Data, cyber and identity controls are top priorities for corporate treasury and finance professionals. What do practitioners need to consider when working with their team, their banks and their technology partners when attempting to protect themselves?
At AFP 2019, Stacy Rosenthal, senior vice president and head of payments product for Santander, and Bob Stark, vice president of strategy for Kyriba, joined the AFP Conversations podcast to discuss practical approaches to strengthening cybersecurity, focusing on three fronts: people, processes and tools. The following is an excerpt of that interview.
Andrew Deichler: So let's start with the top cyberthreats to corporates today. What types of attacks do each of you see as the biggest threats specifically to corporate treasury and finance? Is it ransomware, is it business email compromise scams, man-in-the-browser—or some combination?
Stacy Rosenthal: I think it's a combination thereof; dependent upon the industry or the type of organization, they may see one attack more than the other. However, what's top of mind for corporate treasurers is to make sure that they mitigate internal and external risks, and to do so, it's important to work in collaboration internally, to have the right policies, procedures and tools, and externally with partners and vendors. And that's where working with organizations like Kyriba is so critical. Whatever the threat may be, whatever the concern is, make sure that there's awareness, understanding and a plan.
Andrew Deichler: Bob, on that note, you work with corporate treasury and finance professionals. Are you seeing any kind of a change as these new threats come? Are you working closer than you ever have before with your clients? They are obviously relying on you more than they have in the past, when installed treasury management systems were the norm. Now, their technology partners are the ones heading up a lot of that technical support.
Bob Stark: It's a very good question. I'd like to piggyback on what Stacy was saying; awareness is heightened. Now it's heightened because you look at everything; you look at the AFP Payments Fraud Survey and every year, the percentage is a little bit higher in terms of the type of fraud attempts that are happening. So CFOs, CIOs, CTOs—the C-level across the organization—recognize that there are significant threats not just around payments. Certainly, that's what's within the CFO's remit, and they recognize that there are controls you can put in place to do something about that. But like Stacy said, awareness is important. That's something that's changed quite a bit in the past five to 10 years. Ten years ago, we weren't talking about this. Five years ago, we were sort of talking about it, but with a vagueness—not really appreciating exactly what was going on so that we could put ourselves in a position to protect against that.
Andrew Deichler: Yes; when we had the Target breach, that felt like the breach heard around the world. It felt like the C-suite really woke up to these threats. But one issue that corporate treasury and finance professionals have is getting buy-in for technology projects. It's not always easy to convince somebody at the top, "I need this technology for treasury." But for this topic specifically, with all this recognition going on in the C-suite, do you feel that it's easier for treasury professionals to get that buy-in?
Bob Stark: Well, what I would say is that it's the collaboration that Stacy was mentioning a few moments ago—that's what's critical. Treasury on their own always will struggle with proving that value to be a priority in the budget cycle. And that's always been the case. Whether you're talking about liquidity, whether you're talking about currency volatility, whether you're talking about payments fraud and cybercrime, there's always going to be a struggle to show exactly what the quantitative ROI is going to be. But treasury is not facing payments fraud alone. And so it's the CFO who sees this across other workflows, and it's part of the CIO's remit, who typically owns the ERP, where a lot of these payment controls originate from. So it's collaboration that needs to happen in order to free up the funds to fight it.
Stacy Rosenthal: And it's technology coupled with people and process. So it is a board level conversation—the concern about cyber, data security and fraud—and the internal and external ways to mitigate these things. But it's also making sure that that conversation that happens with the CIO and the CISO is not only about treasury, but about protecting the enterprise and having the appropriate checklist, standard operating procedures and change management. So it's not only about taking the best of technology and making sure that you have the right entitlements, the right access management and the right technology partners to work with. But what are you doing with that technology? Are you actually utilizing the tools that are available to you to be able to configure it in a way that makes sense for your business?
Do you have policies and procedures to manage your day-to-day so you're not caught flat-footed if something goes wrong? That's why it's so important to understand your current environment and to work with the resources that you have at the helm. Also, talk to your peers, talk to your technology providers, talk to your banks, so we can all partner together. It's definitely a team sport; it's not an individual participant game here.
Andrew Deichler: Sure. And so, Stacy, when meeting with your treasury clients, are you seeing them be more proactive now? Are they taking those steps, so that they're not just reacting when they get attacked? Are they making sure that they insulate themselves so that they don't get attacked in the first place?
Stacy Rosenthal: I think there are a lot more questions being asked about what's available. There's more interest in attending educational sessions and webinars, and having active discussions. The RFP landscape has changed. There's not only a section on security but more interest in understanding the various controls, and then what they should be thinking of and who they should have at the table. Before, it was a discussion where you'd be speaking to the business team and then they'd invite their technology team, or technology would be speaking without the business. Now, it's truly a partnership across the organization, and it's not always with a banking partner. It's the banking partner, the corporate treasury team, as well as the technology provider, if there is one. They are asking great questions, and they're also inquiring about what they should be asking. What don't they know? How do they get better at it? And what's changing?
I had heard from a corporate practitioner that when it was check payments, they had more understanding of what the landscape was and how to manage it and the tools that were available to them. Now we're going through yet another digital transformation, and we have this concept of payments everywhere and the cloud and APIs. It's less comfortable for corporates to know what they don't know. It's like, "What should I be asking? Who should I be asking this of?"
Bob Stark: I would add to that there are people that are bringing examples because they're trying to understand, "Is this something that could affect me?" And they don't know what they don't know, so that's an excellent point. When they are asking those questions, they're trying to be proactive. They're taking a hypothetical scenario or a real-life example that happened to someone else and they're asking, "How does this not happen to me?" And that is a collaborative type of conversation. Treasury will have had that conversation with the CTO, with the CIO, with the CSO to ensure that they are internally asking the right questions around their own network. But they're trying to create a resilience that all they know is this has happened to other people, and it could be as simple as there may be a controller in a different part of the world, maybe it's in Europe or Asia or Latin America, that had some privileges that maybe they shouldn't have had.
Or it's some sort of breakdown in controls or policy that allowed a payment to be initiated and approved by not as many people as should have been doing that. And as a result, you create a scenario where that standardization, that consistency of controls that Stacy was talking about, doesn't happen. And sometimes it's as simple as that.