The European Association of Corporate Treasurers (EACT) has published a guide to ensuring your company is protected from cyber threats. Produced by the EACT's CyberSecurity Working Group, the guide is a collection of best practices including pointers on treasury infrastructure, minimising the risk of external connections and protocols for manual interactions. The EACT states: “Treasurers need to ensure that controls are in place to protect the corporate assets and, as such, should take a lead role in protecting the company from cyber threats.”

Some of the main principles outlined in the guide include:

Creating a cross-business team

Those working in a company's IT, data security and internal audit need to work closely and pool expertise to “audit risky processes, run security penetration tests, and then jointly assess the levels of risk to the organisation before determining an action plan”.

Protect treasury infrastructure

The guide provides a useful list of starting points for assessing the risk to treasury systems:

• How is your treasury infrastructure (servers, switches, storage, routers, modems, leased lines, etc.) physically restricted from tampering?
• Do machines with access to the treasury infrastructure have unused ports and external access ports (e.g. USB) blocked to prevent someone installing malware?
• Do any machines on the network have access to the internet or email where someone could accidentally download a virus/malware? If so what mitigations are in place to reduce the risk?
• Do all the systems in the network use a firewall, antivirus, have up-to-date operating systems and antivirus signatures?
• What level of authentication is used for key users (e.g. admin or payment authorisers)? Is a username and password sufficient or should two-factor authentication be considered?

Risk from external connections

Protecting treasury and company data when it leaves the treasury infrastructure is just as important. Again, the EACT guide recommends considering the following potential weak points:

• Does your system extract the data from the ERP system and then encrypt it or does the data come out encrypted? If it is extracted unencrypted, who has access to the folders where the data is stored?
• If you have any systems on the cloud, is your cloud provider ISO 27001 certified? Does your cloud provider transfer data to unsecured servers at any point? Are employees from the cloud provider vetted?
• If you are using a SWIFT service bureau, do they have certification from SWIFT to operate and can they provide a SAS70 type II audit report? Are they compliant with the latest version of SWIFT SIP Release to attest their level of security?
• If third party vendors have access to your network, are their cybersecurity controls and incident response appropriate for the services they provide and access they have?

For more details from the EACT on how to improve your company's response to cybersecurity threats read the full guide here.