There is a cyberattack every 39 seconds, on average, according to a study by the University of Maryland’s Clark School. Cybercriminals are infiltrating organizations and compromising computer networks, information technology infrastructure and systems, particularly corporate payment systems. These attacks are opening the doors to more fraud.
Global losses from payment fraud tripled from US$9.84 billion in 2011 to $32.39 in 2020, and losses are projected at $40.62 billion in 2027 – 25% higher than in 2020 – according to Merchant Savvy Global Payment Fraud Statistics, Trends & Forecasts (2020).
Concerns about fraud and cybersecurity are growing. Between February and March 2022, the LAPSUS$ hacking group initiated cyberattacks against Microsoft, Nvidia, Okta, Samsung and other companies. Last week, US President Joe Biden warned US companies of potential cyberattacks from Russia.
According to the 2022 Treasury Fraud & Controls (TF&C) Survey Report produced by Strategic Treasurer and underwritten by Bottomline Technologies, 78% of respondents (comprising over 230 treasury and finance professionals from corporations and banks around the world) had experienced fraud and suspected fraud during the preceding 12 months. Eighty-four percent of respondents indicated their perception that the threat level from fraud had increased from the previous year.
The COVID-19 pandemic exposed the dependencies in global supply chains, and the Russian invasion has thrown another wrench into long-term supply chains and logistics. The Russia-Ukraine conflict is likely to impact risk management in organizations near and far. Cybersecurity is a critical component of risk management, and managing the risk of an organization’s supply chain network is becoming increasingly important as corporations seek to extend their global reach.
Supply chain cyberattacks (also known as third-party or value-chain attacks) are emerging as the hackers’ new favourite weapon, exploiting a weak link in cybersecurity. Attacks on an organization’s supply chain network have ripple effects. A single compromised or exploited supplier or third-party vendor (a single hack) can result in attacks on hundreds of thousands of companies around the world.
In July 2021, enterprise information technology company Kaseya became a victim of a major cyberattack. Cybercriminals carried out a supply chain ransomware attack by leveraging a vulnerability in its VSA software directed against managed service providers (MSPs) and their customers. Kaseya said 60 customers and 1,500 companies, all of whom were using the VSA on-premises product, were compromised and impacted by the attack. As a provider of technology to MSPs, which serve other companies, Kaseya is central to a wider software supply chain.
Given the growing complexity of the supplier network (suppliers and buyers) and increasing reliance on third parties, corporations are expected to perform cybersecurity due diligence around their supplier network. Yet only 23% of all corporate respondents in the Strategic Treasurer 2022 TF&C survey report assessed cybersecurity due diligence of all relevant vendors. Twenty-three percent of corporate respondents focused on cybersecurity due diligence of major or critical suppliers and those that are more digitally closely connected.
What is concerning is that while supply chain attacks are considered pernicious, 53% of respondents either do not (21%) conduct cybersecurity due diligence of their supplier network or are unsure (32%) of reviewing cybersecurity due diligence of their vendors.
In 2020, the SolarWinds hack triggered an unprecedented, massive and highly sophisticated supply chain security incident that affected hundreds of organizations (Microsoft, Cisco Systems, Intel and FireEye), including US government agencies. Several other major incidents during the past two years have also demonstrated the large-scale consequences supply chain attacks can have. Given the frequency and success of supply chain attacks thus far, and how compromising a business supply chain enables cyber saboteurs to gain access to an organization that provides software or services to many other companies, particularly finding a potential way into thousands of targets at once, the threat of continual supply chain cyberattacks is considerable and will remain so for the foreseeable future.
The inherent global nature of a supplier network that connects software, employees, customers, suppliers, vendors and other third parties, the rise and intensification of third-party or value-chain cyberattacks, and the ongoing Russia-Ukraine crisis all increase the possibility that one business and digital supply chain cyber hack can leave countless organizations vulnerable to fraud.
In such uncertain times, it is prudent to tighten corporate risk management practices and perform cybersecurity due diligence of all tiers of a company’s supplier network to minimize the risk of supply chain cyberattacks.
Supply chain tiering structure is comprised of three levels – tiers 1, 2 and 3. Tier 1 vendors (largest suppliers), which are considered the most important component in the supply chain, also pose the greatest risk to overall security.
Many corporations focus primarily on tier 1 suppliers. However, given that supply chain cyberattacks are an enduring threat and a growing menace for enterprises, it is becoming increasingly important for organizations to assess the cybersecurity hygiene of their tier 2 vendors and beyond, primarily because many of these companies are small and medium-sized businesses with limited security and compliance resources.
According to the Association of Certified Fraud Examiners (ACFE), a typical organization loses 5% of its revenue annually due to fraud. ACFE states, “As criminals continue to perpetrate fraud, it is no longer a question of if fraud will occur, but rather when it will occur at an organization.”
Managing modern corporate supply chains is becoming increasingly complex. The pandemic pushed supply chain attack issues front-and-centre, and the growing reliance on digital supply solutions has also set the stage for rising supply chain attacks.
Treasurers, considered as the superintendents of payment security, may regard cybersecurity due diligence of smaller suppliers as unnecessary, particularly those who only constitute a small portion of their overall spend. However, all it takes is one supplier to suffer a cyber breach to then expose sensitive corporate data and have a ripple effect across hundreds of thousands organizations worldwide.
It is time for treasurers to drill down deeper into their supply chain, looking multiple layers beneath their tier 1 suppliers to mitigate the impact of supply chain attacks. Otherwise, it may be just a matter of when and how they become a victim of fraud.
To download the 2022 Treasury Fraud & Controls Survey Report, please visit strategictreasurer.com/2022-treasury-fraud-and-controls/
Like this item? Get our Weekly Update newsletter. Subscribe today