Cyber dimension of third-party risks

Corporate treasury is now a top target for cybercriminals, according to a recent survey of treasury managers across 19 different sectors in the US.

Major corporations are fortifying their defences to ward off potential cyberattacks. However, they have been found vulnerable on one front: their third parties and subcontractors. The Economist Intelligence Unit research found “serious gaps” in corporate defence, including vulnerabilities hidden within third parties and their subcontractors.

It found that most treasurers believe their companies are doing well at implementing basic security measures.

“They have moved aggressively to strengthen their cyber defences by initiating penetration testing to check for internal and external vulnerabilities, updating software systems to evade new lines of attack, and taking steps to limit company network and data access to both employees and third parties. Companies are also training employees on fraud,” it said.

However, when it comes to their third parties and subcontractors, a significant minority of respondent companies are missing some basic security precautions.

The research found that 19% of companies do not check whether their suppliers use the same methods for identity authentication as they do, leaving an open door for fraud. The same survey found only a minority of clients and suppliers follow the same or similar regulatory and compliance rules.

“Treasury’s trove of personal and corporate data, its authority to make payments and move large amounts of cash quickly, and its often complicated structure make it an appealing choice for discerning fraudsters.

“These sophisticated cybercriminals use social engineering and inside information gleaned from lengthy reconnaissance within a given company’s systems to execute high-value thefts. They understand that the ability to access payment infrastructures and bank communication channels is extraordinarily powerful.

“They know that treasurers rarely control the information technology security infrastructure they use. And given the nature of some successful attacks, hackers also seem to understand that most treasuries contain junior staff who can be pressured into infringing rules,” the report said in its summary.

The report warned that the potential losses are huge.

“Hackers infiltrating individual companies have stolen tens of millions of dollars in a single attack. The stock price of breached companies falls and CEOs are sacked. Data losses create reputational damage and lawsuits from inside and outside the company.

“Even mergers and acquisitions can be derailed or altered in value to the tune of hundreds of millions of dollars, as in the case of telco Verizon Communications Inc’s acquisition of Internet company Yahoo Inc,” it said.