The technical committee of the DACT has earlier drawn attention to cybersecurity risks, among others via the framework from the World Economic Forum and Deloitte. That work is largely focused on creating a resilient response model from a standalone corporate (treasury) perspective. TNO, the Dutch applied science research institute, recently published a report, “When the chain itself is the weakest link; Cybersecurity in the supply chain”, that suggests the standalone approach might no longer be sufficient. A recent example of a supply chain disruption is Cheesegate, which left a large retailer with empty cheese shelves.
The TNO report states that attempts to hack company networks are increasingly forced via suppliers and business partners, which thereby become risk vectors. An example of this threat is the MS Exchange Server breach. Another entry point into company networks is malicious software (malware) or the abuse of an unknown vulnerability in a widely used program, so that every company that uses the program can be infected. An example of this risk is SolarWinds, which affected even US Homeland Security and the US Treasury Department. A further susceptibility arises for companies that recently acquired a company and have not yet integrated these entities into their security network. The acquisition of older or customer-specific software and applications increases the vulnerability and complexity of the IT security landscape.
A complicating factor might be the move to the cloud, also for finance applications. Recent investigations from the State of DevSecOps report show that cloud breaches have been rampant over the last two years, and the latest research revealed that this trend will likely increase in velocity and scale. Misconfigured cloud storage services were commonplace in 93% of the cloud deployments that were analyzed. Most deployments also had at least one network exposure where a security group was left wide open. These two practices alone have been at the center of over 200 breaches that exposed 30 billion records in the past two years. The COVID-19-initiated work-from-home trend is an additional factor that complicates the IT security infrastructure.
Should the thought arise that this is only about physical supply chain risks, be aware that the physical supply chain has a monetary supply chain as well. From a PwC analysis we know that European companies rely on an average of six different applications for their core treasury function, typically including their ERP, TMS, spreadsheets and a market data provider. Their IT landscape can also include more specialised solutions for deal capture, valuations, confirmation matching, payment processing, regulatory reporting and commodity risk. The wider financial IT landscape might also include systems for receivables (securitisation) finance, supply chain finance, accounts receivable processing, consultants with their own laptops, etc.
The TNO report provides some guidance on dealing with network vulnerabilities beyond the standard measures of software updates, patching and restricting the rights of employees or partners, namely: study practices in other sectors (www.securitydelta.nl might be a good starting point) and share cyber threat intelligence with sector partners. Accenture, the professional services company, adds the following steps: supplier management (include security requirements in your contracts), asset management (know your applications), people awareness (apply the same strict security standards to individuals, including contractors, as to suppliers), monitoring and cyber threat intelligence, and continuous third-party risk management (their security is your security).
In case you feel that the DACT can contribute in this process via webinars or an active exchange of cyber threat information, please contact your DACT representative via: firstname.lastname@example.org