One of the key issues treasuries face in the cyberrisk arena is verifying vendor payment information, according to the recent series of Corporate Treasurers Council Roundtables in the United States and Canada. At several roundtables, participants complained that fraudsters have tried to change the account number on outgoing vendor checks and EFTs.
“There are so many points of possible intrusion,” one treasurer said. “It could be a small change in routing information for a vendor in Mexico. You have to be vigilant and follow the process to confirm every change on the phone with the vendor and the bank.”
What can companies do to protect themselves?
- Education. The first line of defense is educating all employees on the types of fraud attempts. Several companies even require their employees to take tests (e.g., on what links not to click through), and they have to score 100 percent. Other companies provide cybersecurity training along with their regular compliance training or, in the case of retailers, with their PCI training. While that’s a start, the FBI recommends that firms offer specific cybersecurity training several times a year. One treasurer reported cyberrisk education is his company’s top issue.
- Policies and procedures. Another approach is to install cyberrisk management policies and procedures and ensure they become part of internal audit’s workflow. For example, with regard to vendor payments, typical procedures ask employees to confirm any change with the vendor and the bank via a phone call. Make sure that becomes part of the official policy.
- Consider insurance. If cyberfraud is a high risk to your business, there’s a growing list of products that offer risk transference as well as forensics and even public relations help as part of a comprehensive cyberinsurance risk policy.
For more ways to fight cyberrisk, visit www.AFPonline.org/cyber.