The old adage “fool me once” rings especially true for treasury professionals facing the ever-growing risks of fraud and cybersecurity threats. The number of high-profile hacks reported in the media is increasing, and, when you consider that treasury typically handles the largest amounts of cash across an enterprise, as well as highly sensitive financial information, it’s no wonder treasury is on the front line against threats.
Internal fraud is a company’s greatest risk, but external fraud threats continue to grow, and their nature – from impersonation frauds to phishing and system breaches – is constantly changing.
As a first essential step, treasurers must work with IT, internal audit, banks and technology vendors to identify their vulnerabilities, whether in systems, processes, controls or in staff education. Organizational risks – local treasury management or finance functions that lack robust processes, controls and technology may be more vulnerable than a regional or global treasury center, for example – also must be reviewed.
Some of these vulnerabilities, particularly those that are infrastructure-related, cannot be addressed by treasury alone, although treasurers need to remain closely involved and make sure they remain a priority. In many cases, concerns over security and the need to dedicate specialist resources has prompted treasurers, with the support of IT, to outsource the management and hosting of their treasury technology infrastructure to specialist vendors.
Other aspects of fraud prevention remain firmly under treasury control, even if implementation relies on IT or bank support. This may include strengthening internal controls, such as user rights; segregating duties; adding four- and six-eye approvals on both transactions and data, such as counterparty settlement instructions. In addition, treasurers have a major role ensuring that employees have sufficient awareness and training in both company ethics and the changing external threats.
The piece that is often missing in treasurers’ operational risk management strategies is their lack of a robust fraud response plan. According to the Association of Certified Fraud Examiners’ 2016 Fraud study, the typical corporation loses five percent of revenues to fraud in a given year, with an average loss of $2.7m (http://www.acfe.com/rttn2016/about/executive-summary.aspx). Smaller businesses are equally susceptible to fraud and security breaches, and the financial impact can be far greater. Few, if any, corporations have not been targeted by fraudsters, whether internal or external: the question is only whether the fraud or security breach has yet been identified.
Treasury therefore need a clear, documented plan that makes immediate action possible, and with which employees are familiar. For example, if a fraudulent payment has been made, the quicker the bank can be contacted, the more likely the payment can be stopped. So who is the bank contact, is the contact number readily available, and what information will the contact need? What are the contingency plans if an actual or potential threat to the banking system is identified?
Every company is at risk of fraud or cybersecurity breach. Minimizing the risk with the right system-enforced processes and controls, maximizing awareness and acting fast are essential steps in combatting these risks.