Cybersecurity: a robust response to the challenge

The modern world abounds with fast-growing opportunities for digital innovation. Businesses, governments and individuals have focused on its major benefits. Creating new markets and new products, understanding consumers or citizens better and finding different ways of connecting with them all offer enormous potential. This is part of the digital world, often referred to as “digitalisation” or the “Fourth Industrial Revolution (Industry 4.0)”.

Unfortunately, in the rush many precautions have been overlooked and risks underestimated. The realisation that there is a flip side, and that the digital world also offers great potential for exploitation by criminals and other undesirables, has come too late. In addition, complex, unintended consequences from the interconnectivity between people, organisations and “things” are starting to emerge.

Cybersecurity has to be considered among the most important factors when assessing the overall risk exposure of today’s automated and digitalised operations. The growing complexity of technical solutions further increases the challenges of keeping each IT landscape secure. Additionally, cybercrime offers big money to attackers with a relatively low risk of being caught.

All this has a significant impact on companies, their treasury departments and systems. As treasury has responsibility for cash and liquidity management, payments and dealing with financial instruments, it offers an obvious target for cybercriminals, who typically focus on the following:

• Static data: Changing standing settlement instructions (SSIs) for counterparty banks to initiate fraudulent actions.
• Transactional flows: Directly initiating payments or executing deals via electronic trading platforms and accessing online banking tools or SWIFT Access (as seen in last February’s attack on Bangladesh’s central bank via SWIFT).

Consequently, cyber-risk must be considered and treated in all phases of a treasury system’s value chain and lifecycle, such as design, development, testing, operation and decommissioning.

Based on experience and analysis of the current cyber threat landscape, EY identified the following trends:

• Cyberattacks have grown significantly in sophistication, persistence (on average attacks stay undetected for about 200 days according to the latest Federal Office for Information Security in Germany (BSI) study ‘The State of IT Security in Germany 2015’) and volume over the past years; a trend expected to continue.
• Attackers have started to focus on business processes, either in addition to or instead of technical vulnerabilities, to reach their goals.

The human factor often plays a vital role in successful cyberattacks – recently demonstrated by successful C-level fraud/‘spear-phishing’ attacks, where fake invoices with manipulated bank details purporting to come from a C-level executive are sent to individuals in finance departments. In several cases the invoices were paid, causing significant financial loss.

EY’s ‘Global Information Security Survey 2015’ revealed the following results:

– Thirty-six per cent of companies surveyed say that it is “unlikely” that their organisation would be able to detect a sophisticated attack.
– Fifty-three per cent of organisations say that lack of skilled resources is one of the main obstacles that challenge their information security.
– Across almost every cybersecurity process, between 35% and 45% of respondents admit there is “still a lot to improve”.
– Nearly two in three organisations lack well-defined and automated “identity and access management programs”, meaning the definition and management of access rights and implementation of segregation of duties.

These results underline the need for prompt action; particularly when access points are increasing due to new business models, digitalisation and complexity of systems. At the same time, the attack power of cybercriminals is growing and countermeasures – too often treated individually rather than holistically – are unable to keep up with the challenges.

In holistically addressing today’s cybersecurity challenges, a comprehensive assessment that incorporates people-, process- and technology-related aspects is a good starting point.

A popular approach in assessing environments with treasury or other financial systems often combines top-down activities (for example a questionnaire-based assessment) with bottom-up activities (technical verification, such as a red team exercise involving penetration testing).

By following this strategy, the resulting assessment offers feedback on the design effectiveness of a system or system landscape (leveraging a top-down approach – “was the system designed appropriately and is it fit for purpose?”) as well as the operational effectiveness (leveraging a bottom-up approach – “does this system actually work?”).

The approach usually provides a broad range of findings, including possible privilege escalation at the application, database and operating system levels, which enables an attacker to execute fraudulent payments and circumvent segregation of duties principles.

Case study

As part of a holistic cybersecurity assessment, an EY client – a major stock market-listed corporate – asked for their treasury IT landscape to be targeted. By leveraging several attack scenarios that exploited known vulnerabilities, targeting the heart of the organisation’s treasury management system (TMS) but also related systems and applications (including SWIFT connectivity and electronic trading platforms), the assessment team achieved the following:

• Accessing the majority of treasury application accounts (including administrator and super user accounts), which allowed the segregation of duties principle to be compromised.
• Accessing the technical database account of the TMS, which allowed not only direct raw access to system data, but also resulted in arbitrary access to online banking tools and bank accounts.
• Accessing the encryption keys used by the TMS to sign and encrypt orders, which allowed the confidentiality and integrity of order transfers (including payments, FX and interest rate deal confirmations) to be compromised.

The system reviewed – embedded in a wider treasury technology landscape and including SWIFT connectivity, deal confirmation matching and online banking tools – can be described as a “state-of-the-art”, fully-fledged TMS from a well-known vendor. It incorporates a range of security features, such as automated segregation of duties and logging.

The “attack” proved successful not due to any single technically driven vulnerability but due to a combination of weaknesses. These ultimately allowed a chained exploitation of the TMS and related interfaces, culminating in access to sensitive data and privileges, compromising the confidentiality and integrity of financial data – not only static data such as standing settlement instructions, but also transactional data such as bank account balances, payments and FX transactions.

Lessons learned

The various assessments led to the following recommendations, which are essential for an adequate cybersecurity posture in a treasury environment:

• Use strong passwords for all accounts and enforce password policy.
• Ensure adequate segregation of duties.
• Optimise the technical security of systems (e.g. system hardening).
• Ensure secure storage of encryption keys.
• Use strong encryption for the transmission channels between the TMS and its related systems/applications and other endpoints such as financial service providers and clients.
• Ensure the security of all involved systems in the access path – from workstations accessing the treasury system to other systems in the same domain as the TMS and its related systems and applications.
• Regularly carry out security assessments and penetration testing of all critical components.

A modern TMS should not be treated and protected as just a single system but as part of a complex network with many interconnections. A robust cybersecurity strategy not only addresses technical and organisational aspects within the company, but also the interfaces to partners, financial service providers and clients.

In concrete terms, this means the strategy cannot focus solely on making the lives of cyberattackers as difficult as possible; it should also focus on detecting attacks as soon as possible. This means companies – and in particular treasury organisations – should isolate any irregularities in their standard processes. This has implications for the organisational and operational setup, for which the following action plan is recommended:

• Apply the four-eyes principle (i.e. two individuals approve an action before it is taken) or even the six-eyes principle.
• Check TMS audit trail extracts regularly.
• Update the guiding principles of treasury policy regularly.
• Check user access to TMS and related systems/applications – especially when personnel in treasury and related areas with access to treasury-based technology leave the firm.
• Consult regularly with IT; especially when the organisation has outsourced treasury IT support to a third party.
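One way to automate the audit-trail and user-access checks from this action plan, as an added example that is not from the article or from any TMS vendor. The CSV layout, action codes, user names and leaver list are constructed assumptions; a real extract would need its own column mapping.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample extract; real TMS audit trails use vendor-specific layouts.
AUDIT_CSV = """timestamp,user,action,object,approver
2016-05-02T09:14:00,asmith,SSI_CHANGE,CP-BANK-017,bjones
2016-05-02T09:40:00,cdoe,SSI_CHANGE,CP-BANK-022,cdoe
2016-05-03T18:55:00,dlee,PAYMENT_RELEASE,PAY-88412,asmith
2016-05-04T11:05:00,sysadmin,SSI_CHANGE,CP-BANK-031,
2016-05-04T11:20:00,bjones,PAYMENT_RELEASE,PAY-88420,asmith
"""

# Constructed HR leaver list: user -> last working day.
LEAVERS = {"dlee": date(2016, 4, 30)}

# Hypothetical action codes that require a second approver (four-eyes principle).
FOUR_EYES_ACTIONS = {"SSI_CHANGE", "PAYMENT_RELEASE"}


def review_audit_trail(csv_text, leavers):
    """Return (timestamp, user, object, reason) for each irregular entry."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        user = row["user"].strip().lower()
        approver = (row["approver"] or "").strip().lower()
        reasons = []
        if row["action"] in FOUR_EYES_ACTIONS:
            if not approver:
                reasons.append("no approver recorded")
            elif approver == user:
                reasons.append("initiator approved own action")
        # Activity as initiator or approver after the account owner left the firm.
        for who in sorted({user, approver} - {""}):
            left = leavers.get(who)
            if left and ts.date() > left:
                reasons.append(f"account '{who}' active after leaving date")
        for reason in reasons:
            findings.append((row["timestamp"], user, row["object"], reason))
    return findings


if __name__ == "__main__":
    for finding in review_audit_trail(AUDIT_CSV, LEAVERS):
        print(" | ".join(finding))
```

Entries flagged here are candidates for manual follow-up, not proof of fraud; a missing approver on a system administrator account is exactly the kind of back-end irregularity that needs a second look.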

Conclusion

It is no longer a question of if a company will be successfully attacked, but when and how significant an attack will be.

Successful attacks underline the need to be aware that cybersecurity is not only an IT but also a people matter. Having a reliable TMS in place is insufficient, as attacks often come from inside the organisation: either from official internal parties such as employees or contractors, or from external hackers who gain access to the internal network. Treasurers should ensure there is a solid internal control framework and follow clear segregation of duties. As the latter can be challenging – especially for smaller treasury organisations – it’s sensible to liaise with back office or the controlling department to ensure that tasks are reasonably segregated.

However, the internal control framework should not be limited to standard treasury operations such as payments or FX transactions. It is crucial to consider back-end processes as well, and to challenge the controls and user rights of system administrators and superusers. Should treasury be in the process of evaluating a new TMS, cybersecurity should be a prominent agenda item. As mentioned, the interfaces are often critical and influence the decision towards either a highly integrated solution or a “best of breed” strategy, that is, picking a different system for each functionality and connecting them with interfaces.

Ultimately the whole organisation should be viewed in the “cyber” dimension and every area – including treasury as an integral and sensitive part – needs to be considered.
