes operational and before entities are accepted into the program, and should incorporate good levels of control once in place, the treasurer of the company financing the scheme will not have the same audit access over the third parties which might be in place for group liquidity management structures.

■ Communication with banks
Although the controls are usually well established and good, there are risks associated with mobile data, in particular, and banks themselves are constantly being bombarded by hackers. All communications with banks are already subject to high-level controls, with SWIFT messages, for example, encrypted in flight. Most companies put in place good protections so that different individuals are responsible for initiating and then authorizing payments, for example. Access to systems is controlled via a range of different protocols, including the use of personal identifiers and activity limits embedded in the system.

However, because of the level of protection offered in this environment, there is a risk of complacency. All protections can be breached, and treasurers will want to work to ensure that their internal protocols (such as their password policy and individual limits) remain relevant. This is particularly important after a change in personnel, to ensure previous permissions are canceled and that limits are set appropriate to new hires’ expertise and experience.

■ The use of outsourced services
Treasurers will be concerned about the activities outsourced to third parties. These activities include investment management, especially the use of specialty fund managers, and the use of software solutions provided as Software as a Service (SaaS). SaaS has data and systems hosted remotely, so that companies must have a dedicated method of communicating with the systems. While some companies choose to host their treasury management systems on site, vendors are seeing increased demand for offsite hosting on the vendor’s own servers (or outsourced servers managed under license on the vendor’s behalf). Companies can choose to have a dedicated server at the vendor’s location, with access via a dedicated line or a VPN, or to share bandwidth and servers via a SaaS solution. The use of shared architecture does represent an additional risk which needs to be managed: a failure of isolation between tenants, or a compromise of the vendor itself, exposes every customer on the platform. This risk is magnified because of the value of transactions effected through the TMS.

As well as understanding the data for which the treasury department is responsible, the treasurer will also need to understand the system infrastructure and workflow, to minimize the risk of data corruption. Note that some data can feed straight into an ERP system, bypassing the treasury management platform. This might include
vendor payments, where the accounts payable system is run through the ERP system. In all cases, the treasurer must understand how the treasury management system, especially the forecasting modules, captures data from other systems and collates data entered by other group entities. Without this knowledge, there is a very real risk that forecasts and actual positions will be inaccurate, resulting in inefficient decision-making in the treasury department and in potential loss.
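The payment controls described in the treasury section above (different individuals initiating and authorizing a payment, per-user activity limits, beneficiaries matched against standard settlement instructions, and permissions canceled when someone leaves) can be enforced mechanically before a batch is released. The block below is an added example written for this guide; it is not code from the guide, from the AFP or from any treasury management system vendor. The user directory, limits, IBANs and payments are constructed, and the rule set is an assumption about what a pre-release check should cover.

```python
"""Payment release controls for a treasury workflow: maker/checker separation,
role entitlements, per-user activity limits, settlement-instruction matching and
rejection of leavers whose access was never revoked.

Added illustration for this guide; not code from the AFP/CTC guide or from any
treasury management system. Sample users, limits, IBANs and payments below are
constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class User:
    uid: str
    entitlements: frozenset          # subset of {"initiate", "approve"}
    limit: float                     # largest single payment this user may touch
    left_on: Optional[date] = None   # HR leaving date; None while employed


@dataclass(frozen=True)
class Payment:
    ref: str
    amount: float
    beneficiary_account: str
    maker: str       # user who initiated the payment
    checker: str     # user who authorized it


class ControlContext:
    """Directory of users plus the approved standard settlement instructions (SSIs)."""

    def __init__(self, users, approved_ssis, today):
        self.users = {u.uid: u for u in users}
        self.approved_ssis = frozenset(approved_ssis)
        self.today = today

    def is_active(self, uid):
        u = self.users.get(uid)
        return u is not None and (u.left_on is None or u.left_on > self.today)


def release_checks(p, ctx):
    """Return the list of control failures for one payment; an empty list means release."""
    failures = []
    steps = ((p.maker, "maker", "initiate"), (p.checker, "checker", "approve"))
    for uid, step, needed in steps:
        u = ctx.users.get(uid)
        if u is None:
            failures.append(f"{step} {uid}: unknown user")
            continue
        if not ctx.is_active(uid):
            # A leaver who can still act is the credential-revocation gap the guide warns about.
            failures.append(f"{step} {uid}: left on {u.left_on.isoformat()} but still has access")
        if needed not in u.entitlements:
            failures.append(f"{step} {uid}: lacks '{needed}' entitlement")
        if p.amount > u.limit:
            failures.append(f"{step} {uid}: amount {p.amount:.2f} exceeds limit {u.limit:.2f}")
    if p.maker == p.checker:
        failures.append("maker and checker are the same user (no segregation of duties)")
    if p.amount <= 0:
        failures.append("non-positive amount")
    if p.beneficiary_account not in ctx.approved_ssis:
        failures.append(f"beneficiary {p.beneficiary_account} not in approved settlement instructions")
    return failures


def screen_batch(payments, ctx):
    """Map each payment reference to its failures, so a batch can be split into release/hold."""
    return {p.ref: release_checks(p, ctx) for p in payments}


# Constructed sample: one leaver (carol) whose account was never disabled.
SAMPLE_USERS = [
    User("alice", frozenset({"initiate"}), 100_000.0),
    User("bob", frozenset({"approve"}), 250_000.0),
    User("carol", frozenset({"initiate", "approve"}), 50_000.0, left_on=date(2015, 3, 31)),
]
SAMPLE_SSIS = ["GB29NWBK60161331926819", "DE89370400440532013000"]
SAMPLE_CTX = ControlContext(SAMPLE_USERS, SAMPLE_SSIS, today=date(2015, 6, 1))
SAMPLE_PAYMENTS = [
    Payment("P1", 75_000.0, "GB29NWBK60161331926819", maker="alice", checker="bob"),
    Payment("P2", 75_000.0, "GB29NWBK60161331926819", maker="alice", checker="alice"),
    Payment("P3", 30_000.0, "DE89370400440532013000", maker="carol", checker="bob"),
    Payment("P4", 300_000.0, "GB29NWBK60161331926819", maker="alice", checker="bob"),
    Payment("P5", 10_000.0, "FR7630006000011234567890189", maker="alice", checker="bob"),
]

if __name__ == "__main__":
    for ref, failures in screen_batch(SAMPLE_PAYMENTS, SAMPLE_CTX).items():
        print(ref, "RELEASE" if not failures else "HOLD: " + "; ".join(failures))
```

Each failure is reported separately so that a held payment can be traced to the control that caught it. The leaver check is keyed on the HR leaving date rather than on whether the account still exists, which is precisely the gap left when credentials are not canceled on departure; in a real deployment the directory and SSI list would be read from the HR system and the TMS rather than constructed inline.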

Having a clear understanding of data

A process of establishing the full scope of data for which the company is responsible is essential in developing a cybersecurity policy. Without this understanding, the policy will be too limited in scope and will result in insufficient protections being implemented. More importantly, it could result in significant and serious loss, in the event of the inevitable cyberbreach.

Evaluating Cyberrisk

Having identified the full range of data, information and processes which are at risk, and the likely implications for the company should that data be corrupted, stolen or lost, the next step is to evaluate the actual value of the assets and the potential liabilities to the company.

Raj Bector, Partner at Oliver Wyman: “There are a number of different techniques available to value the data held by the company with the results expressed in a number of different ways: for example, as revenue or shareholder value, or in terms of goodwill. However the calculation is made, the aim of the valuation is to identify the core assets which need protection.”

Value assets and potential liabilities

The rationale for companies to identify all the assets they hold was discussed in the previous section. Naturally, the precise nature of these assets will vary significantly from company to company. The most common variations will be a function of corporate structure (where the company operates, where the company makes its decisions – centrally or locally – and the number of countries in which it operates) and the nature of the company’s activities (mining companies will hold different data from pharmaceuticals, retail companies will hold different data from professional services companies).

The next step is to place a value on all these assets and work to understand the extent of any liabilities, should a breach occur. It is just as important to understand the extent of any liabilities should anything go wrong. Again, the extent of liabilities will vary quite significantly, depending on the nature of a company’s activities and its customers and also the location of those customers. Insurance premiums to cover cyberrisk are highest in North America, especially the USA, because of the relatively high level of liability cover required.

The objective of this process is to be able to set a value for each set of assets at risk so that the team can prioritize its protection spend.[1]

Why value assets?

The purpose of placing a value on assets is to try to identify the business-critical data. This will not necessarily be core financial data or management information, especially in a publicly listed company. Although access to this data may give competitors an insight into the company’s operations (and give them an advantage when bidding for new contracts), it should not result in the company’s demise, even if it takes some time to restore any lost or corrupted data.

Instead, business-critical data is most likely to be intellectual property. Again, this will vary significantly, depending on the nature of the company’s activities: it could be a pharmaceutical company’s formulae; an automobile maker’s manufacturing processes; or methodologies, in the case of business services companies. First, the company needs to understand fully where this business-critical data is located, who has access to it, and how and when it is transferred both within the group and to external parties.

The next stage is to try to quantify what would happen after different types of security event. These could include a simple loss of data (by deletion), a corruption of data (either by accident or on purpose), or the theft and onward sale or publication of data. Results can range from a short-term loss of production until activities can recommence, to the production of sub-standard items as a result of corrupted data (and the need to replace these goods), to the long-term failure of the company as competitors are able to undercut the company using the original plans.

The final stage is then to value these assets, so that a clear view of the most valuable assets can be developed. The treasurer’s expertise here is crucial, given the importance of valuing financial assets from a treasury perspective. Note that the valuation processes should consider both immediate losses and any consequent loss of sales and future sales. This can be difficult to

[1] This value-based approach is explored in a paper written by David X Martin and Raj Bector of Oliver Wyman. It can be found here: www.olive‑wyman.com/insights/publications/2014/jul/a-new-approach-to-cybersecurity.html.
CTC GUIDE: Cybersecurity: Setting a Cyberrisk Management Strategy

determine, partly because the consequential loss is easily identified, such as a result of the introduction of
difficult to evaluate. malware via the opening of a phishing email. However,
The treasurer has to identify the best way to value the in the case of a sophisticated attack from a third party,
assets to the company as a whole. There are a number of it may be much more difficult and time-consuming
choices: to identify the source of the breach and the extent
■■ Value assets by the revenue they contribute to the of the damage. Where data is corrupted or deleted,
company as a whole. there will be the cost of examining remaining data for
■■ Value assets by their contribution to overall
completeness and accuracy, and the cost of restoring or
shareholder value. re-creating the data.
■■ Value assets, at least in part, by their contribution to
Using the analysis outlined in the previous section,
goodwill. companies need to assess what could happen in the event
■■ Value assets from an opportunity cost perspective by
of a data breach. The most commonly reported breaches
calculating the resource required to replace or repair are associated with the sale or publication of stolen credit
any lost or corrupted data. card details and other personal information. Depending
The primary objective of this exercise is to be able on the circumstances, these can be high-profile events,
to prioritize the assets which need protection. It will especially if the affected company is a household name.
also provide additional information to the group’s The reputation risk associated with such a breach will
management if the process highlights some errors in be magnified by the nature of customers’ data held. The
assumptions underpinning corporate strategy, especially
loss of credit card data can be compounded by the loss of
if it leads to surprising results.
more personal information, such as medical histories.
Why calculate potential liabilities? There are major costs associated with serious data
As well as getting a better understanding of the value breaches such as these, in addition to any internal
of core assets, companies also need to identify the management cost. These costs can include regulatory
costs which may arise after a cybersecurity breach so a fines and a requirement to pay compensation. In some
company can decide how best to cover such an event. cases, affected individuals may take legal action and, if
In the event of any security breach, there will be successful, may be awarded significant damages.
a degree of additional cost. Companies will want to As with the valuation exercise, the object is to identify
find out what has happened and to identify, where the potential costs associated with a breach, so that a
possible, what actions to take to prevent a similar company can decide how best to manage the risk of
event. This may be straightforward if the source can be such events.

Return
to
Contents
www.AFPonline.org ©2015 Association for Financial Professionals, Inc. All Rights Reserved 10
Managing Cyberrisk
Once the company has valued its assets and identified potential liabilities at risk in the event of a breach, the final step is to manage these risks. The primary assumptions are that it is impossible to protect all assets at all times, and that all organizations will be subject to attacks at some point. These assumptions imply that some attacks will be successful. So, when setting a cyberrisk management policy, there should be three components: ensure the important data is protected; insure liabilities where appropriate; and put a response policy in place, to be activated in the event of breach.

The art of the possible
It would be a mistake simply to try to identify pressure points in the company’s systems and then build a series of firewalls and other technologies to protect the system. In today’s interconnected world, companies need to be able to communicate with group entities around the world: banks, suppliers and customers, as well as other third parties such as software vendors. The implementation of restrictions on communication might prevent some of the most serious attacks, but it may also act to restrict necessary communications. Too many barriers in any area will result in inefficiency and lost sales.

Any cybersecurity strategy represents a compromise between the need to have open communications with third parties, and the ability to prevent cyberbreaches. As with any corporate decision, the line between these two conflicting requirements can be drawn using a cost-benefit analysis. The exercise in the previous section should help companies develop a clearer understanding of the costs, or opportunity costs, of a security breach. The challenge in this final stage is to identify solutions to manage the risk, the costs of which reflect the potential risk to the company. As a result, companies have to decide whether to accept the risk, and then manage it, or to transfer the risk, typically by the purchase of some form of insurance.

However, it is important to reflect on the much wider definition of data at risk indicated in the earlier section to try to prioritize where any investment in protection is necessary. Realistically, all assets cannot be protected, except in very special circumstances. Companies need to ask themselves whether it really matters if a database of backed-up financial records is accessed, or whether it is more important to protect fundamental intellectual property and customers’ personal and sensitive data. Most companies will need to choose to protect the assets they value the most (or the assets which, if lost or made public, could give rise to the greatest level of liability).

From a treasury perspective, this means allowing innovation which improves internal efficiency via the efficient sharing of data, the centralization of decision-making and the straight-through processing of information, while recognizing that these very innovations expose companies to cyberrisk much more than was ever the case. For instance, the electronic banking communication system is no longer a standalone terminal behind a locked door. Today, electronic banking solutions are theoretically accessible from any computer with internet access – effectively not just the installed computers in the treasury group office, but also the tablet computers and cell phones used by employees during working hours and at home.

Protect the most valuable assets
Given this approach, the company should aim to prioritize any spend on protecting the most valuable assets. Given the expectation that all organizations will be subject to attack and that a breach is likely, it is usually not possible to cover every potential area of breach sufficiently, while retaining the ability to continue to do business. The cost of trying to protect all elements is likely to be both too expensive and too resource intensive, in terms of overbearing controls. The objective therefore should be to focus time, resource and cash on protecting the most business-sensitive data.

Audit
Most companies will have some measures already in place to protect sensitive data. An audit of existing processes will identify any weaknesses and gaps. In addition, the exercises illustrated in the earlier parts of this guide may identify a number of areas where there is limited or no protection in place.

Where appropriate measures are in place, the company will also need to determine whether they are being followed consistently, whether there are any gaps in these processes, and whether any systems should be upgraded or controls tightened.

Controls
Controls should aim to limit access to specific data and systems. The risk of breach increases with the number of individuals who have access to that information.

A key principle in managing cybersecurity is that data should only be shared on a need-to-know basis. This can be difficult to determine, but it is possible to restrict access to specific data to individuals in-house and by entity when information is shared outside the group or group headquarters. For example, a technology company manufacturing in China will only give enough information to the outsourced supplier to ensure it can fulfill the contract. This might simply be enough information to assemble the detailed component parts, without any detail regarding how to manufacture the underlying instrument. The company will not unnecessarily provide any information regarding any other element, such as the design, which represents a much greater risk to the company. Here the company values the IP surrounding the design much more than the IP surrounding the assembly.

Raj Bector, Oliver Wyman: ‘Information should be shared on a need-to-know basis. Generally when information is being disseminated internally, it is appropriate to designate controls by individual. When information is being disseminated up and down the supply chain, it is appropriate to designate controls by entity.’

There also needs to be clearer definitions of when information is shared outside the organization and how this information is disseminated. Controls should be in place covering the sending of data both within and outside the organization. These controls should be relevant to the data being shared so that, for example, controls on the sharing of intellectual property or the transmission of payments will be different from those covering email. Controls must also be consistent across the organization, with some policies adopted group-wide. If one staff member opens a phishing email, this can result in data corruption across the whole organization.

Scope of information security controls
ISO 27002 is an international standard describing best practice in terms of the use of controls to manage information security. The standard sets out a series of controls which good practice suggests companies should follow. These include:

■ Organization of information security
  The security policy should have clear protocols for the segregation of duties, and controls for the use of mobile/portable devices and for remote working.

■ Human resources security
  The security policy should start before a new employee joins an organization with, for example, references being taken up. All new and current employees should receive regular and relevant training. On cessation of employment, credentials should be canceled and other security measures, such as passwords, changed.

■ Information asset management
  Wherever possible, named individuals should have responsibility for managing data assets. There should be clear policies on how data is handled.

■ Access to information
  The security policy should manage access to as much information as possible. Access should be determined by business requirements: suppliers should only be given sufficient information to deliver their contracts. Within the organization, access rights and responsibilities should be given to individuals according to their role and expertise. When someone leaves, their responsibilities should not be automatically transferred to someone else. Systems should be used to manage these access rights wherever possible.
■ Encryption and authentication
  The security policy should set out when data should be encrypted and how information can be authenticated via the use of digital signatures and certificates.

■ Physical control of systems and use of devices
  Access to systems should be controlled within buildings so that, for example, visitors are not able to enter facilities without being accompanied. There should be some physical backup of data and systems in the event of a fire or other such event.

■ Operational management
  There should be a series of policies and procedures covering the operational issues. These should cover:
  — training over risks from malware (these might cover how to recognize phishing emails, and whether independent storage systems such as USB pen drives can be used);
  — how and when backups should be made and how they should be stored;
  — how individual activities can be audited, including the use of log-ons/offs;
  — how faults should be dealt with;
  — who has responsibility for updating software; and
  — how administrators’ rights and activities should be controlled and monitored.

■ Network security and controls
  There should be a clear policy on how data should be transferred to third parties. This should include the implementation of non-disclosure agreements or contracts before any data is transferred to suppliers or other third parties.

■ Responsibilities after a security event
  These should be set out clearly so that named individuals know how to respond when a security event takes place.

■ Business continuity plans
  Cybersecurity should be part of a group-wide business continuity plan.

■ Compliance with legal and contractual obligations
  The policy should recognize any legal and contractual obligations, and processes should be in place to ensure compliance. For example, this will include the obligation to protect any third party’s intellectual property and to register with any relevant regulators.

■ Audit and management reporting
  Finally, there should be a regular audit of the company’s security systems.

Processes
The next stage in the protection of data is to assess whether any existing processes or procedures need to be changed. Companies will want to review the following activities:
■ capture of data (e.g. credit card data);
■ storage of data (e.g. latest protocols);
■ communications with banks;
■ communications with internal group companies, especially those in other countries; and
■ communications with other third parties (e.g. software vendors, suppliers, customers).

Before making any decisions, the treasurer should help to assess the costs and benefits of making any changes.

Core treasury controls
There are a number of controls which treasurers should have in place within their departments.

■ Make sure inbound and outbound data flows are free from tampering
  When adopting a new technology solution, security is an important consideration. External communications have developed very fast over recent years. All treasury management systems produce tamper-proof XML messages with the use of digital signatures and encryption.

Paul Bramwell, SVP, Treasury solutions, SunGard’s corporate liquidity business: “The real challenge for corporate treasurers is to understand the workflows built within their system and to use them as much as possible. This means knowing the formats in which files are prepared, how to ensure messages have not been tampered with and who has access to the detail within the messages.”
■ Ensure appropriate segregation of duties
  Ultimately the key is to implement an appropriate segregation of duties, with individuals only authorized to act up to levels determined by their own competence. Most systems have multiple ways to guarantee a segregation of duties. A security map will show who has access to particular information. Systems can also tier workflow approvals, depending on the size and complexity of a deal.
  However, in small (or shrinking) departments, this can be difficult to achieve. It may be necessary to pull people in from elsewhere to support segregation, such that payments or investment deals are routed through the CFO. However, this only works if the additional personnel understand the processes. It is useless and represents an additional risk if individuals asked to approve decisions are not sufficiently aware of the underlying processes. A key risk is that systems administrators also make payments because of inadequate segregation of duties.

■ Reconcile activities regularly and frequently
  It is not always possible to reconcile all payments every day. However, weekly reconciliations should pick up big errors very easily.

■ Manage outsourcing arrangements effectively
  Activities can be outsourced to third parties, but this works best when it is the processing of relatively manual activities which is outsourced. Treasury participation is primarily when the parameters of the outsourcing agreement are set and then to manage exceptions once the system is operational.

Ultimately, treasurers need to implement the controls suggested by their banks and treasury technology suppliers. In the USA, UCC4A states that if a company follows a bank’s requirements and there is a loss, then the bank has to take responsibility. In Europe, the Payment Services Directive contains similar conditions, although it is less beneficial for companies.

Brian Welch, Director at the UserCare Treasury Consultancy: “There are three keys to managing cyberrisk when processing payments. First, implement the security controls suggested by your banks and technology vendors. Second, regulations including the US UCC4A and the Payment Services Directive provide a degree of protection should things go wrong. Third, identify as quickly as possible if a payment goes astray. A missing large payment will be identified quickly. Smaller ones should be picked up in the reconciliation process.”

Using mobile technology to manage treasury activities
There is increasing interest in mobile technology to manage treasury activities. Some applications are fine but they are, by design, limited. As with other activities, the protocols for the use of mobile technology within the organization and within the department need to be clearly established. There are a number of key questions which need to be addressed:
■ What happens if supporting data or documentation is required to make a decision? It may be appropriate to acknowledge receipt of a request for the approval of a transaction and then return to the office to determine the approval.
■ Are mobile technologies secure? It is vital that devices cannot be compromised if they are to be used to communicate key decisions. For example, it may be appropriate to use a mobile device if the treasurer is onsite but in meetings and connected to the virtual private network. The use of public wi-fi is much less secure.
■ What happens if people lose their phone? What data is held on the machine? Are credentials held on the machine?

Review
As part of the ongoing cyberrisk management strategy, the company should regularly review all processes for effectiveness and make sure they are audited for compliance.

There should be a committee or group responsible to the board for the management of cyberrisk. It needs to be tasked with continuous improvement, as the nature and extent of cyberrisk changes with time.

Manage the remainder
The purchase of cyberinsurance has increased over recent years. Insurers have seen significant increases in the number of companies reviewing cyberinsurance, the number of new buyers of cyberinsurance and an increase in the volume of coverage being purchased by both.

Before purchasing any insurance, the treasurer should help the company understand what insurance is already in place, and carry out a coverage gap analysis. If the company does not have an enterprise-wide risk management committee, the cybersecurity committee needs to identify who else manages risk. The key is to communicate effectively across departments.

With knowledge of where coverage gaps are, companies can then identify where they might want to purchase insurance. As with other insurance, the purchase of cyberinsurance is essentially a cost-benefit decision. The valuations described in the previous section can be used to determine whether the cost of premiums is appropriate for the value of assets and cost of liabilities being protected.

How can insurance help?
Insurance can provide protection against a number of cyber-related events, both first-party costs (those incurred by the affected party directly) and third-party costs (liabilities arising from the impact on customers and suppliers of the affected party).

In terms of first-party costs, insurance can provide cover for the cost of re-creating data and restoring systems to a serviceable state. It can also cover the cost of responding to a cyber event. These costs can include the cost of identifying the source and extent of the breach, the cost of notifying the appropriate authorities and third parties, and costs associated with public relations and communications management. This may include the cost of appointing legal representation to communicate with regulators, or advisors to help navigate regulatory compliance. For example, there are US federal and state laws requiring certain actions in the event of a breach. In California, the breach notification statute requires an affected company to inform people of a data breach and to make an offer of compensation. Finally, some policies may also provide cover for a loss of income and increased operating expenses in the event of a technology failure.

In terms of third-party costs, insurance can cover a wide range of liabilities. Typically, liability coverage is limited to providing a defense to any alleged claims of harm, and indemnification for damages or loss for which the policyholder is legally liable. Cyberinsurance provides typical liability coverage, but cover needs to go beyond this, to capture expenses that are not directly tied to a claim or are incurred prior to the allegation of a claim. Such expenses can include privacy liability (which can be significant in the case of data which identifies individuals) and the costs of any regulatory fines and victim compensation, any data breach at another party arising as a result of the affected party’s data breach (e.g. compromise of a supply chain database which includes supplier details as a result of a virus affecting network security), and other liabilities. Where a breach occurs at an outsourced partner (e.g. data is lost by a cloud vendor), the policy will respond as if the breach had taken place at the policyholder’s premises.

Robert Parisi, FINPRO Cyber & Technology Product Lead, Marsh: “You can manage risks in a number of ways: by policy and procedures, through the use of technology and by purchasing insurance. Insurance is for that residual risk where additional policy or procedures would not prevent or mitigate the risks.”

How is cyberrisk insurance underwritten?
Although there has been a significant increase in underwriting scrutiny of cyber policies over recent years, the model remains fairly rudimentary, with only a relatively small number of counterparties.

Before entering into an insurance contract, the underwriters will want to make an assessment of the company’s cyberrisk management policies and procedures. The underwriters will spend some time assessing the controls in place at the company. The assessment focuses on cybersecurity from a governance or policy and procedure perspective, rather than an investigation or verification of implementation. The company will be required to maintain a similar or equivalent level of these controls, taking into consideration the changing and evolving threat environment. At this stage, most companies have appropriate controls; few are outstanding across all areas, and few are weak across the board.

In particular, underwriters and regulators will want controls to cover the encryption of data, especially sensitive financial data in flight, data on mobile and portable devices, and on backup systems. Policies should be clearly defined, with individuals clearly responsible for specific actions. These policies should be supported by regular training of both current and new employees.

Underwriters may help with the quantification process described in the previous section, and will be able to explain some of the potential liabilities in the event of loss. From the company’s perspective, the purpose should be to try to understand what coverage is in place already, if any, how much additional coverage is required, and whether the premium is aligned with the risk. Although coverage applies globally, the location where most business is done (and therefore whose data is held and what regulations are most likely to come into play in the event of a breach) will make a significant difference in the level of the premium.

Policy in the event of breach
The final element of any cybersecurity policy is to determine how to react in the event of breach. It is likely that a company will be subject to some form of attack at some point during the year. The measures in place above should help to minimize the risk that any attacks will result in breach. However, it is possible that a breach will occur, so prudent planning requires a policy and set of procedures to be in place.

Crisis response plan
As discussed, it remains likely that all companies will experience a cybersecurity breach at some point in the future, although the costs to affected companies will vary significantly.

The purpose of a crisis response plan is to minimize the impact of a breach, in both the short and long term. Despite this, many companies have yet to adopt even a basic crisis response plan. The 2015 AFP Risk Survey found that 60% of companies do ‘not have a clear, documented mechanism to respond to a cyberbreach event’. Although the development of a plan will be specific to each organization, frameworks are available from a number of institutions, including the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO, see page 12). These could be used as a basis for a new plan. Each crisis response plan should include the following elements:

■ Adopt a crisis plan
  Having even a rudimentary crisis response plan will help the company adopt a more coordinated approach. Where companies have crisis response plans, they are often integrated into their disaster recovery and business continuity plans.

■ Manage communications
  Once a cybersecurity breach has been discovered, the company needs to manage its communications, both internally and externally (including with law enforcement agencies and regulators). The crisis response plan should state individual responsibilities for managing communications and determine what information is shared. It should also set out, step by step, who should be called, and when. It should state clearly which organization should be called first: this could be law enforcement or another government authority.

■ Analyze the breach
  — How was the event uncovered?
  — Who and what caused the breach?
  — How long has it been operational?
  — How has data been affected? Has data been corrupted, stolen or lost? If so, whose data has been affected?
  — How does the data breach affect the ongoing operations of the business? Can business operations continue as normal?

■ Manage the immediate consequences
  Relationships with affected customers, suppliers and other parties need to be managed. Regulatory requirements must be met. This may involve the payment of compensation. The company may also need to manage public relations, if the breach is high-profile.

■ Improve
  The company must have a process which allows it to learn from its mistakes. This may involve implementing additional training.

■ Review
  Finally, the company should regularly review and test its crisis response plan.

The crisis response strategy needs to sit within a broader business continuity plan. This will deal with the longer-term consequences: lawsuits, fines, reputational impact and loss of income. It is important to understand the role of business continuity plans. Enterprise risk management requires the company to understand its risk appetite and to take appropriate action to either accept or transfer the risk, or to change behavior. Business continuity plans should be designed to help the company plan for, and respond to, incidents and business disruptions, so that the company can continue to operate at a predetermined level. Within this level of planning, disaster recovery plans help companies recover immediately and have access to critical infrastructure in the short term. Insurance may compensate for some of the costs associated with such events, but it cannot ensure operational continuity.

Martin Eggleton, Director, Moas Consulting Ltd: “The key to a successful business continuity plan is to overcome complacency. This means understanding the gaps between what the management thinks they have, what the company actually has and what they need.”
Conclusion
As the question of how best to manage cybersecurity advances up the corporate agenda, treasurers can play a valuable role in helping to prioritize their company’s responses.

This guide has outlined a three-stage approach to implementing a cybersecurity management policy. The first step is to work to understand the nature of the data which is at risk. This requires companies to understand where cyberthreats are most likely to come from: fraud and error perpetrated by current employees remain the most common source of threat. Companies also need to understand fully the scope of data and information they hold, and how any compromise of security may lead to financial loss.

Once the company has a clear view of the data it holds, the next step is to value this data and assess the potential liabilities in the event of loss.

With an understanding of the most valuable pieces of data, the final stage is to establish a security management policy. This should involve putting in place systems and controls to protect the most valuable assets and using insurance to protect the company against the consequences of data loss or corruption. Finally, companies should expect data breaches from time to time. Companies should have a crisis response plan to help minimize the impact of any data breaches.
CTC GUIDE: Cybersecurity: Setting a Cyberrisk Management Strategy

Checklist for Identifying Assets


All organizations hold a range of data. This checklist is designed to help the cybersecurity management team identify the full range of assets to be valued and how any loss or corruption of that data could affect the organization. Note that the precise nature of assets will vary by industry and business, and certain assets will be more important in some industries than others.

Internal assets
■■ Human resources records
Companies have to hold a significant amount of highly sensitive human resources records. This can include personal information, including health records and performance information. Loss of human resources records can result in significant embarrassment for the company and the requirement to pay restorative damages.
■■ Customer data
All companies hold a degree of customer data, the nature of which is determined by the type of industry in which the company operates. Companies in the retail industry are more likely to hold individuals’ credit card and other personal data (such as addresses). Some companies may hold more personal data, such as medical records, on behalf of their customers. Others may hold their customers’ intellectual property, if they produce product on a subcontracted basis. Others may hold data of a classified nature, if they are a supplier to a government, for example. In each case, there are potentially serious consequences in the event of a security breach, not least to the company’s reputation and, therefore, its ability to do repeat business.
■■ Intellectual property
One of a company’s core data sets is its intellectual property. This varies according to the nature of the company’s activities, but is likely to include formulae, blueprints, production processes and techniques, and methodologies. The very real risk here is that any acquisition of this data by competitors will allow them to erode any competitive advantage the company might have, threatening the long-term future of the business. In some industries, the loss of IP can also result in additional security problems, whether on a hardware basis (such as in the military goods industry) or a software basis, where the lost IP is in the form of code.
■■ Negotiating positions
If a company’s negotiating positions before or during a tender or renewal process are disclosed, other parties can benefit to the detriment of the company. Third parties may be able to undercut a tender price. A company awarding a contract may be able to negotiate down to the other company’s red lines, reducing its profitability.
■■ Strategy documents
The leak of strategy documents can help third parties to counter and even anticipate key future developments by the company. For example, a third party may bring a product launch forward to disrupt marketing plans, it may purchase real estate or open a new outlet in an area it becomes aware is of interest to the other company, or it may enter into negotiations with target acquisitions to disrupt future expansion of the third party.
■■ Internal email and other messages
Much of the above information needs to be shared by different parties within the organization. For example, much of the group’s intellectual property will need to be shared between research and development and the group’s various production facilities. Negotiating positions will be shared with the negotiating team as well as senior figures within the organization. The transmission of this information between interested parties is a separate cyberrisk, as there is the risk of information being shared outside the approved group or of messages being lost or corrupted. One of the big challenges is to ensure messages are noted, understood and, where necessary, acted upon by the required recipients. Delays in the receipt of messages (perhaps when a key player is out of the office visiting group locations around the world) can result in problems.

Treasury-specific assets
■■ Financial positions
Companies hold a lot of sensitive financial positions, including payment records, bank account information and tax information. Companies rely on this information to manage their businesses efficiently and to ensure cash is available to business units to fund activities, including expansion. The loss or corruption of this data can make decision-making more difficult until the data can be restored in a verifiably accurate way. Second, some financial information can be embarrassing when made public. For example, recent allegations of multinational corporations taking advantage of tax-efficient structures to minimize their liability to corporation tax have been well publicized and have caused some reputational damage to the companies concerned. Although the amount of tax paid is a matter of public record, the calculations and filings on which it is based are not.
■■ Payment initiations and approvals
All companies must have processes to initiate and approve payment instructions. The use of technology and the centralization of decision-making together mean that increasingly these activities are performed electronically. This requires communications, often via the internet, and may include remote access for individuals to approve payments. The risk is that these protocols are breached, allowing payments to be approved by non-authorized individuals or to be changed before the instructions are submitted to the bank. In addition, there is a risk that reconciliations may also be affected through a similar breach, the primary risk being that a fraudulent transaction is falsely reconciled and therefore not identified during regular audit activity.
■■ In-house treasury structures
Any in-house treasury structures rely on the communication of data between group entities. In most cases, the structures are operated by banks which hold bank accounts in the name of different group entities. However, it is possible for companies to operate in-house banking structures where the group treasury holds a bank account for the group as a whole, making disbursements and collecting payments on behalf of all group entities. In this scenario, group entities communicate with the group treasury directly, submitting transaction information for the treasury (or payment and collection factory) to process on their behalf. Any disruption to this communication can have significant consequences for the group as a whole.

External
Companies also have to be aware of the risk to data held outside or sent outside the company. The primary risks include:
■■ Intellectual property
Some outside parties will need to hold intellectual property owned by the company. For example, where activities are outsourced to a supplier, there must be a degree of information-sharing along the supply chain. Understanding the limit of what needs to be shared helps to reduce exposure to cyberrisk in an outsourced contract.
■■ Outsourced processes
Other outsourced processes can also be subject to cyberrisk. Ideally, activities will be outsourced on a service-level basis, such that the outsourcing partner will be able to operate within pre-agreed parameters.
■■ Data stored remotely and in the Cloud
After some high-profile examples of data stored in the Cloud being stolen or illegally accessed, companies will be concerned over the security of their data held outside their firewalls. Areas of concern include any remote backup of corporate systems. It is prudent to have a remote backup for business continuity purposes. However, the company will want to ensure that the location of the stored data is secure and that the method of transmitting data to this location is similarly secure.
■■ Payments
Companies are also sensitive about the security of payment instructions to both banks and suppliers. This will range from ensuring the authenticity of payment instructions, encrypting data in flight, and ensuring that settlement instructions are accurate and have not been compromised. Because of the speed of payment message transmission and the use of encryption, the risk of payment interception is less likely to cause loss than payment fraud. Companies should have appropriate reconciliation processes in place as an additional check.
■■ Misdirected communications
One of the easiest mistakes to make when sending email and other messages is to misdirect them, either by the use of inaccurate addresses or by copying in third parties. This can result in the loss of intellectual property, and other events illustrated above. Forwarding email messages can also result in data being inadvertently submitted to third parties. There are additional risks associated with the use of smartphones which can anticipate recipients, for example, and allow messages to be sent with minimal user involvement.
■■ Supply chain
Finally, in today’s environment, there is a much greater degree of information-sharing along supply chains. From a sales perspective, it makes sense to share information with a view to reducing uncertainty and therefore cost along the supply chain, allowing greater flexibility when setting the final price and providing for greater scope to compete in the marketplace. From a financing perspective, it makes sense for creditworthy companies to use their access to credit to finance suppliers and, in some cases, customers. All these developments mean it is important to share information along the supply chain. Companies need to ensure they only allow suppliers and customers access to the information they need to know. For financing solutions, companies need to be able to restrict access to ensure only individuals authorized to access platforms are able to do so, and that data entered can be authenticated.

About the Author

WWCP Limited

WWCP’s team of financial researchers, journalists and authors provides its WorldWideCountryProfiles service to banks, financial institutions and professional bodies. Purchasers use the individual country profiles, which are researched and written to their specification, for their customers and prospects, sales literature, their intranet and extranet sites and sales training. WWCP researches over 190 countries.

WWCP researches, authors and publishes authoritative Treasury Managers’ Handbooks for: Africa; the Americas (five editions); Asia/Pacific & Australasia; Central & Eastern Europe; Europe (five editions); Middle East and Scandinavia/Nordic/Baltic countries.

Publications also include a number of definitive WWCP-authored treasury guides: Best Practice and Terminology; with The ACT, Investing Cash Globally (four editions), International Cash Management and Trade Finance; and, with AFP, Treasury Technology and a series of treasury guides.

www.worldwidecountryprofiles.com  www.wwcp.net

Corporate Treasurers Council
The Corporate Treasurers Council is the executive-level membership of AFP. The CTC features
tailor-made products, events and exclusive networking opportunities all year long for treasury and
finance executives that address the latest industry insights, trends and best practices and will provide
guidance, practical tools and the validation needed to move forward in making critical decisions.
When you join AFP and have the title of corporate treasurer, assistant treasurer, chief financial
officer, vice president of finance or controller, you are automatically enrolled in the Corporate
Treasurers Council (CTC) and have access to CTC products and events.
For more information go to www.corporatetreasurers.org

About the Association for Financial Professionals

Headquartered outside Washington, D.C., the Association for Financial Professionals (AFP) is the professional society that represents finance executives globally. AFP established and administers the Certified Treasury Professional™ and Certified Corporate FP&A Professional™ credentials, which set standards of excellence in finance. The quarterly AFP Corporate Cash Indicators™ serve as a bellwether of economic growth. The AFP Annual Conference is the largest networking event for corporate finance professionals in the world.

AFP, Association for Financial Professionals, Certified Treasury Professional, and Certified Corporate Financial Planning & Analysis Professional are registered trademarks of the Association for Financial Professionals. © 2015 Association for Financial Professionals, Inc. All Rights Reserved.

General Inquiries AFP@AFPonline.org
Web Site www.AFPonline.org
Phone +1 301.907.2862