
Treasury Best Practices Series: Minimizing Payments Fraud


Page 1: Treasury Best Practices Series: Minimizing Payments Fraud

April 21st, 2016

Minimizing Payments Fraud

Page 2: Today’s Presenters

© 2015 Kyriba Corp. All rights reserved. PROPRIETARY & CONFIDENTIAL. 2

• Sam Pallotta, VP, Treasurer, Rockefeller Group International

• RB Erickson, Director, Global Sales Enablement, Kyriba

• Jeff Diorio, Managing Director, Treasury Strategies

Page 3: Agenda

• Overview: Cyber risk in Treasury

• Real Life Business Case (Rockefeller Group)

• Best Practices

Page 4: Overview: Cyber Risk and Fraud

Page 5: Headlines

© 2014 Kyriba Corporation. All rights reserved. PROPRIETARY & CONFIDENTIAL.

Page 6: How prevalent is this threat?

It’s not a question of “if” you will be impacted. It’s a question of how significant an impact it will be.

“Government officials and security experts have long warned of the possibility of cyber disruptions in the financial system and other essential services and utilities.”

• Xoom Corp. CFO resigns after fraudsters steal $30.8M in corporate cash (“the email”) (San Francisco Business Times)

• Bangladesh Central Bank Found $100 Million Missing After a Weekend Break (Wall Street Journal)

Page 7: Payment Trend

Source: AFP 2016 Payment Fraud Survey

Page 8: Size doesn’t matter

Source: AFP 2016 Payment Fraud Survey

Page 9: Types of Payment Fraud

Check fraud

– Altered checks

– Forgeries

– Counterfeit checks

– Remotely created checks

– Lockbox scam

– Etc.

Electronic fraud (unauthorized ACH/wire)

– Corporate account takeover

– Check conversion counterfeits

– Social engineering (phishing/spear phishing)

– Keystroke-logging software (keyloggers)

– Password guessing (birthdays, Fido1234)

– Etc.

Credit card & P-card

Page 10: Wires – Second to checks

Page 11: Business Email Compromise (BEC)

Source: FBI Internet Crime Complaint Center (IC3)

64% of participants in the 2016 AFP survey were exposed to BEC

Page 12: Framing the problem

There are several risks and exposures:

– Internal threats

• Theft or malicious acts

• Human error

– External threats

• Social engineering: hacking your process (Rockefeller Group’s experience with BEC)

• Technical (security exposures, remote control)

– Environmental

• Denial of service

• Acts of God (Hurricane Sandy)

Page 13: Real Life Business Case (Rockefeller Group)

Page 14: Fraud Attempt - Background

• In early 2015 Rockefeller Group was targeted by cyber criminals: fraudsters attempted to deceive the organization into transferring $8M for a fraudulent acquisition

• Fortunately, the attempt failed

• The fraud attempt was credible and sophisticated in its construction:

– The email appeared to be coming from the CEO’s email account and was written in a style that effectively mimicked the CEO

– The fraudulent acquisition was consistent with the company’s prior history of acquiring UK subsidiaries

– The email targeted the Assistant Treasurer on a day that the Treasurer was out of the office

• The fraudulent payment may have been made if it were not for the payment protocols that our organization has in place to ensure all wires are legitimate and accurate

Page 15: Payment Protocols

Rockefeller Group has a system of payment protocols in place that protected the company from being a victim of fraud, including:

• Segregation of duties

• Physical and electronic forms

• Payment authorization limits

• Kyriba workstation

• Bank controls (positive pay, ACH debit block, etc.)

• Employee education

• Written policies that are widely communicated

• Hiring employees with high integrity

• Internal and external audits

• Senior management understanding and active support

Page 16: Payment Protocols: why the attempt failed

Returning to our fraud attempt, let’s discuss specifically why it failed:

• Segregation of duties: the Assistant Treasurer would not have been able to input and release the wire on his own in our Kyriba workstation; it would have required assistance from the Cash Manager

• Physical form / payment authorization limits: payments cannot be released without a physical signature from the requestor and from an approver with sufficient authorization

• Kyriba workstation: prevented the Assistant Treasurer from releasing a wire above a certain threshold; only the IT department, with approval from the Treasurer, can raise the threshold

• Employee education: members of the Treasury department had recently taken part in a fraud prevention seminar

• Written policies that are widely communicated: the Assistant Treasurer was well aware that he was unable to process the wire without proper support

• Hiring employees with high integrity
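The controls this slide credits with stopping the wire can be written down as an explicit release check, which makes it visible that a single deceived employee cannot satisfy them alone. The Python below is an added example, not code from the Kyriba workstation or from Rockefeller Group; the user names, roles, approval and release limits, the threshold values and the $8M wire are all constructed for illustration. It walks the constructed wire through each control in turn and reports which one stops it.

```python
# Added example, not code from the Kyriba deck or Rockefeller Group's systems:
# a policy-as-code model of the controls credited with stopping the $8M wire.
# Names, roles, limits and threshold values are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class User:
    name: str
    role: str              # "assistant_treasurer", "cash_manager", "treasurer", "it"
    approval_limit: int    # largest wire (USD) this user may sign off as approver
    release_limit: int     # largest wire (USD) this user may release in the workstation


@dataclass
class Wire:
    amount: int
    beneficiary: str
    entered_by: str                       # user who keyed the wire into the workstation
    signed_form: bool = False             # physical form with requestor signature present
    approvers: List[str] = field(default_factory=list)  # approver signatures on the form


class WireReleasePolicy:
    def __init__(self, users: List[User]):
        self.users: Dict[str, User] = {u.name: u for u in users}

    def check_release(self, wire: Wire, releaser: str) -> str:
        """Return "released" or a "denied: <control>" reason; first failing control wins."""
        r = self.users[releaser]
        # Segregation of duties: the user who entered the wire may not also release it.
        if wire.entered_by == releaser:
            return "denied: segregation of duties"
        # Physical form: no release without the requestor's signature on the form.
        if not wire.signed_form:
            return "denied: no signed payment form"
        # Authorization limit: an approver other than the requestor, whose limit
        # covers the amount, must have signed the form.
        valid = [a for a in wire.approvers
                 if a != wire.entered_by and self.users[a].approval_limit >= wire.amount]
        if not valid:
            return "denied: no approver with sufficient authorization"
        # Workstation threshold: the releaser's own release limit caps what they can send.
        if wire.amount > r.release_limit:
            return "denied: amount exceeds releaser's workstation threshold"
        return "released"

    def raise_release_limit(self, target: str, new_limit: int,
                            changed_by: str, approved_by: str) -> bool:
        """Only IT may change a threshold, and only with the Treasurer's approval."""
        if self.users[changed_by].role != "it" or self.users[approved_by].role != "treasurer":
            return False
        old = self.users[target]
        self.users[target] = User(old.name, old.role, old.approval_limit, new_limit)
        return True


def demo() -> List[str]:
    """Walk the constructed $8M 'acquisition' wire through the controls; return each outcome."""
    policy = WireReleasePolicy([
        User("asst_treasurer", "assistant_treasurer", approval_limit=250_000, release_limit=250_000),
        User("cash_manager", "cash_manager", approval_limit=0, release_limit=1_000_000),
        User("treasurer", "treasurer", approval_limit=10_000_000, release_limit=10_000_000),
        User("it_admin", "it", approval_limit=0, release_limit=0),
    ])
    wire = Wire(amount=8_000_000, beneficiary="UK Acquisition Escrow (constructed)",
                entered_by="asst_treasurer")
    out = []
    out.append(policy.check_release(wire, "asst_treasurer"))   # entered it himself
    out.append(policy.check_release(wire, "cash_manager"))     # no signed form yet
    wire.signed_form = True
    wire.approvers = ["asst_treasurer"]                        # requestor signing for himself
    out.append(policy.check_release(wire, "cash_manager"))     # no independent approver
    wire.approvers.append("treasurer")
    out.append(policy.check_release(wire, "cash_manager"))     # over the workstation threshold
    out.append(str(policy.raise_release_limit("cash_manager", 10_000_000,
                                              changed_by="asst_treasurer", approved_by="treasurer")))
    out.append(str(policy.raise_release_limit("cash_manager", 10_000_000,
                                              changed_by="it_admin", approved_by="treasurer")))
    out.append(policy.check_release(wire, "cash_manager"))     # every control now satisfied
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the walk-through is that the spoofed CEO email only had to convince one person, yet releasing the wire requires the Cash Manager to act, an independent approver with a high enough limit to sign, and IT plus the Treasurer to move the threshold. Each of those is a separate person who can ask why an $8M acquisition payment is being rushed while the Treasurer is out.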

Page 17: Best Practice Recommendations

Page 18: Action plan

Look at all of the components, procedures, partners and communication channels

• Determine all places where your data originates, is transported, and is stored

• Evaluate both the current level of security and existing exposures

• Review your payment procedures and initiation controls

• Involve partners, both internal (AP, IT, Audit) and external (banks, SWIFT, vendors)

• Evaluate the potential for loss of control and inability to execute

Develop an action plan

• Response team

• Review each potential type of breakdown

• Enhance protection where possible

• Create a response plan for the inevitable breach

• Decide which risks are acceptable and which are unacceptable

Page 19: Action plan: liability, insurance and experts

Understand liability and insurance

• Who has liability in case of an event?

• Understand your vendors’ and banks’ liability coverage and your comfort with it

• Use insurance riders and/or cyber insurance as an umbrella (could be multiple policies)

• Be sure both money and securities are covered

Leverage experts

• Bank and vendor recommendations

• Focused Treasury Risk Assessment (not general), as well as Corporate Payments and Cyber Risk

• Expert advice and best practices

• Outside perspective

• Regular tune-ups

Page 20: General Recommendations: Technical Controls

Diagram: Company → SaaS Hosted TMS → SWIFT Bureau → Bank. Boxes are areas you, your vendors or your banks must be sure are secured; arrows are the communication channels to be protected.

Areas of vulnerability to question at each box and arrow:

• Who has access to data?

• Which users have permission to initiate?

• What are the physical security controls?

• Are transmissions encrypted?

• Are communications unreadable and unalterable?

• Robustness of connectivity

• Authentication of messages and sender

• Alternate initiation plans

Page 21: General Recommendations

(Same Company → SaaS Hosted TMS → SWIFT Bureau → Bank diagram as the previous slide.)

Review policies and controls

Encrypt, encrypt, encrypt

• Data at rest must be encrypted.

• Data in flight must be encrypted.

Verification

• Acknowledgements/confirmations

• Central, frequent monitoring of data and workflows

• Digital signatures (e.g. SWIFT 3SKey) and two-factor authentication, plus checksums and secondary validation, to authenticate payment files

Action plan for breach or incident: proactive vs. reactive
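To make the verification bullet concrete, the following Python is an added example (not the deck’s own code, nor Kyriba’s or SWIFT’s) that authenticates a constructed payment file three ways: a keyless SHA-256 checksum, an HMAC-SHA256 tag under a key assumed to be shared out of band between the treasury system and the bank, and control totals as secondary validation. The file format, records, account numbers, key and totals are all constructed. It also shows the caveat a practitioner needs: a checksum on its own does not stop a beneficiary substitution, because whoever alters the file can recompute it; only the keyed tag (or, in a 3SKey deployment, the asymmetric signature) does.

```python
# Added example, not code from the deck, Kyriba or SWIFT: authenticating a payment
# file before the bank or bureau acts on it. All records, keys and totals are constructed.
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sample file: one payment per line, fields separated by '|':
# id|beneficiary name|beneficiary account|amount (USD with two decimals)
PAYMENT_FILE = (
    b"PAY001|Acme Supplies Ltd|GB29NWBK60161331926819|125000.00\n"
    b"PAY002|Northwind Services|DE89370400440532013000|48750.25\n"
    b"PAY003|Contoso Facilities|FR7630006000011234567890189|9999.75\n"
)
# Control totals the treasury system recorded when it built the file
# (a count and a sum, sent separately, e.g. in an acknowledgement message).
EXPECTED_COUNT = 3
EXPECTED_TOTAL_CENTS = 12_500_000 + 4_875_025 + 999_975  # 18_375_000

# Hypothetical key shared out of band between the TMS and the bank; a SWIFT 3SKey
# deployment would use an asymmetric signature instead, with the same verify step.
FILE_MAC_KEY = bytes.fromhex(
    "4b6a2d0e9c7f31a8d5e2b07c6f1a9e3d2c8b7a6f5e4d3c2b1a0f9e8d7c6b5a49"
)


def checksum(body: bytes) -> str:
    """Keyless integrity check: catches corruption, but anyone can recompute it."""
    return hashlib.sha256(body).hexdigest()


def sign(body: bytes, key: bytes) -> str:
    """Keyed MAC over the exact bytes: only a key holder can produce a valid tag."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, key: bytes, tag: str) -> bool:
    # compare_digest avoids leaking the position of the first mismatching byte
    return hmac.compare_digest(sign(body, key), tag)


def control_totals(body: bytes) -> Tuple[int, int]:
    """Secondary validation: (record count, sum of amounts in cents)."""
    count = total = 0
    for line in body.decode("ascii").splitlines():
        if not line.strip():
            continue
        _pid, _name, _account, amount = line.split("|")
        dollars, cents = amount.split(".")
        total += int(dollars) * 100 + int(cents)
        count += 1
    return count, total


def validate_file(body: bytes, expected_checksum: str, tag: str, key: bytes,
                  expected_count: int, expected_total: int) -> Dict[str, bool]:
    """Run every check independently so the caller sees which control fired."""
    count, total = control_totals(body)
    return {
        "checksum_ok": hmac.compare_digest(checksum(body), expected_checksum),
        "signature_ok": verify_signature(body, key, tag),
        "totals_ok": count == expected_count and total == expected_total,
    }


def tamper_beneficiary(body: bytes) -> bytes:
    """The BEC goal: same amounts and record count, different destination account."""
    return body.replace(b"GB29NWBK60161331926819", b"GB00ATTK00000000000001")


def demo() -> Tuple[Dict[str, bool], Dict[str, bool]]:
    """Honest file versus a file altered in transit with the checksum recomputed."""
    tag = sign(PAYMENT_FILE, FILE_MAC_KEY)
    honest = validate_file(PAYMENT_FILE, checksum(PAYMENT_FILE), tag, FILE_MAC_KEY,
                           EXPECTED_COUNT, EXPECTED_TOTAL_CENTS)
    # The attacker can recompute the keyless checksum and replay the original tag,
    # but cannot produce a new tag without FILE_MAC_KEY.
    forged = tamper_beneficiary(PAYMENT_FILE)
    attacked = validate_file(forged, checksum(forged), tag, FILE_MAC_KEY,
                             EXPECTED_COUNT, EXPECTED_TOTAL_CENTS)
    return honest, attacked


if __name__ == "__main__":
    honest, attacked = demo()
    print("honest file:  ", honest)
    print("altered file: ", attacked)
```

Note what the altered file passes: the recomputed checksum matches and the control totals still agree, because the attacker changed only the account, not the amounts. Only the keyed tag fails. The converse caveat also matters: a tag or signature proves the file is the one the treasury system released, not that the instruction inside it was legitimate, so file authentication complements the approval controls of the previous section rather than replacing them.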

Page 22: Resources

• Kyriba

• Treasury Strategies

• Your banks

• AFP

• Other:

– FBI Internet Crime Complaint Center, IC3 (http://www.ic3.gov)

– Federal Reserve (http://takeonpayments.frbatlanta.org)

– NCFTA (https://www.ncfta.net)

– FFIEC Cybersecurity Assessment Tool (https://www.ffiec.gov/cyberassessmenttool.htm)

– US Secret Service Cyber Intelligence Center

Page 23: A Matter of WHEN, not IF

“When the time for decision arrives, the time for preparation has passed.” (Tom Monson)

Page 24: Additional Resources

• eBook: Six questions every treasurer should ask about their cash forecasting process (http://kyri.ba/FraudQuestionsEbook)

• White Paper: Leveraging Treasury Technology in the War Against Fraud (http://kyri.ba/TMSagainstFraud)

Page 25: Thanks for attending

facebook.com/kyribacorp

twitter.com/kyribacorp

linkedin.com/company/kyriba-corporation

youtube.com/kyribacorp

slideshare.com/kyriba

kyriba.com/blog