Proprietary and Confidential to Treasury Strategies, a division of Novantas, Inc. May not be used or distributed without our written permission.
Texpo 2019
Cyber Risk and Payment Fraud
Introductions
Stacy Scott, Managing Director, Kroll, [email protected]
Jeff Diorio, Director, Treasury Strategies, [email protected]
Agenda
Overview
The environment and impacts
Understanding your exposure
Real-Life Examples
BEC
AP (Presentment and Lock Box)
Sample Controls Project
Recommendations
Controls
Action plan
Summary recommendations
Q&A
What are you concerned about?
• Cyber Risk and Fraud are multi-faceted and extremely broad
o FRAUD AND IMPACT TO BUSINESS/TREASURY OPERATIONS
• Move to faster payments is forcing the issue
• Scoping the issue:
o Internal fraud
o Internal mistakes
o External fraud (BEC, Social Engineering)
o External hack or compromise (e.g. encryption attack)
o Other: Denial of Service, Anarchists and Acts of God
• Fraud prevention and cyber risk protections are a "C" level issue
Interviews: 2019 Risks
TOP RISKS TREASURERS ARE FOCUSED ON FOR 2019
GEOPOLITICAL SITUATION: Brexit, trade wars, central bank interventions
PAYMENT FRAUD and CYBER RISK #1 (other side of technology)
PEOPLE: how to retain, hire, motivate, train/upgrade/maximize?
VOLATILITY: What's your flavor? Interest rate, foreign exchange, commodity
FASTER PAYMENTS and RATE OF CHANGE in technology
LIQUIDITY AND ACCESS TO CAPITAL: LIBOR replacement, access to credit
Treasury Strategies 2019 State of the Treasury Profession Survey
Where Do Cyberattacks Rank?
Source: World Economic Forum Global Risks 2018
Scope of the Problem
• In 2015, 89% of companies reported the number of fraud attempts either stayed the same or increased.
• Looking at specific payment methods, check fraud has continued to decrease, dropping to an all-time low of 71%. On the other hand, wire fraud has rapidly increased, largely driven by the rise in Business Email Compromise and phishing-related scams.
• Payment fraud attempts result in relatively minimal actual financial losses. In 2015, the average loss to payment fraud was $390K per occurrence. Once recovered funds are factored in, the actual loss to a successful fraud attempt is only $64K. However, this value does not include associated legal and recovery expenses, which cost an average of $53K.
• While the overwhelming source of fraud attempts remains outside individuals (65%) and social engineering e-mails (50%), successful fraud attempts are still largely caused by internal parties (5%) and cause an average of $165K in losses. While most losses are relatively small, there are multiple headline-making instances in which companies have lost tens of millions of dollars.
• Since November, Kroll has worked over 110 Office 365 business email compromises.
Figure: potential financial loss from attempted or actual fraud $390K; actual financial loss from fraud plus recovery cost $64K; actual financial loss from internal fraud $165K; legal and recovery expenses $53K.
Sources: 2016 AFP Payments Fraud and Control Survey & 2016 ACFE Global Fraud Study
Wire fraud now second to check fraud
Framing the Problem: Procure-to-Pay Process
Figure: procure-to-pay process map. Labels from the figure: Apply Discounts, Validate Quotes, Manage Contracts, Place Order, Track Shipments, Receive Goods, Receive Invoices, Invoice Approval Workflow, Reconcile A/P, Payment Rejects, Manage Disputes, Cash Needs Forecasting, Spend Analysis, Impact on Liquidity, Schedule Payments, Generate Payment Formats, Remittance Advices, Reconcile Bank Account(s), Apply Credit Notes, Payment Status Inquiries, Credit/Liquidity Management, Purchase Order Management, Order Fulfillment, Invoice Processing, Dispute Management, Payments, Reporting & Analytics, Customizable Queries, Payment Trend Analysis, Supply Chain Analytics, Measure/Monitor Ongoing Supplier Risk, Dynamic Discounting, Supply Chain Finance, Least Cost Routing, Summary/Detail Reports, Communicate with Vendors, Supplier Management, Account Validation, Supplier Validation, Supplier Portal/Self Enrollment, Payment and Fraud Analysis, OFAC Sanctions/AML, Fraud Insurance, Solicit Conversion to EFT/Card, Card/EFT Rebates, Approve Adjustments, Payment Approval Workflow, Invoice-PO-Receiving Document Matching.
Legend: Fraud Mitigation Area; Critical Fraud Mitigation; Other Payment Processes.
BEC Background
Business Email Compromise (BEC)
Structure: Email seemingly from internal senior executive requesting a large wire transfer for a seemingly valid business purpose. Sometimes coinciding with call from “lawyer” or “investment banker” or “accountant”.
Example:
A Corporate Treasury was targeted by cyber criminals as fraudsters attempted to deceive the organization into transferring $8M for a fraudulent acquisition.
The fraud attempt was credible and sophisticated in its construction.
• Email appeared to be coming from CEO’s email account and was written in a style that effectively mimicked CEO.
• Fraudulent acquisition consistent with company's prior history of acquiring UK subsidiaries.
• Email targeted Assistant Treasurer on day that Treasurer was out of the office.
The fraudulent payment may have been made if it were not for the payment protocols and controls that were in place to ensure all wires are legitimate and accurate.
Personal Email Compromise and Control Failure
A startup CEO's personal email account was targeted and accessed by hackers, which led to a large corporate email compromise and a 5 million dollar loss.
• The personal email account served as backup for his corporate email account, where he had been given administrator privileges.
• Attackers gained access to the CEO's corporate email account by resetting its password.
• The corporate email account was used as backup for all corporate applications.
• Attackers used the admin email privileges to gain access to other employee email accounts and edit privileges on corporate documents, and added a forwarding email address to the client email application.
• Attackers gained access to new client accounts and withdrew funds.
• Attackers gained access to Slack and monitored communications for months until they altered deposit directions, resulting in a 5 million dollar loss.
Multi-factor authentication alone could have prevented this loss.
BEC Payment Control Protocols
Utilize a system of payment protocols to protect the company from being a victim of fraud, including:
1. Segregation of duties
2. Workflow with physical and electronic forms
3. Dual Factor Authentication on critical payments (both internal and external systems) especially for banking systems
4. Payment authorization limits
5. Payment technology enforcing thresholds and workflow (ERP, TMS, Banking systems)
6. Bank controls (authorized payer, mobile authorization, payment limits, etc.)
7. Email Flagging of all external emails (e.g. **** EXTERNAL EMAIL **** ) and senior payment authorizer filter list (e.g. filters on external emails from CFO, Treasurer)
8. Written policies that are widely communicated
9. Employee education (certified and updated at least annually)
10. Fraud action plan
11. Internal and external audits
12. Senior management understanding and active support
13. Refresh and update controls quarterly, but no less frequently than annually.
AP: Invoice or Presentment Fraud
Here is an example of both social engineering and technical fraud.
Sometimes they are much more sophisticated:
• Actual vendor
• Actual person
• Proper PO number
Annotations on the sample email: "Do I open the attachment? DANGER, DANGER, DANGER!"; "Account manager for what firm?"; "Actual [email protected]".
AP: Vendor Payment Instructions
Vendor or Lockbox Fraud
Structure: Email or letter from valid vendor or payee requesting a change to their receivables account for standard invoice payments.
Example:
This is far more effective than the CEO email
Dear . . .
We recently changed our lock box for invoices. Can you please update your records and submit to
ABC Bank Account number xxxyyyzzz
Care of XYZ Company (account actually in name of XYZ Holdings Co vs XYZ Company Inc)
If you have any questions please call our accounts receivable department at (000) 000 – 0000
Sincerely
Your friendly fraud attempter
Manager of Accounts Receivable
A company you do business with
AP Control Protocols
Invoice and vendor management controls:
1. Segregation of duties (avoid a single person who can receive/process a change request as well as initiate payment)
2. Business Intelligence (include business users in approvals)
3. Payment authorization limits
4. Online AP vendor management and invoice systems (e.g. Concur, Ariba)
5. Account change validation procedures and team
6. ERP as central controlled payment workflow, vendor payment details and initiation point
7. Bank controls (positive pay, ACH debit block, duplicate check, etc.)
8. When in doubt…pick up the phone and ask if ACH payment is legitimate request
9. Updated policies that are widely communicated
10. Fraud/Cyber SWAT team
11. Employee education and re-education
12. Senior management understanding and active support
13. Refresh and update controls quarterly, but no less frequently than annually.
Sample Cyber/Fraud Project
• Review policies, procedures and controls of all payment processes
• Receiver account data, invoice matching, change requests, payment request and authorization workflow . . .
• Technical review (can messages be read, altered or inserted)
• Data at rest must be encrypted.
• Data in flight must be encrypted.
• Payment message verification (can you validate)
• Acknowledgement/confirmation validation
• Central frequent monitoring of data and workflows
• Digital signatures (e.g., multi-factor authentication), checksum and secondary validation to authenticate payment files
• Risky transactions re-presented by bank
• Action plan for breach or incident
Diagram: Company, SaaS Hosted TMS or AP, SWIFT Bureau, Bank.
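The checksum and secondary validation item above is easy to get wrong: an unkeyed checksum only catches accidental corruption, because anyone who can alter a payment file can recompute it. The following is an added example (not code from the deck or from Treasury Strategies/Kroll) showing the difference on a constructed, simplified payment file with a hypothetical shared key; real bank formats and key exchange are out of scope.

```python
import hashlib
import hmac

# Constructed sample payment file (simplified CSV, not a real bank format).
PAYMENT_FILE = (
    "batch_id,beneficiary,account,amount\n"
    "B1001,Acme Supplies Ltd,GB00DEMO12345678,125000.00\n"
    "B1001,Northwind Logistics,GB00DEMO87654321,43210.50\n"
)
# Hypothetical shared secret, exchanged out of band with the receiving system.
SIGNING_KEY = b"demo-key-exchange-this-out-of-band"


def checksum(content: str) -> str:
    """Unkeyed integrity check: anyone who can alter the file can recompute it."""
    return hashlib.sha256(content.encode()).hexdigest()


def sign(content: str, key: bytes) -> str:
    """Keyed tag (HMAC-SHA256): only a holder of the key can produce a valid one."""
    return hmac.new(key, content.encode(), hashlib.sha256).hexdigest()


def verify(content: str, expected_checksum: str, expected_tag: str, key: bytes) -> dict:
    """Secondary validation on receipt: report the two checks separately."""
    return {
        "checksum_ok": hmac.compare_digest(checksum(content), expected_checksum),
        "signature_ok": hmac.compare_digest(sign(content, key), expected_tag),
    }


def alter_account(content: str) -> str:
    """Constructed tampering case: one beneficiary account changed after signing."""
    return content.replace("GB00DEMO12345678", "GB00DEMO99999999")


def demo() -> dict:
    """Outcomes a receiving system (bank, TMS) would see in three situations."""
    legit_sum, legit_tag = checksum(PAYMENT_FILE), sign(PAYMENT_FILE, SIGNING_KEY)
    altered = alter_account(PAYMENT_FILE)
    return {
        "original": verify(PAYMENT_FILE, legit_sum, legit_tag, SIGNING_KEY),
        # Altered file with the checksum left stale: both checks fail.
        "altered_stale_checksum": verify(altered, legit_sum, legit_tag, SIGNING_KEY),
        # Altered file with the checksum recomputed: only the keyed tag still fails.
        "altered_fresh_checksum": verify(altered, checksum(altered), legit_tag, SIGNING_KEY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```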
Sample Cyber/Fraud Project
o Analyze workflow, payment request and processing procedures and security of all systems and parties involved in your payment process.
Diagram: TMS or Bank, ERP, BAM Forecast, AP, Corporate Firewall.
Sample Cyber/Fraud Project
Diagram: Company, SaaS Hosted TMS, SWIFT Bureau, Bank.
• What is your payment process?
• What users have permission to initiate?
• What are the physical and logical security controls?
• Are data and transmissions encrypted?
• Are communications unreadable and unalterable?
• Robustness of connectivity
• Authentication of messages and sender
• Process controls
• Development of alternate initiation plans
Areas of vulnerability:
• Boxes are areas you, vendors or banks must be sure are secured.
• Arrows are communications channels to be protected.
Controls
Pro-active PREVENTION via Processes and Systems
• Segregation of duties (dual or triple approval)
• Profiling of risky transactions (foreign wires, new or change to counterparty, large $)
• Centralized systems with workflow for payment request, approval and preparation
• Control bank account creation and minimize access points and individuals
• Business intelligence review (not just treasury or AP)
• Deconstruct or un-automate payment processing (add control points and dual authentication)
o Leverage bank portals and bank payment controls
o Only use STP for known repetitive payments
• IT/Technical protections:
o Firewalls, virus scan, admin controls, intrusion detection/risk monitoring, isolated systems
o End-point threat monitoring application
o User Behavior Analytics (UBA) – systems like Splunk analyze activity
o Log retention (12 months)
• Education and escalation (no repercussions for raising alarm or following SOP)
Action Plan
Analyze - Look at all of the components, procedures, partners and communication channels.
• Review your payment procedures and initiation controls.
• Specifically review payment, vendor and account change workflows.
• Determine all places where your data originates, is transported, and stored.
• Evaluate both current level of security and existing exposures.
• Review all fraud prevention technologies and procedures for update and review of activity.
• Involve partners that are both internal (AP, IT, Audit, CRO) and external (banks, insurance, vendor).
• Evaluate potential for loss of control and inability to execute.
Develop an action plan.
• Formulate a response team.
• Review each potential type of breakdown.
• Enhance protection where possible.
• Create response plan for inevitable breach.
• Define acceptable and unacceptable risks.
• Create backup encrypted communications application (preferably off network).
Action Plan
Understand liability and insurance.
• Establish MSA for legal, crisis communications, computer forensic and IT support before the incident occurs
• Who has liability in case of an event?
• Understand your vendors’ and banks’ liability coverage and your comfort
• Use insurance riders and/or cyber insurance as an umbrella (could be multiple policies AND understand limits of liability)
• Be sure monetary and securities are covered, how much and parameters
• Insurance is only part of your plan
Leverage experts.
• Bank, NACHA and vendor recommendations
• Insurance and federal resources
• Expert advice and best practices
• Outside perspective
• Regular tune-ups
Summary Recommendations
Minimize direct interactions with banks
• Centralize reporting and payment initiation
Review and update policy and controls
• Leverage external experts
Insurance
• Rider for payment fraud different than cyber or crime insurance
• Understand limits and limitations
Systems and technology
• payment request, invoice matching, vendor and account validation, payment initiation and workflow, aberrant payment monitoring
• Harmonize and optimize what you have and add what’s missing
• Ensure appropriate logging for all systems, especially email (UAL in Office 365)
Integrated Payables from your banking partner
Summary Recommendations
Email
• Limit or prevent email forwarding rules
• Limit or prevent other account access, i.e. syncing work email with personal Gmail
• Ensure appropriate user account access logs
• Limit or prevent access from other countries
• Enable multi-factor authentication
• Employee awareness training
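The forwarding-rule and logging recommendations above come together in the Office 365 Unified Audit Log: rule creation is recorded as an operation with its parameters, so external forwarding can be flagged from the log. This is an added example (not code from the deck or from Kroll/Treasury Strategies); the record shape is a simplified version of the exported AuditData JSON, the sample records and the company domain `example.com` are constructed.

```python
import json

INTERNAL_DOMAINS = {"example.com"}  # the company's own mail domains (assumed)
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed UAL records, one JSON object per line, in a simplified AuditData shape.
SAMPLE_UAL = """
{"CreationTime":"2019-03-04T02:11:09","Operation":"New-InboxRule","UserId":"cfo@example.com","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"archive@attacker-mail.example"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2019-03-04T09:30:00","Operation":"New-InboxRule","UserId":"ap.clerk@example.com","ClientIP":"198.51.100.20","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"MoveToFolder","Value":"Invoices"}]}
{"CreationTime":"2019-03-05T16:02:41","Operation":"Set-Mailbox","UserId":"treasurer@example.com","ClientIP":"198.51.100.21","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:treasurer@example.com"}]}
{"CreationTime":"2019-03-06T01:45:13","Operation":"UserLoggedIn","UserId":"cfo@example.com","ClientIP":"203.0.113.7","Parameters":[]}
"""


def is_external(address: str) -> bool:
    """True when the forwarding target lies outside the company's own domains."""
    addr = address.lower()
    if addr.startswith("smtp:"):  # Set-Mailbox records the address with this prefix
        addr = addr[5:]
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def find_external_forwarding(ual_text: str) -> list:
    """Return one finding per rule or mailbox change that forwards mail externally."""
    findings = []
    for line in ual_text.strip().splitlines():
        rec = json.loads(line)
        if rec["Operation"] not in RULE_OPS:
            continue  # sign-ins and other operations are out of scope for this check
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        targets = sorted(params[k] for k in FORWARD_PARAMS if k in params and is_external(params[k]))
        if targets:
            findings.append({
                "time": rec["CreationTime"], "user": rec["UserId"], "ip": rec["ClientIP"],
                "operation": rec["Operation"], "targets": targets,
                # A rule that also deletes the original hides the diversion from the mailbox owner.
                "deletes_original": params.get("DeleteMessage") == "True",
            })
    return findings


if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_UAL):
        print(finding)
```

Internal forwarding and folder-move rules are left alone, so the output is the short list an analyst would actually review.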
Resources
NACHA
Treasury Strategies & Kroll
Your banks
Your vendors (e.g. payment, ERP, insurance)
Other
FBI Internet Crime Complaint Center IC3 (http://www.ic3.gov)
Infragard - FBI and private sector quarterly meetings (infragard.org)
Federal Reserve (http://takeonpayments.frbatlanta.org )
NCFTA (https://www.ncfta.net)
FFEIC (https://www.ffiec.gov/cyberassessmenttool.htm)
US Secret Service Cyber Intelligence Center
About Treasury Strategies
Treasury Strategies, a division of Novantas, Inc., is the leading treasury consulting firm. Armed with decades of experience, we've developed solutions and delivered insights on leading practices, treasury operations, technology, and risk management for hundreds of companies around the globe. We serve corporate Treasurers, their financial services providers and technology providers for the complete 360° view of treasury.
AREAS OF EXPERTISE
• Global Liquidity Management Structures
• Cash Forecasting
• Financial Risk Management and Controls
• Treasury Organization
• Payments Strategy
• Leading Practices Review and Benchmarking
• Bank Relationship Management Support
• Bank Fee Account Analysis Solution - NDepth Product
• Technology Optimization, Selection and Implementation
• Merchant Card and Purchasing Card Program
• Treasury Change Management and Resource Support
• Policy and Procedure Review
TreasuryStrategies.com/content/networkingcommunities11 @TreasuryStrat youtube.com/treasurystrategiesincconsulting