Growing companies go through many transitions: adding additional staff, expanding their customer base and engaging new suppliers. This growth translates into a need to formalize organizational financial processes, including the treasury function.
Prior to evolving into a true middle-market company, many organizations operate with their CEO acting as CFO, possibly supported by a bookkeeper and accountant. But as deposits grow and the dollar amounts flowing into and out of the company increase, financial professionals are needed for balance sheet management, payment processing and strategic insight.
While the business growth phase is fast-paced and exciting, innovation and expansion should not overshadow the need for effective risk management. Put simply, adding employees and customers to your roster and engaging in new vendor relationships creates added complexity and exposes an organization to additional risk for breaches, information leaks and fraud—topics that are top of mind for most companies.
‘A Daunting Prospect’
In a 2016 TD Bank survey of treasury and financial professionals, 34 percent of respondents identified the risk of payments fraud and cybersecurity threats as their greatest challenges. Their concern is justified: 74 percent of participants in the Association for Financial Professionals’ “Payments Fraud and Control Survey” reported their companies were victims of payments fraud last year.
These threats are unlikely to go away soon. A 2017 TD survey found that 91 percent of financial professionals believe these types of incidents will become a bigger threat over the next few years—a daunting prospect to a business in the midst of operationalizing a treasury management function.
“A smart middle-market company will look for opportunities to invest in and operationalize its fight against online criminals.”
Along with the potential for breaches, the costs of cyberattacks and payments fraud can range from hundreds to hundreds of thousands of dollars in losses. Check fraud losses, for instance, average between $1,000 to $2,000, according to the American Bankers Association, while the FBI reports that wire fraud losses average more than $130,000. These amounts do not include the indirect costs to a company of actions like investing in risk-management solutions and reimbursing affected parties, and the potential revenue losses due to reputation damage.
Stay a Step Ahead
Combating these risks means that middle-market companies need to step up their defenses. While there is no single, guaranteed solution, every participant in the business financial ecosystem—financial institutions, third-party payment processors and companies—must do their part to help prevent and minimize cyberattacks and payments fraud.
Many companies already have some amount of risk processes in place, but a smart middle-market company will look for opportunities to invest in and operationalize its fight against online criminals. Companies looking to reduce fraud and cyberrisks should consider taking the following steps.
Review and reconcile bank accounts daily to check for discrepancies, which will help flag suspicious or missing payments or wires almost immediately.
Verify all payment orders or account changes issued by company executives, customers or vendors by phone or in person, instead of relying on email confirmation.
Segregate employee functions: No employee should be responsible for both recording and processing a transaction. Limit the number of people who can authorize purchases and set a dollar limit that each employee can authorize.
Designate a computer to be used exclusively for banking transactions and restrict all other internet and email use. Do not access company financial information on any other computer. This will help block the most common entry point for cybercriminals.
Create strong passwords, change them frequently and prohibit the use of shared usernames and passwords. Make sure to update login information if an employee leaves the business.
Do not click on links in emails that indicate your bank needs you to update account information online. A financial institution would not email (or text) a customer to obtain or update this information.
Conduct background checks on all new hires, including contractors. Many successful cyberattacks leverage someone who is familiar with a company’s systems.
Train and educate employees about fraud and how to spot suspicious emails.
Form and maintain a committee for risk and fraud management. Cybercriminals are continually innovating their techniques, and executives need to meet the challenge by staying up to date on the latest technological and security solutions.
Even the most basic controls can go a long way in thwarting thieves. Sometimes common-sense solutions, such as establishing an open-door policy with the CFO for employees to verbally verify account change requests, can dramatically impede theft.
Taken together, the steps above will create a more solid security framework. In the meantime, implementing at least one of these best practices in the next 30 days can put your growing company steps ahead of fraudsters.
ACG is helping to educate lawmakers about the cybersecurity risks that middle-market companies face. Read more about those efforts.