Assistant treasurers exchange recent scary cyber tales of success and failure.
In a breakout session at NeuGroup’s Assistant Treasurers’ Leadership Group focusing on securing companies from cyberattacks, members recounted recent experiences and the conundrums they face combating them.
Digital protection, à la carte. NeuGroup’s own Scott Flieger, director of peer groups, said a fellow member of a college board who runs a cybersecurity advisory firm recommends companies make a menu of their digital assets, from bank accounts onward, and seek to value them, then ask how much the company is willing to pay to protect each asset. He added that few understand a company’s digital assets better than assistant treasurers. “Being the person in treasury who has an inventory of the digital assets and can value their importance—that’s an important position,” Mr. Flieger said.
Bad timing. The email system of a NeuGroup member firm’s collections team was compromised, revealing all its customer contacts. The fraudsters then sent realistically scripted emails to customers requesting payments be sent to a different bank and providing the necessary details.
The member’s security team wanted to alert customers, but it was two weeks from quarter end, “and you don’t want to spook customers so they don’t pay you—a real treasury issue,” the member said.
Cyber reticence. Companies develop their cybersecurity plans internally, but then what? “One of our biggest challenges was that people don’t want to talk about cybersecurity,” one participant said, noting wariness about discussing the plan with third parties.
- “We had a hard time finding peers to benchmark against, and we were paranoid as well, creating a special NDA that we made all of our banking partners sign before talking about our cybersecurity,” he said. Even his team’s discussion about how to store the plan was challenging, “because we effectively created a playbook for how to hack us.”
Cryptocurrency conundrum. A ransomware attacker may demand the transfer of $50,000 in Bitcoin to a cryptocurrency account to unfreeze a company’s system. If news breaks on CNBC about the attack, pressure will mount to meet that demand, but opening cryptocurrency accounts takes time. Companies may open cryptocurrency accounts in preparation for an attack, but if that information became public in an earnings call, would it invite such attacks? And should any payment be made at all, given that the attacker could be a terrorist organization?
- One solution: “We back up all our data, even on the desktops, so if we get locked out of our primary system, we can just reload everything,” one member said.