Texpo Cyber and Fraud Payment Controls, April 2019 v2 (read-only, 2019-04-03)

Proprietary and Confidential to Treasury Strategies, a division of Novantas, Inc. May not be used or distributed without our written permission.


Texpo 2019

Cyber Risk and Payment Fraud


Introductions

Stacy Scott, Managing Director, Kroll ([email protected])

Jeff Diorio, Director, Treasury Strategies ([email protected])


Agenda

• Overview
o The environment and impacts
o Understanding your exposure
• Real-Life Examples
o BEC
o AP (Presentment and Lock Box)
o Sample Controls Project
• Recommendations
o Controls
o Action plan
o Summary recommendations
• Q&A


What are you concerned about?

• Cyber Risk and Fraud are multi-faceted and extremely broad
o FRAUD AND IMPACT TO BUSINESS/TREASURY OPERATIONS
• Move to faster payments is forcing the issue
• Scoping the issue:
o Internal fraud
o Internal mistakes
o External fraud (BEC, Social Engineering)
o External hack or compromise (e.g. encryption attack)
o Other: Denial of Service, Anarchists and Acts of God
• Fraud prevention and cyber risk protections are a "C"-level issue


THE ENVIRONMENT



Interviews: 2019 Risks

TOP RISKS TREASURERS ARE FOCUSED ON FOR 2019

GEOPOLITICAL SITUATION: Brexit, trade wars, central bank interventions

PAYMENT FRAUD and CYBER RISK: #1 (other side of technology)

PEOPLE: how to retain, hire, motivate, train/upgrade/maximize?

VOLATILITY: What’s your flavor? Interest rate, foreign exchange, commodity

FASTER PAYMENTS and RATE OF CHANGE in technology

LIQUIDITY AND ACCESS TO CAPITAL: LIBOR replacement, access to credit

Treasury Strategies 2019 State of the Treasury Profession Survey


Size Doesn’t Matter

AFP 2016 Payment Fraud Survey


What the World Economic Forum Thinks about Us (US)

Source: Kroll


Where Do Cyberattacks Rank?

Source: World Economic Forum Global Risks 2018


• In 2015, 89% of companies reported the number of fraud attempts either stayed the same or increased.

• Looking at specific payment methods, check fraud has continued to decrease, dropping to an all-time low of 71%. On the other hand, wire fraud has rapidly increased, largely driven by the rise in Business E-mail Compromise and phishing related scams.

• Payment fraud attempts result in relatively minimal actual financial losses. In 2015, the average loss to payment fraud was $390K per occurrence. Once recovered funds are factored in, the actual loss to a successful fraud attempt is only $64K. However, this value does not include associated legal and recovery expenses, which cost an average of $53K.

• While the overwhelming source of fraud attempts remains outside individuals (65%) and social engineering e-mails (50%), successful fraud attempts are still largely caused by internal parties (5%) and cause an average of $165K in losses. While most losses are relatively small, there are multiple headline instances in which companies have lost tens of millions of dollars.

• Since November, Kroll has worked over 110 Office 365 business email compromises.

Scope of the Problem

Figure: $390K potential financial loss from attempted or actual fraud; $64K actual financial loss from fraud; $53K recovery cost; $165K actual financial loss from internal fraud.

Sources: 2016 AFP Payments Fraud and Control Survey & 2016 ACFE Global Fraud Study

Wire fraud now second to check fraud


Framing the Problem: Procure-to-Pay Process

Figure: Procure-to-Pay process map.

Process areas: Credit/Liquidity Management; Purchase Order Management; Order Fulfillment; Invoice Processing; Dispute Management; Payments; Reporting & Analytics; Supplier Management.

Activities shown: Apply Discounts; Validate Quotes; Manage Contracts; Place Order; Track Shipments; Receive Goods; Receive Invoices; Invoice Approval Workflow; Invoice-PO-Receiving Document Matching; Reconcile A/P; Payment Rejects; Manage Disputes; Cash Needs Forecasting; Spend Analysis; Impact on Liquidity; Schedule Payments; Generate Payment Formats; Remittance Advices; Reconcile Bank Account(s); Apply Credit Notes; Payment Status Inquiries; Customizable Queries; Payment Trend Analysis; Supply Chain Analytics; Measure/Monitor Ongoing Supplier Risk; Dynamic Discounting; Supply Chain Finance; Least Cost Routing; Summary/Detail Reports; Communicate with Vendors; Account Validation; Supplier Validation; Supplier Portal/Self Enrollment; Payment and Fraud Analysis; OFAC Sanctions/AML; Fraud Insurance; Solicit Conversion to EFT/Card; Card/EFT Rebates; Approve Adjustments; Payment Approval Workflow.

LEGEND: Fraud Mitigation Area; Critical Fraud Mitigation; Other Payment Processes.


REAL-LIFE EXAMPLES


BEC Background

Business Email Compromise (BEC)

Structure: Email seemingly from internal senior executive requesting a large wire transfer for a seemingly valid business purpose. Sometimes coinciding with call from “lawyer” or “investment banker” or “accountant”.

Example:

A Corporate Treasury was targeted by cyber criminals as fraudsters attempted to deceive the organization into transferring $8M for a fraudulent acquisition.

The fraud attempt was credible and sophisticated in its construction.

• Email appeared to be coming from CEO’s email account and was written in a style that effectively mimicked CEO.

• Fraudulent acquisition consistent with company’s prior history of acquiring UK subsidiaries.

• Email targeted Assistant Treasurer on day that Treasurer was out of the office.

The fraudulent payment may have been made if it were not for the payment protocols and controls that were in place to ensure all wires are legitimate and accurate.


Personal Email Compromise and Control Failure

Startup CEO’s personal email account was targeted and accessed by hackers, which led to a large corporate email compromise and a 5 million dollar loss.

• Personal email account served as backup for his corporate email account, where he had administrator privileges.
• Attackers gained access to CEO’s corporate email account by resetting the password.
• Corporate email account was used as backup for all corporate applications.
• Attackers used admin email privileges to gain access to other employee email accounts and edit privileges to corporate documents, and added a forwarding email address to the client email application.
• Attackers gained access to new client accounts and withdrew funds.
• Attackers gained access to Slack and monitored communications for months until they altered deposit directions, resulting in a 5 million dollar loss.

Multi-factor authentication alone could have prevented this loss.


BEC Payment Control Protocols

Utilize a system of payment protocols to protect the company from being a victim of fraud, including:

1. Segregation of duties

2. Workflow with physical and electronic forms

3. Dual Factor Authentication on critical payments (both internal and external systems) especially for banking systems

4. Payment authorization limits

5. Payment technology enforcing thresholds and workflow (ERP, TMS, Banking systems)

6. Bank controls (authorized payer, mobile authorization, payment limits, etc.)

7. Email Flagging of all external emails (e.g. **** EXTERNAL EMAIL **** ) and senior payment authorizer filter list (e.g. filters on external emails from CFO, Treasurer)

8. Written policies that are widely communicated

9. Employee education (certified and updated at least annually)

10. Fraud action plan

11. Internal and external audits

12. Senior management understanding and active support

13. Refresh and update controls quarterly, but no less frequently than annually.
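Control 7 above combines two mechanisms: a banner on every external email, and a filter that watches for external mail carrying the display name of a senior payment authorizer (the CFO or Treasurer). The following is an added example written for this page, not code from the Texpo deck or from Kroll/Treasury Strategies; the company domains, the authorizer list, the sample messages and the hold-for-review routing are all constructed assumptions. It also flags a Reply-To domain that differs from the From domain, a common indicator in the BEC pattern the deck describes.

```python
"""Added example, not from the Texpo deck: tag inbound mail that comes from
outside the company and flag messages whose display name matches a senior
payment authorizer while the address is not that person's corporate address.
Domains, names and messages are constructed for illustration."""
from email.utils import parseaddr

COMPANY_DOMAINS = {"example-corp.com"}         # assumption: the company's own mail domains
EXTERNAL_TAG = "**** EXTERNAL EMAIL ****"     # the banner style the deck mentions
# assumption: the authorizer filter list, display name -> the only address it may use
SENIOR_AUTHORIZERS = {
    "jane doe": "jane.doe@example-corp.com",  # CFO (constructed)
    "john roe": "john.roe@example-corp.com",  # Treasurer (constructed)
}


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify(message):
    """Return (subject, flags) for a dict with 'from', 'subject' and optional 'reply_to'."""
    name, addr = parseaddr(message["from"])
    subject, flags = message["subject"], []
    if domain_of(addr) not in COMPANY_DOMAINS:
        flags.append("external")
        subject = f"{EXTERNAL_TAG} {subject}"
        # a senior authorizer's display name arriving from an outside address
        expected = SENIOR_AUTHORIZERS.get(" ".join(name.split()).lower())
        if expected and expected != addr.lower():
            flags.append("authorizer-name-from-outside")
    reply_to = message.get("reply_to")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if domain_of(reply_addr) != domain_of(addr):
            flags.append("reply-to-domain-mismatch")
    return subject, flags


def route(message):
    """Hold for manual review when an authorizer-name or reply-to mismatch is flagged."""
    subject, flags = classify(message)
    hold = any(f in flags for f in ("authorizer-name-from-outside", "reply-to-domain-mismatch"))
    return {"subject": subject, "flags": flags,
            "action": "hold-for-review" if hold else "deliver"}


if __name__ == "__main__":
    # constructed sample messages
    for msg in [
        {"from": '"Jane Doe" <jane.doe@example-corp.com>', "subject": "Q2 forecast"},
        {"from": '"Jane Doe" <jane.doe@mail-lookalike.example>', "subject": "Urgent wire"},
        {"from": '"Acme AR" <ar@acme.example>', "subject": "Invoice 1001",
         "reply_to": "ar@acme-billing.example"},
    ]:
        print(route(msg))
```

The name match is deliberately strict on the corporate address rather than on the domain alone, so a lookalike domain that copies the authorizer's display name is held even though the rest of the message looks ordinary; ordinary external mail still gets the banner and is delivered.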


AP: Invoice or Presentment Fraud

Here is an example of both social engineering and technical fraud.

Sometimes they are much more sophisticated

• Actual Vendor

• Actual person

• Proper PO number

Do I open the attachment? DANGER, DANGER, DANGER!

Account manager for what firm?

Actual [email protected]


AP: Vendor Payment Instructions

Vendor or Lockbox Fraud

Structure: Email or letter from valid vendor or payee requesting a change to their receivables account for standard invoice payments.

Example:

This is far more effective than the CEO email

Dear . . .

We recently changed our lock box for invoices. Can you please update your records and submit to:

ABC Bank, Account number xxxyyyzzz
Care of XYZ Company (account actually in name of XYZ Holdings Co vs XYZ Company Inc)

If you have any questions please call our accounts receivable department at (000) 000 – 0000.

Sincerely,
Your friendly fraud attempter
Manager of Accounts Receivable
A company you do business with


AP Control Protocols

Invoice and vendor management controls:

1. Segregation of duties (avoid single person who can receive/process change request as well as initiate payment)

2. Business Intelligence (include business users in approvals)

3. Payment authorization limits

4. Online AP vendor management and invoice systems (e.g. Concur, Ariba)

5. Account change validation procedures and team

6. ERP as central controlled payment workflow, vendor payment details and initiation point

7. Bank controls (positive pay, ACH debit block, duplicate check, etc.)

8. When in doubt… pick up the phone and ask if the ACH payment is a legitimate request

9. Updated policies that are widely communicated

10. Fraud/Cyber SWAT team

11. Employee education and re-education

12. Senior management understanding and active support

13. Refresh and update controls quarterly, but no less frequently than annually.

Payments/Fraud Project Example


• Review policies, procedures and controls of all payment processes

• Receiver account data, invoice matching, change requests, payment request and authorization workflow . . .

• Technical review (can messages be read, altered or inserted)

• Data at Rest must be encrypted.

• Data in Flight must be encrypted.

• Payment message verification (can you validate)

• Acknowledgement/confirmation validation

• Central frequent monitoring of data and workflows

• Digital signatures (e.g., multi-factor authentication), checksum and secondary validation to authenticate payment files

• Risky transactions re-presented by bank

• Action plan for breach or incident
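The checklist above asks whether a payment message can be validated, whether the bank's acknowledgement can be matched back to what was sent, and names checksums, signatures and secondary validation as the means. The block below is an added example written for this page, not code from the deck or from any TMS or bank: it seals a constructed CSV payment file with a SHA-256 checksum, a keyed HMAC (a stand-in for the bank's actual signing scheme) and control totals, then verifies all three on receipt and matches a constructed acknowledgement back to the sealed file. The file layout, the key and the acknowledgement fields are assumptions.

```python
"""Added example, not part of the Texpo deck: authenticate an outbound payment
file with a checksum, a keyed signature and control totals, then validate the
bank's acknowledgement against it. File format, key and ack layout are
constructed; a real bank would specify its own."""
import hashlib
import hmac
from decimal import Decimal

# assumption: a secret exchanged out of band with the bank, standing in for a
# PKI signature; never embed a real key in code
SIGNING_KEY = b"constructed-demo-key"

SAMPLE_FILE = (  # constructed payment file, one record per line
    "PAY,ACME-001,Acme Supplies,GB29NWBK60161331926819,1250.00,GBP\n"
    "PAY,BETA-017,Beta Logistics,DE89370400440532013000,9800.50,EUR\n"
)


def control_totals(payment_file):
    """Record count and amount total, the classic secondary validation."""
    lines = [l for l in payment_file.splitlines() if l.strip()]
    total = sum(Decimal(l.split(",")[4]) for l in lines)
    return {"count": len(lines), "total": str(total)}


def seal(payment_file, key=SIGNING_KEY):
    """Sender side: the metadata attached to the file."""
    data = payment_file.encode()
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "hmac": hmac.new(key, data, hashlib.sha256).hexdigest(),
        **control_totals(payment_file),
    }


def verify(payment_file, seal_meta, key=SIGNING_KEY):
    """Receiver side: return the list of checks that failed (empty means accept)."""
    data = payment_file.encode()
    failed = []
    if hashlib.sha256(data).hexdigest() != seal_meta["sha256"]:
        failed.append("checksum")
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, seal_meta["hmac"]):
        failed.append("signature")
    totals = control_totals(payment_file)
    if totals["count"] != seal_meta["count"] or totals["total"] != seal_meta["total"]:
        failed.append("control-totals")
    return failed


def validate_ack(ack, seal_meta):
    """Match a bank acknowledgement (constructed layout) back to the sealed file."""
    return (ack.get("file_sha256") == seal_meta["sha256"]
            and ack.get("accepted_count") == seal_meta["count"]
            and ack.get("accepted_total") == seal_meta["total"])


if __name__ == "__main__":
    meta = seal(SAMPLE_FILE)
    print("clean file:", verify(SAMPLE_FILE, meta))
    # swapping a beneficiary account leaves the control totals intact
    swapped = SAMPLE_FILE.replace("GB29NWBK60161331926819", "GB00CONSTRUCTED0000000")
    print("account swapped:", verify(swapped, meta))
    print("ack matches:", validate_ack(
        {"file_sha256": meta["sha256"], "accepted_count": 2, "accepted_total": "11050.50"}, meta))
```

The account-swap case is the one worth noticing: control totals alone pass, because the amount and record count did not change, so the checksum and the keyed signature are what catch an altered beneficiary. The acknowledgement check closes the loop the deck calls confirmation validation, tying what the bank says it accepted to the exact file that was sealed.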

Figure: Company → SaaS / Hosted TMS or AP → SWIFT Bureau → Bank.

Sample Cyber/Fraud Project


Sample Cyber/Fraud Project

o Analyze workflow, payment request and processing procedures and security of all systems and parties involved in your payment process.

Figure: ERP, AP and BAM/Forecast systems behind the Corporate Firewall, connecting to the TMS or Bank.


Sample Cyber/Fraud Project

Figure: Company → SaaS / Hosted TMS → SWIFT Bureau → Bank.

• What is your payment process?

• What users have permission to initiate?

• What are the physical and logical security controls?

• Are data and transmissions encrypted?

• Are communications unreadable and unalterable?

• Robustness of connectivity

• Authentication of messages and sender

• Process controls

• Development of alternate initiation plans

Areas of vulnerability:

• Boxes are areas you, vendors or banks must be sure are secured.

• Arrows are communications channels to be protected.


BEST PRACTICE RECOMMENDATIONS


Controls

Pro-active PREVENTION via Processes and Systems

• Segregation of duties (dual or triple approval)

• Profiling of risky transactions (Foreign wires, new or change to counterparty, large $)

• Centralized systems with workflow for payment request, approval and preparation

• Control bank account creation and minimize access points and individuals

• Business intelligence review (not just treasury or AP)

• Deconstruct or un-automate payment processing (add control points and dual-authentication)
o Leverage bank portals and bank payment controls
o Only use STP for known repetitive payments

• IT/Technical protections:
o firewalls, virus scan, admin controls, intrusion detection/risk monitoring, isolated systems

o End-point threat monitoring application

o User Behavior Analytics (UBA) – systems like Splunk analyze activity

o Log retention (12 months)

• Education and escalation (no repercussions for raising alarm or following SOP)
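The prevention controls above (segregation of duties with dual or triple approval, profiling of risky transactions, account change validation, STP only for known repetitive payments) can be expressed as one policy check that every payment request passes through before initiation. The block below is an added example written for this page, not code from the deck or from any ERP or TMS; the vendor master, thresholds, home country and sample requests are constructed assumptions, and the approval levels are one illustrative policy rather than the deck's prescription.

```python
"""Added example, not from the Texpo deck: profile a payment request against
the risk criteria the deck lists (foreign wire, new or changed counterparty,
large amount) and enforce the approvals it needs, with the requester never
counting as an approver. Vendor master, thresholds and requests are constructed."""
from decimal import Decimal

HOME_COUNTRY = "US"                 # assumption
LARGE_AMOUNT = Decimal("100000")    # assumption: threshold for "large $"
NEW_VENDOR_DAYS = 30                # assumption: vendors younger than this are "new"
# assumption: vendor master keyed by vendor id (constructed)
VENDOR_MASTER = {
    "V100": {"country": "US", "account": "US-ACCT-1", "since_days": 900},
    "V200": {"country": "GB", "account": "GB-ACCT-7", "since_days": 12},
}


def risk_factors(req):
    """Return the risk flags raised by one payment request."""
    flags = []
    vendor = VENDOR_MASTER.get(req["vendor_id"])
    if vendor is None:
        flags.append("unknown-counterparty")
    else:
        if vendor["since_days"] < NEW_VENDOR_DAYS:
            flags.append("new-counterparty")
        if req["account"] != vendor["account"]:
            flags.append("account-changed")
        if vendor["country"] != HOME_COUNTRY and req["method"] == "WIRE":
            flags.append("foreign-wire")
    if Decimal(req["amount"]) >= LARGE_AMOUNT:
        flags.append("large-amount")
    return flags


def required_approvals(flags):
    """Dual approval for any flagged payment; triple when the account or counterparty is unverified."""
    if "account-changed" in flags or "unknown-counterparty" in flags:
        return 3
    return 2 if flags else 1


def decide(req):
    """Apply the policy; only unflagged payments are eligible for straight-through processing."""
    flags = risk_factors(req)
    need = required_approvals(flags)
    # segregation of duties: the requester can never count as an approver
    approvers = set(req.get("approvers", [])) - {req["requester"]}
    # a changed account must also pass out-of-band validation (the deck's "pick up the phone")
    callback_ok = "account-changed" not in flags or bool(req.get("callback_verified"))
    return {"flags": flags, "required": need,
            "approved": len(approvers) >= need and callback_ok,
            "stp_eligible": not flags}


if __name__ == "__main__":
    # constructed requests: a routine ACH, a changed account, a large foreign wire
    for req in [
        {"vendor_id": "V100", "account": "US-ACCT-1", "amount": "5000", "method": "ACH",
         "requester": "alice", "approvers": ["bob"]},
        {"vendor_id": "V100", "account": "US-ACCT-9", "amount": "5000", "method": "ACH",
         "requester": "alice", "approvers": ["bob", "carol", "dave"]},
        {"vendor_id": "V200", "account": "GB-ACCT-7", "amount": "250000", "method": "WIRE",
         "requester": "alice", "approvers": ["alice", "bob"]},
    ]:
        print(decide(req))
```

Two behaviours are the point: a changed beneficiary account is never approved on signatures alone, however many there are, until the callback verification is recorded; and a requester who also appears in the approver list is silently discounted, which is what segregation of duties means in code.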


Action Plan

Analyze - Look at all of the components, procedures, partners and communication channels.
• Review your payment procedures and initiation controls.
• Specifically review payment, vendor and account change workflows.
• Determine all places where your data originates, is transported, and stored.
• Evaluate both current level of security and existing exposures.
• Review all fraud prevention technologies and procedures for update and review of activity.
• Involve partners that are both internal (AP, IT, Audit, CRO) and external (banks, insurance, vendor).
• Evaluate potential for loss of control and inability to execute.

Develop an action plan.
• Formulate a response team.
• Review each potential type of breakdown.
• Enhance protection where possible.
• Create response plan for inevitable breach.
• Define acceptable and unacceptable risks.
• Create backup encrypted communications application (preferably off network).


Action Plan

Understand liability and insurance.

• Establish MSA for legal, crisis communications, computer forensic and IT support before the incident occurs

• Who has liability in case of an event?

• Understand your vendors’ and banks’ liability coverage and your comfort

• Use insurance riders and/or cyber insurance as an umbrella (could be multiple policies AND understand limits of liability)

• Be sure money and securities are covered, and understand for how much and under what parameters

• Insurance is only part of your plan

Leverage experts.

• Bank, NACHA and vendor recommendations

• Insurance and federal resources

• Expert advice and best practices

• Outside perspective

• Regular tune-ups


Summary Recommendations

Minimize direct interactions with banks

• Centralize reporting and payment initiation

Review and update policy and controls

• Leverage external experts

Insurance

• A rider for payment fraud is different from cyber or crime insurance

• Understand limits and limitations

Systems and technology

• payment request, invoice matching, vendor and account validation, payment initiation and workflow, aberrant payment monitoring

• Harmonize and optimize what you have and add what’s missing

• Ensure appropriate logging for all systems, especially email (the Unified Audit Log, UAL, in Office 365)

Integrated Payables from your banking partner


Summary Recommendations

Email
• Limit or prevent email forwarding rules
• Limit or prevent other account access, i.e. syncing work email with personal Gmail
• Ensure appropriate user account access logs
• Limit or prevent access from other countries
• Enable multi-factor authentication
• Employee awareness training
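The forwarding-rule and access-log points above come together in one routine check: read the mailbox audit trail and surface every rule or mailbox setting that sends mail outside the company, which is the step the personal-email-compromise case earlier in the deck turned on. The block below is an added example written for this page, not code from the deck, from Kroll or from Microsoft. The records are constructed to approximate the Operation/Parameters shape of Office 365 unified audit log entries; the exact field names, the parameter names treated as forwarding and the company domain are assumptions to be checked against a real export.

```python
"""Added example, not from the Texpo deck: scan mailbox audit records for
inbox rules and mailbox settings that forward mail outside the company.
Records are constructed to approximate the Operation/Parameters shape of
Office 365 unified audit log entries; field names are an assumption."""
import json

COMPANY_DOMAINS = {"example-corp.com"}   # assumption
# assumption: parameter names that carry a forwarding target in rule/mailbox operations
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

SAMPLE_RECORDS = [json.dumps(r) for r in [   # constructed audit records
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@example-corp.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@mail-drop.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "treasurer@example-corp.com",
     "Parameters": [{"Name": "Name", "Value": "Bank alerts"},
                    {"Name": "MoveToFolder", "Value": "Banking"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@example-corp.com",
     "ObjectId": "cfo@example-corp.com",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:cfo.personal@gmail.example"}]},
    {"Operation": "UserLoggedIn", "UserId": "ap.clerk@example-corp.com", "Parameters": []},
]]


def external_targets(value):
    """Split a forwarding parameter value and keep addresses outside company domains."""
    out = []
    for raw in str(value).replace(";", ",").split(","):
        addr = raw.strip().lower()
        addr = addr[5:] if addr.startswith("smtp:") else addr
        if "@" in addr and addr.rsplit("@", 1)[1] not in COMPANY_DOMAINS:
            out.append(addr)
    return out


def find_external_forwarding(records):
    """Return one finding per record that forwards mail to an external address."""
    findings = []
    for line in records:
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        targets = [t for name in sorted(FORWARDING_PARAMS.intersection(params))
                   for t in external_targets(params[name])]
        if targets:
            findings.append({
                # Set-Mailbox acts on ObjectId; inbox rules act on the actor's own mailbox
                "mailbox": rec.get("ObjectId", rec["UserId"]),
                "actor": rec["UserId"],
                "operation": rec["Operation"],
                "targets": targets,
                # forward-and-delete hides the diversion from the mailbox owner
                "deletes": params.get("DeleteMessage") == "True",
            })
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_RECORDS):
        print(f)
```

Run against a real export, the routine is the same: feed it the AuditData JSON of each row and review every finding, giving priority to rules that also delete, to rules with throwaway names such as ".", and to mailbox-level forwarding set by an administrator on an executive's mailbox, since the last is the pattern the earlier CEO case describes.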


Resources

NACHA

Treasury Strategies & Kroll

Your banks

Your vendors (e.g. payment, ERP, insurance)

Other

FBI Internet Crime Complaint Center IC3 (http://www.ic3.gov)

Infragard - FBI and private sector quarterly meetings (infragard.org)

Federal Reserve (http://takeonpayments.frbatlanta.org )

NCFTA (https://www.ncfta.net)

FFIEC (https://www.ffiec.gov/cyberassessmenttool.htm)

US Secret Service Cyber Intelligence Center


THANK YOU AND QUESTIONS


About Treasury Strategies

• Global Liquidity Management Structures

• Cash Forecasting

• Financial Risk Management and Controls

• Treasury Organization

• Payments Strategy

• Leading Practices Review and Benchmarking

• Bank Relationship Management Support

• Bank Fee Account Analysis Solution - NDepth Product

• Technology Optimization, Selection and Implementation

• Merchant Card and Purchasing Card Program

• Treasury Change Management and Resource Support

• Policy and Procedure Review

Treasury Strategies, a division of Novantas, Inc., is the leading treasury consulting firm. Armed with decades of experience, we’ve developed solutions and delivered insights on leading practices, treasury operations, technology, and risk management for hundreds of companies around the globe. We serve corporate Treasurers, their financial services providers and technology providers for the complete 360° view of treasury.

AREAS OF EXPERTISE

TreasuryStrategies.com/content/networkingcommunities11 | @TreasuryStrat | youtube.com/treasurystrategiesincconsulting