Securing Treasury. Craig Jeffery, Managing Partner, Strategic Treasurer Rosemary Lyons, Business Project Manager, Cigna. You. Are. Not. Done.

Transcription

1 You. Are. Not. Done. Craig Jeffery, Managing Partner, Strategic Treasurer Rosemary Lyons, Business Project Manager, Cigna

2 About the Presenter 2 Craig Jeffery, CCM, FLMI Founder & Managing Partner Strategic Treasurer Rosemary Lyons, CTP, PMP Business Project Manager, Compliance Cigna Treasury Department Craig Jeffery formed Strategic Treasurer LLC in 2004 to provide corporate, educational, and government entities direct access to comprehensive and current assistance with their treasury and financial process needs. His 20+ years of financial and treasury experience as a practitioner and as a consultant have uniquely qualified him to help organizations craft realistic goals and achieve significant benefits quickly. Rosemary Lyons has more than 25 years of treasury experience. She is currently a Compliance Manager with Cigna's Treasury Department, with responsibilities for credit card relationships, PCI-DSS, and other regulatory compliance. She earned a BS in Business Administration from Western New England University. She has obtained the Certified Treasury Professional and the Project Management Professional designations.

3 Topics of Discussion 3 The Corporate Treasury Situation o o o o Overall Situation: Challenges & Responsibilities Sample Complexity Considerations Fraud in the Spotlight The Criminal s Playbook Corporate Fraud Experience o o o Overall Fraud Experience Losses & Criminal Payouts Corporate Fraud Concerns & Investment Plans Structuring a Defense Posture o o o The Fraud Battlefield: Areas of Exposure Corporate Shortsightedness: Security Training Technology vs Human Security Components Case Studies: Successful vs Unsuccessful Security Approaches Cigna s Perspective The Four Pillars of Security Key Considerations for Treasury

4 Overall Treasury Experience 4 Treasury s Situation: Responsibilities, Challenges, & Considerations Rising Fraud Globalization Tech Investment: Reality vs. Expectation Risk Concerns Corporate Treasury Thinly Staffed Increasing Complexity Compliance Elevated Internal Expectations

5 Sample Complexity: Globalization & Staffing 5 Our business operates in this many countries: 1 Are your staffing levels where they need to be now? 2 11% 17% Unsure 14% 10% No, we are understaffed 42% 12% Yes, we are appropriately staffed 44% 50% 0% 10% 20% 30% 40% 50% 1 Country 2-20 Countries Countries Countries 81+ Countries A Struggle to Perform. When asked if their staff levels were where they needed to be, a sizeable portion of respondents to a 2017 survey saw themselves as understaffed.

6 Fraud: A Top Treasury Priority 6 Corporates: Rate the following payment initiative drivers on a scale from (1) most important to (8) least important % 100% 80% 60% 40% 20% 0% 11% 6% 3% 6% 8% 8% 8% 4% 9% 14% 7% 7% 11% 11% 23% 5% 37% 16% 6% 7% 13% 9% 18% 18% 12% 8% 11% 31% 18% 11% 12% 21% 20% 19% 32% 25% 11% 11% 13% 19% 34% 8% 8% 46% 13% 9% 6% 7% 16% 5% 16% 9% 8% 5% 5% 13% 9% 6% 9% 8% 11% 9% 5% 4% Most Important Least Important Corporate Payment Drivers. The responses clearly indicated that protection against fraud was the top priority for the majority of corporates, with payment efficiency the second highest priority, cost effectiveness third, and achieving visibility fourth. The areas of lesser importance to organizations were the scalability of payment processes and vendor/supplier management.

7 Low Control Control of Fraud High Control Securing Treasury The Criminal s Playbook 7 The Criminal s Playbook: Fraud Types & Associated Intentions High Payout Low Payout Fraud Intent Fraud Type Steal Funds Directly System Fraud ACH Fraud - Personal Payment Systems Check Forgery Get You To Send Funds Business Compromise AP Vendor Master Record Changes Take Data and Sell it Data Breach Lock up Data for Ransom Ransomware via Worm Ransomware as a Service Surveying the Field: There are a wide variety of fraudulent methods for criminals to select from. If an organization is protected at one juncture, a criminal may move on to target them through another avenue or area of exposure. Due to the ever-evolving playbook of today s criminal, organizations must be constantly monitoring their operations to locate exposures and identify suspicious activity.

8 Corporate Fraud Experience 8 Corporates: From which party did you experience fraud? (Select all that apply) 4 Corporates: Fraud Experience by Type of Attack (Over the last 1-2 Years ( )) 5 80% 76% 3% 70% 21% 14% 60% 62% 50% 45% 40% 81% 30% 20% 10% 7% Internal-Current Employee External- Non-employee External- Formal Employee Unknown Source 0% Ransomware Cyber Fraud Payment Fraud BEC

9 Corporate Fraud: Criminal Payouts 9 Payouts are on the Rise Organizations are under constant attack from criminals trying to steal their funds through cybercrime, fraud, and other means. Over the past several years this has become a major concern for most firms, especially as the payouts associated with certain types of fraud increase. 86% of practitioners have experienced at least one form of fraud in the past two years* SYSTEM FRAUD Typical Payout Range: $1M-10M+ WIRE (BEC) FRAUD Typical Payout Range: $130K+ CHECK FRAUD Typical Payout Range: $1K-2K *2017 Strategic Treasurer, Bottomline, Bank of America Merrill Lynch 2017 Treasury Fraud & Controls Survey The above values are taken from calculations off of FBI, Banking Data and Strategic Treasurer estimates.

10 Fraud Concerns are Elevated 10 Security Concerns Are Rising Payment Security Concerns 6 Our current payment security concerns, as compared to the prior year, are: The frequency and severity in which fraud is striking the treasury environment has caused widespread panic amongst practitioners. 50% 45% 40% 47% 39% 46% of respondents say that security concerns are higher or significantly higher than in previous years. 35% 30% Only 2% have lowered concerns. 25% 20% As security concerns rise, corporate practitioners must consider how they are going to prevent fraudulent attacks. 15% 10% 7% 5% 2% 4% 0% Lower About the same Higher Significantly higher Unsure

11 Fraud Concerns Influence Technology Spend 11 Security Concerns Influence Spending Impact of Security on Spend 7 What influence do security concerns have on your current or planned technology spend? Not surprisingly, as fraud experience 35% continues to climb so too does the level of planned investment in security 30% 29% 31% 30% controls and technology. 25% 61% of respondents say that security concerns have a strong or very strong influence on their technology spend. 20% This shows that corporations are 15% making serious investments in technology that enhance fraud detection and prevention. 10% 5% 4% 6% 0% None to limited influence on our spend level Moderate influence on our spend level Strong Influence on our spend level Very strong influence on our spend level Unsure

12 Scope of Security Investments 12 Spend Plans: Treasury Security Controls 8 What are your spending plans for treasury fraud prevention, detection, and controls? Spend Plans: Treasury Security Controls 9 Which areas do you intend to spend more or significantly more on fraud prevention, detection or controls? (check all that apply) AP payments 55% Spend significantly more. 4% Treasury payments Impostor fraud / business 41% 49% Bank transaction fraud 34% Card processing and controls 33% Spend more. 20% Bank reconciliation File controls, digital signing 30% 27% System access (ie new security 25% Transaction controls 25% Spend about the same. 71% Payroll GL reconciliation (sub-ledger to GL) 21% 20% Account level controls 18% Bank account fraud 16% Spend less than prior years. 5% Data mining Monitoring and reporting services 11% 16% Other: 5% 0% 20% 40% 60% 80% 0% 10% 20% 30% 40% 50% 60%

13 Cyber Security Cloud Security Securing Treasury The Fraud Battlefield 13 The Fraud Battlefield: Access Control Incident Response Employee Management Treasury Security Framework Access Control Banking Design Sensitive Data Desktop Network SAN Segregation of Duties Transaction & Daily Limits Employees Temp/Contractors Partners Lockdown Playbook Assessment & Benchmarking Duties & Policies Communications Liability Management

14 Exposure: Corporate Security Training 14 Corporate Security Practices Although corporates have indicated a willingness and intent to spend significantly on treasury security, there are still large areas of exposure. Corporate vs Bank Security Training 10 Do you require employees involved in payments to take security training each year? 120% 100% 97% Currently, only 39% of corporates require employees involved in 80% Banks Corporates payments to take security training every year. 60% 61% This represents a major area of weakness and vulnerability. 40% 39% 20% 3% 0% Yes No Strategic Treasurer & TD Bank Treasury Perspectives Survey

15 Bank vs. Corporate Security Testing 15 Corporate Security Practices Does this training have a reported testing component? 11 Even when looking at those firms that do require regular training, the scope of their courses fall short compared to banks. 100% 90% 80% 94% Over 1/3 rd of corporates that require regular training have not incorporated a testing component into their courses. 70% 60% 66% Testing involves either a scored 50% Corp Bank quiz/test, or may involve tests such as fake phishing s sent to employees to see how they handle 40% 30% 34% such messages. 20% Corporates must learn to combine 10% 6% technology components of security with human elements. 0% Yes No

16 Technology vs. Human Security Components 16 Technology Security Components Human Security Components Antivirus Software Security Training (Regularly) Firewall Employee Testing (Phishing s) Multifactor Authentication Whistleblower Policy User Monitoring Tools Clean Desk Policy Biometrics Dual Controls Encryption Segregation of Duties Tokenization Principle of Least Privilege SAML 2.0

17 Case Study 17 Case Study: Fraud WITH Security Training Case Study: Fraud WITHOUT Security Training Fraudulent Activity Initiated. A criminal gained access to a corporate CFO s address and initiated several payment requests via to a treasury employee. The messages were made to sound urgent. Fraudulent Activity Initiated. A treasury employee receives an from a current vendor requesting that future payments be sent to a new bank account. Suspicious Request Identified. The treasury employee noticed the unusually urgent language and did not recognize the payment details provided in the . The employee did not post the payment and instead contacted his superiors for further verification. Suspicious Details Undetected. Although there were several minor typos in the message, the address was correct and this vendor had changed their payment information before, so the employee follows through with the request. Losses Prevented. Further analysis led to the discovery that the payments were indeed fraudulent and that the CFO s credentials had been compromised. Due to the employee s training on how to identify suspicious requests, fraudulent losses were prevented. Fraudulent Losses Sustained. As a result, the next two payments to the vendor are delinquent, and further analysis discovers that both payments were delivered to a fraudulent account instead of the vendor s actual account.

18 Treasury Data Security: Cigna s Perspective 18 An Introduction to Cigna A global health service company with more than ninety-five million customer relationships worldwide. Cigna's global workforce is approximately forty-five thousand employees. The company offers a diversified portfolio of Global Healthcare, Group Disability and Life and Global Supplemental Benefits Cigna Security Initiatives: Employee Training, Testing, and Policies Cigna employees are required to complete data security and privacy training on a regular basis. Classes require a test to complete the training and/or an attestation of compliance. A course on PCI-DSS security awareness was added for all employees in Cigna s information protection group regularly tests employees with mock phishing s. Comprehensive business continuity plans exist and are regularly tested. The December 2017 test was specifically focused on a cyber attack within the Treasury Department.

19 Treasury Data Security: Cigna s Perspective 19 Cigna Security Initiatives: Treasury Specific Initiatives Created Compliance Manager role to oversee business PCI-DSS, SWIFT Customer Security Program (CSP) and other compliance requirements. Developed various policies to control cash activity and document mandated requirements, such as for disbursements, escheat, bank reconciliation and credit/debit card use. Projects undertaken to tokenize credit card data instead of storing cardholder information. Centralize disbursement processing from bank portals to Cigna s enterprise payment platform to strengthen controls and cash visibility. Participates in the Corporate Risk Steering Committee which tracks new and ongoing compliance requirements. Ensures standard controls are followed such as positive pay controls, disbursement authority limits, and segregation of duties.

20 Developing a Security Framework 20 Four Pillars of Treasury Security ASSESS & ARCHITECT Greater Awareness Assess Major Exposure Risks Understand Required Layers Regular Revision Ongoing Monitoring Market & Situations 2. PREPARE & PREVENT Stronger Defense Posture Upgrade Processes Systems Staff Knowledge 3. MANAGE PROCESSES Maintain & Reinforce Position Ongoing Training Testing 4. REMEDIATION Respond & Recover Reporting Response (Fast, Appropriate) Rework (Restore to New Model)

21 Key Security Points for Treasury 21 Although corporate treasury faces a wide array of responsibilities and challenges, fraud and security have become a top priority as attacks increase in frequency and severity. Innovations to techniques and methods by which criminals perpetrate fraud has resulted in a landscape where criminal payouts can reach millions of dollars in some circumstances. As the threat of fraud is elevated, corporates have indicated a strong intent to invest heavily in multiple areas of the technology components of their security infrastructure. Despite these technology investments, however, many firms continue to leave themselves exposed by failing to implement staff security training and testing. Treasury must learn to balance the technology components of their security infrastructure with human components failing to secure either sector can result in large and dangerous exposures.

22 Technology Cash Forecasting: Tune-Up No Longer a Bridesmaid Co-hosted with GTreasury 22 Contact Information Strategic Treasurer Craig A. Jeffery, CCM, FLMI Founder & Managing Partner Strategic Treasurer craig@strategictreasurer.com Direct: +1 (678) Rosemary Lyons, CTP, PMP Business Project Manager, Compliance Cigna rosemary.lyons@cigna.com Direct: +1 (860) Thank you for participating in this event!

23 Works Cited Strategic Treasurer, Bottomline Technologies, & Bank of America Merrill Lynch B2B & WCM Strategies Survey Strategic Treasurer Higher Ed Survey Strategic Treasurer & Fides Global Payments Survey Strategic Treasurer & Bottomline Technologies Treasury Fraud & Controls Survey Strategic Treasurer & Bottomline Technologies Treasury Fraud & Controls Survey Strategic Treasurer, Bottomline Technologies, & Bank of America Merrill Lynch B2B & WCM Strategies Survey Strategic Treasurer, Bottomline Technologies, & Bank of America Merrill Lynch B2B & WCM Strategies Survey Strategic Treasurer & Bottomline Technologies Treasury Fraud & Controls Survey Strategic Treasurer & Bottomline Technologies Treasury Fraud & Controls Survey 10. Strategic Treasurer & TD Bank Treasury Perspectives Survey 11. Strategic Treasurer & TD Bank Treasury Perspectives Survey