April 21st, 2016
Minimizing Payments Fraud
© 2015 Kyriba Corp. All rights reserved. PROPRIETARY & CONFIDENTIAL. 2
Today’s Presenters
Sam Pallotta: VP, Treasurer, Rockefeller Group International
RB Erickson: Director, Global Sales Enablement, Kyriba
Jeff Diorio: Managing Director, Treasury Strategies
Agenda
• Overview: Cyber risk in Treasury
• Real Life Business Case (Rockefeller Group)
• Best Practices
Overview: Cyber Risk and Fraud
© 2014 Kyriba Corporation. All rights reserved. PROPRIETARY & CONFIDENTIAL.
Headlines
How prevalent is this threat?
It’s not a question of “if” you will be impacted. It’s a question of how significant an impact it will be.
“Government officials and security experts have long warned of the possibility of cyber disruptions in the financial system and other essential services and utilities.”
Xoom Corp. CFO resigns after fraudsters steal $30.8M in corporate cash (“the email”) (San Francisco Business Times)
Bangladesh Central Bank Found $100 Million Missing After a Weekend Break (Wall Street Journal)
Payment Trend (chart; source: AFP 2016 Payment Fraud Survey)
Size doesn’t matter (chart; source: AFP 2016 Payment Fraud Survey)
Types of Payment Fraud
Check fraud
– Altered checks
– Forgeries
– Counterfeit checks
– Remotely created checks
– Lockbox scam
– Etc.
Electronic fraud (unauthorized ACH/wire)
– Corporate account takeover
– Check conversion counterfeits
– Social engineering: phishing/spear phishing
– Keystroke software
– Password engineering (birthdays, Fido1234)
– Etc.
Credit card & P-card
Wires – Second to checks
Business Email Compromise (BEC)
FBI Internet Crime Complaint Center (IC3)
64% of participants in the 2016 AFP survey were exposed to BEC
Framing the problem
There are several risks and exposures:
– Internal threats
  • Theft or malicious acts
  • Human error
– External threats
  • Social engineering: hacking your process (Rockefeller Group’s experience with BEC)
  • Technical (security exposures, remote control)
– Environmental
  • Denial of service
  • Act of God (Hurricane Sandy)
Real Life Business Case (Rockefeller Group)
Fraud Attempt - Background
- In early 2015 Rockefeller Group was targeted by cyber criminals: fraudsters attempted to deceive the organization into transferring $8M for a fraudulent acquisition
- Fortunately, the attempt failed
- The fraud attempt was credible and sophisticated in its construction
- The email appeared to come from the CEO’s email account and was written in a style that effectively mimicked the CEO
- The fraudulent acquisition was consistent with the company’s prior history of acquiring UK subsidiaries
- The email targeted the Assistant Treasurer on a day the Treasurer was out of the office
- The fraudulent payment might have been made if it were not for the payment protocols our organization has in place to ensure all wires are legitimate and accurate
Payment Protocols
- Rockefeller Group has a system of payment protocols in place that protected the company from being a victim of fraud, including:
  - Segregation of duties
  - Physical and electronic forms
  - Payment authorization limits
  - Kyriba workstation
  - Bank controls (positive pay, ACH debit block, etc.)
  - Employee education
  - Written policies that are widely communicated
  - Hiring employees with high integrity
  - Internal and external audits
  - Senior management understanding and active support
Payment Protocols
- Returning to our fraud attempt, let’s discuss specifically why it failed:
  - Segregation of duties: the Assistant Treasurer would not have been able to input and release the wire on his own in our Kyriba workstation; he would have required assistance from the Cash Manager
  - Physical form / payment authorization limits: payments cannot be released without a physical signature from the requestor and from an approver with sufficient authorization
  - Kyriba workstation: prevented the Assistant Treasurer from releasing a wire above a certain threshold; only the IT department, with approval from the Treasurer, can raise the threshold
  - Employee education: members of the Treasury department had recently taken part in a fraud prevention seminar
  - Written policies that are widely communicated: the Assistant Treasurer was well aware that he was unable to process the wire without proper support
  - Hiring employees with high integrity
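The three controls that stopped the wire (segregation of duties, a signed form with authorization limits, and a workstation release threshold the user cannot raise) can be written down as a release check that runs before any wire leaves. The Python below is an added example written for this page; it is not Rockefeller Group's or Kyriba's code. The roles, the dollar limits, the beneficiary strings and the user names are constructed assumptions, chosen so the check can replay the slide's scenario (an $8M wire, Assistant Treasurer acting alone while the Treasurer is out) next to a routine wire that follows the protocols.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class User:
    name: str
    role: str
    limit: int  # largest wire (USD) this user may approve or release; 0 = none


@dataclass
class WirePayment:
    amount: int
    beneficiary: str
    requestor: User
    inputter: Optional[User] = None
    approver: Optional[User] = None
    releaser: Optional[User] = None
    signed_form: FrozenSet[str] = frozenset()  # names signed on the physical payment form


def release_checks(p: WirePayment) -> List[str]:
    """Return every reason the wire must not be released; an empty list means all controls passed."""
    findings: List[str] = []

    # Control 1, segregation of duties: nobody may both input and release a wire.
    if p.inputter is None or p.releaser is None:
        findings.append("segregation of duties: wire needs both an inputter and a releaser")
    elif p.inputter.name == p.releaser.name:
        findings.append(f"segregation of duties: {p.inputter.name} both input and released the wire")

    # Control 2, physical form and authorization limits: the requestor and an approver
    # whose limit covers the amount must both have signed, and they must be different people.
    if p.requestor.name not in p.signed_form:
        findings.append("physical form: requestor has not signed")
    if p.approver is None:
        findings.append("physical form: no approver on the form")
    else:
        if p.approver.name not in p.signed_form:
            findings.append(f"physical form: approver {p.approver.name} has not signed")
        if p.approver.name == p.requestor.name:
            findings.append("authorization: the requestor may not approve their own wire")
        if p.approver.limit < p.amount:
            findings.append(
                f"authorization limit: {p.approver.name} may approve up to "
                f"{p.approver.limit:,}, wire is {p.amount:,}"
            )

    # Control 3, workstation threshold: the TMS refuses release above the releaser's
    # limit, and only IT (with Treasurer approval) can raise that limit, never the user.
    if p.releaser is not None and p.releaser.limit < p.amount:
        findings.append(
            f"workstation threshold: {p.releaser.name} may release up to "
            f"{p.releaser.limit:,}, wire is {p.amount:,}"
        )
    return findings


# Constructed roles and limits; illustrative values, not Rockefeller Group's real ones.
ASSISTANT_TREASURER = User("asst_treasurer", "Assistant Treasurer", limit=250_000)
CASH_MANAGER = User("cash_manager", "Cash Manager", limit=250_000)
TREASURER = User("treasurer", "Treasurer", limit=10_000_000)


def bec_attempt() -> List[str]:
    """The slide's scenario: an $8M 'acquisition' wire requested by a spoofed CEO email,
    with the Assistant Treasurer (Treasurer out of office) trying to push it through alone."""
    wire = WirePayment(
        amount=8_000_000,
        beneficiary="UK acquisition escrow (constructed, fraudulent)",
        requestor=ASSISTANT_TREASURER,
        inputter=ASSISTANT_TREASURER,
        approver=None,
        releaser=ASSISTANT_TREASURER,
    )
    return release_checks(wire)


def legitimate_wire() -> List[str]:
    """A routine wire that follows the protocols: distinct inputter and releaser,
    signed form, and approver and releaser limits that cover the amount."""
    wire = WirePayment(
        amount=150_000,
        beneficiary="Approved vendor (constructed)",
        requestor=ASSISTANT_TREASURER,
        inputter=ASSISTANT_TREASURER,
        approver=TREASURER,
        releaser=CASH_MANAGER,
        signed_form=frozenset({ASSISTANT_TREASURER.name, TREASURER.name}),
    )
    return release_checks(wire)


if __name__ == "__main__":
    for label, findings in (("BEC attempt", bec_attempt()), ("legitimate wire", legitimate_wire())):
        print(label, "->", "HOLD" if findings else "RELEASE")
        for f in findings:
            print("   ", f)
```

Run as a script, the BEC attempt is held on four separate findings, so the wire would have been stopped even if any one control had been bypassed; the routine wire passes with none. The point the slide makes is visible in the code: each control is checked independently, and no single role holds enough authority to clear all of them.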
Best Practice Recommendations
Action plan
Look at all of the components, procedures, partners and communication channels
• Determine all places where your data originates, is transported, and is stored
• Evaluate both the current level of security and existing exposures
• Review your payment procedures and initiation controls
• Involve partners, both internal (AP, IT, Audit) and external (banks, SWIFT, vendors)
• Evaluate the potential for loss of control and inability to execute
Develop an action plan
• Response team
• Review each potential type of breakdown
• Enhance protection where possible
• Create a response plan for the inevitable breach
• Decide which risks are acceptable and which are unacceptable
Action plan
Understand liability and insurance
• Who has liability in case of an event?
• Understand your vendors’ and banks’ liability coverage and your comfort with it
• Use insurance riders and/or cyber insurance as an umbrella (could be multiple policies)
• Be sure that both money and securities are covered
Leverage experts
• Bank and vendor recommendations
• Focused Treasury risk assessment (not a general one), as well as corporate payments and cyber risk
• Expert advice and best practices
• Outside perspective
• Regular tune-ups
General Recommendations: Technical Controls
Areas of vulnerability (diagram): the boxes are Company, SaaS / Hosted TMS, SWIFT Bureau and Bank, i.e. the areas you, your vendors or your banks must be sure are secured; the arrows between them are the communication channels to be protected.
Questions to ask of each box and each channel:
• Who has access to data?
• What users have permission to initiate?
• What are the physical security controls?
• Are transmissions encrypted?
• Are communications unreadable and unalterable?
• Robustness of connectivity
• Authentication of messages and sender
• Alternate initiation plans
General Recommendations
Review policies and controls
Encrypt, encrypt, encrypt
• Data at rest must be encrypted.
• Data in flight must be encrypted.
Verification
• Acknowledgements/confirmations
• Central, frequent monitoring of data and workflows
• Digital signatures (e.g. two-factor authentication, SWIFT 3SKey), checksums and secondary validation to authenticate payment files
Action plan for breach or incident: proactive vs. reactive
(Diagram repeated: Company, SaaS / Hosted TMS, SWIFT Bureau, Bank)
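Three of the verification bullets above (acknowledgements/confirmations, digital signatures with checksums, and secondary validation of payment files) can be shown together on a single payment file. The Python below is an added example for this page; it is not Kyriba's, SWIFT's or any bank's code. The file layout with its header and trailer control records, the amounts, the account strings and the shared key are all constructed, and HMAC-SHA256 over a shared secret stands in for the PKI-based signature a product such as SWIFT 3SKey provides. The structure of the checks is what matters: verify before processing, compare in constant time, and re-add the control totals independently of whoever produced the file.

```python
import hashlib
import hmac
from typing import List

# Constructed sample payment file (an illustrative layout, not a real bank or SWIFT format):
#   HDR,<originator>,<date>
#   PAY,<id>,<beneficiary account>,<amount in cents>
#   TRL,<record count>,<total in cents>
PAYMENT_FILE = (
    "HDR,EXAMPLE-CO-TREASURY,2016-04-21\n"
    "PAY,0001,GB00TEST00000001,1250000\n"
    "PAY,0002,GB00TEST00000002,830000\n"
    "TRL,2,2080000\n"
)

# Constructed shared secret; in practice a key agreed with the bank or bureau out of band.
SIGNING_KEY = b"example-key-do-not-use-in-production"


def sign_payment_file(key: bytes, data: str) -> str:
    """Sender side: HMAC-SHA256 over the whole file, standing in for a PKI signature."""
    return hmac.new(key, data.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_payment_file(key: bytes, data: str, tag: str) -> bool:
    """Receiver side: constant-time comparison so the check does not leak the expected tag."""
    return hmac.compare_digest(sign_payment_file(key, data), tag)


def file_checksum(data: str) -> str:
    """Checksum the receiver echoes back in its acknowledgement."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def secondary_validation(data: str) -> List[str]:
    """Independent content checks: the trailer's control totals must match the records."""
    problems: List[str] = []
    lines = data.strip().split("\n")
    if not lines or not lines[0].startswith("HDR,"):
        problems.append("missing header record")
    records = [line.split(",") for line in lines if line.startswith("PAY,")]
    trailers = [line.split(",") for line in lines if line.startswith("TRL,")]
    if len(trailers) != 1:
        problems.append("trailer record missing or duplicated")
        return problems
    declared_count, declared_total = int(trailers[0][1]), int(trailers[0][2])
    if declared_count != len(records):
        problems.append(f"record count {len(records)} differs from trailer count {declared_count}")
    actual_total = sum(int(r[3]) for r in records)
    if actual_total != declared_total:
        problems.append(f"control total {actual_total} differs from trailer total {declared_total}")
    ids = [r[1] for r in records]
    if len(ids) != len(set(ids)):
        problems.append("duplicate payment ids")
    return problems


def inspect_incoming(key: bytes, data: str, tag: str) -> List[str]:
    """Receiver's decision: every reason to reject the file; an empty list means accept."""
    reasons: List[str] = []
    if not verify_payment_file(key, data, tag):
        reasons.append("signature does not verify: file altered or not from the expected sender")
    reasons.extend(secondary_validation(data))
    return reasons


def acknowledgement_matches(sent: str, received: str) -> bool:
    """Sender compares the checksum in the bank's acknowledgement with its own copy of the file."""
    return hmac.compare_digest(file_checksum(sent), file_checksum(received))


if __name__ == "__main__":
    tag = sign_payment_file(SIGNING_KEY, PAYMENT_FILE)
    print("clean file  :", inspect_incoming(SIGNING_KEY, PAYMENT_FILE, tag) or "accept")
    # Constructed tampering 1: beneficiary account swapped in transit. Totals still balance,
    # so only the signature catches it.
    swapped = PAYMENT_FILE.replace("GB00TEST00000002", "GB00TEST00009999")
    print("swapped acct:", inspect_incoming(SIGNING_KEY, swapped, tag))
    # Constructed tampering 2: amount inflated. The signature and the control totals both catch it.
    inflated = PAYMENT_FILE.replace("830000", "8300000")
    print("inflated amt:", inspect_incoming(SIGNING_KEY, inflated, tag))
    print("ack matches :", acknowledgement_matches(PAYMENT_FILE, swapped))
```

The swapped-account case is the one to notice: the control totals still balance, so secondary validation alone would wave it through, and only the signature (or the checksum echoed back in the acknowledgement) reveals that the file the bank received is not the file treasury sent. That is why the slide lists all three mechanisms rather than any one of them.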
Resources
Kyriba
Treasury Strategies
Your banks
AFP
Other
– FBI Internet Crime Complaint Center, IC3 (http://www.ic3.gov)
– Federal Reserve (http://takeonpayments.frbatlanta.org)
– NCFTA (https://www.ncfta.net)
– FFIEC (https://www.ffiec.gov/cyberassessmenttool.htm)
– US Secret Service Cyber Intelligence Center
A Matter of WHEN, not IF
“When the time for decision arrives, the time for preparation has passed.” (Tom Monson)
Additional Resources
eBook: Six questions every treasurer should ask about their cash forecasting process
http://kyri.ba/FraudQuestionsEbook
White Paper: Leveraging Treasury Technology in the War Against Fraud
http://kyri.ba/TMSagainstFraud
Thanks for attending
facebook.com/kyribacorp
twitter.com/kyribacorp
linkedin.com/company/kyriba-corporation
youtube.com/kyribacorp
slideshare.com/kyriba
kyriba.com/blog