“For the treasury function, what is scariest is the changing nature of cyberattacks,” says Alec Ross, author and senior advisor for innovation to recently-declared US presidential candidate Hillary Clinton, speaking Thursday at the EuroFinance International Cash & Treasury Management Conference in Miami.
Ross notes that cyberattacks are classified in three ways:
- Availability: The most obvious form of cyberattack; this makes it impossible for people to access a company’s website. Distributed denial-of-service (DDoS) attacks come within this category.
- Confidentiality: These attacks have plagued the treasury function more than any other over the years. In a confidentiality attack, an attacker gets inside a company’s network and extracts account information, personal data and other details.
- Integrity: These are attacks in which a hacker infiltrates a company’s system and actually manipulates the data.
An integrity attack is the most malignant form of cyberattack. For example, a hacker could get inside a bank and effectively manipulate the account holdings of every person or business in the system, thereby wiping out the ability to determine how much money each client has in their account.
Most treasury departments have not yet experienced these attacks, but Ross expects that is going to change. He sees those that have so far been spared falling victim over the next two or three years.
Ross notes that the 2012 cyberattack against Saudi Aramco, the world’s biggest corporate by market capitalisation, was an integrity attack. This attack resulted in the Saudi Arabian oil and gas giant being forced to write off its 30,000 computers and coming close to taking its oil rigs offline. The attack “essentially wiped out all of the data infrastructure at the world’s largest company,” explains Ross.
What Treasurers Can Do
Ross advises treasury departments to take action now to prepare themselves for these looming attacks. Four basic steps they can take are as follows:
- Get some cyber expertise on the board: The board of directors at every company should have at least one individual who really understands cybersecurity.
- Invest in cyberinsurance: Although it may be expensive, it is important for companies to purchase cyberinsurance to mitigate the financial losses that come from threats.
- Use offline backups: Most data backups at Fortune 500 companies are to the same internet-based systems that would be the source of the original attack. Thus the backups can also be hit. Ross recommends that treasurers have conversations with their chief innovation officers (CIOs) and chief technology officers (CTOs) to ensure that the company has invested in offline backups.
- Understand your own cybersecurity: Quite simply, just as treasurers need adequate financial skills to perform their job functions, they need to be knowledgeable about cybersecurity.
“In the same way in which everyone needs to be able to read a balance sheet, anyone who wants to continue to ascend in their career needs to understand the very basics of cybersecurity,” Ross concludes.
“If you run the treasury inside your company, you cannot just say that the CIO or the CTO is in charge of my data integrity, my system’s integrity and my trading system’s integrity. You need to spend time with that CIO, CTO or outside consultants and become sufficiently conversant in it – so that if there is a problem you can actually add value.”