John A. Pendley

Information Security and Cloud-Based Computing: Tools for the Corporate Treasurer

Corporate treasurers are responsible for a great variety of activities. In addition to policymaking roles, treasurers may also be responsible for certain day-to-day activities, particularly those related to cash management and investment policy. For example, some treasurers are responsible for the management of customer invoicing, bill payment, cash transfers, and securities purchases and sales. With such a wide breadth of activities, it seems overkill to add information security to the mix. But, unfortunately, such must be the case in today's information processing environment.

This article describes cybersecurity issues for the financial treasurer. The treasurer faces some unique challenges because of the low-volume, high-value transactions typically handled [...] for the treasurers of the small or midsized organizations. But any financial manager involved in treasury-related functions should have a working knowledge of data security basics.

ARE YOU PREPARED?

Many types of data routinely handled by treasury departments are vulnerable to data loss or compromise. Cash transfers are routinely made in order to manage cash balances and ensure the availability of funds across the organization's functions. These transfers involve important and sensitive data, including account numbers, passwords, transaction identifiers, and routing numbers. [...] identifiers, and serial numbers. Payment systems, another treasury function in many organizations, can contain credit card numbers, security codes, and customer and vendor data. All of this information is subject to threats, such as malware and data loss, and is affected by compliance issues, such as privacy and security laws.

Malware established in treasury systems can quickly compromise significant amounts of high-value information. To protect in-house systems and networks, a firewall is typically created to protect the company's information assets. However, breaches can occur when unauthorized software (that can contain malware) is introduced behind the firewall. Thus, when employees download and install personal software, open personal e-mail, click on e-mail attachments, surf personal sites at work, or leave applications open, malware can be introduced and gain a footing in the system.

Many companies are leveraging advanced technologies, such as cloud computing, to [...]

Treasurers must also be aware of a wide variety of cybersecurity laws and regulations that cover the data being processed. Laws such as the Health Insurance Portability and Accountability Act (HIPAA; health information privacy), Dodd-Frank (financial system regulation), Sarbanes-Oxley (financial reporting and internal controls), and industry security standards such as the Payment Card Industry Data Security Standard (PCI-DSS) may apply to data generated or processed by treasury. Privacy laws and cybersecurity regulations cover all sensitive data, but most affect financial systems that use the Internet heavily or are implemented in virtual environments (i.e., in the cloud). Compliance issues are complex and should be considered carefully based on the industry and function of the organization and the breadth of the treasurer's duties.

It must be mentioned that most treasurers do not handle these issues alone. If a company has a dedicated IT security staff, a good system of IT governance, and an effective IT audit function, the company likely possesses the expertise to protect financial information assets and comply with applicable regulations. But many treasurers do not enjoy the day-to-day support of significant information security expertise. In particular, many small and medium-sized businesses, governmental units, and nongovernmental organizations (NGOs) cannot afford in-house cybersecurity specialists.

Even in larger companies that employ security specialists, their time may be devoted to other areas such as overall enterprise security, software change control, network [...]

When technical expertise is lacking, as it is in many small organizations, the treasurer can take some basic steps to create a more secure environment. Exhibit 1 contains some fundamental best practices for data security.

TOOLS AND SERVICES

Often, more comprehensive solutions are needed. The department may engage in complex transactions that are executed across multiple IT environments, or cloud-based systems may be employed. In these situations, a third-party consultant or software services company should be employed.

The list in Exhibit 2 is given as a starting point. These companies are vetted for the list as follows:

1. The company is a major sponsor for the information security conference Black Hat USA 2014. Black Hat (www.blackhat.com) has organized information security conferences in the United States and internationally for 16 years. It is well known in the cybersecurity industry for meetings and information sharing.

2. Products for SMEs are described on the company's website. This means that the company markets products and services specifically for smaller organizations. The company will likely have comprehensive security products created for and priced for that market.

CONCLUSION

Because of the nature of treasury operations, most organizations have a strong set of traditional financial controls over treasury department transactions. Physical security of assets, segregation of duties, and cash controls are common and well understood. What is described in this article is adding a set of IT and cybersecurity controls to the mix. These [...] areas:

• Prevent data breaches,
• Eliminate data loss, and
• Comply with cybersecurity and privacy laws and regulations.

John A. Pendley is Associate Professor of Accounting at the Sigmund Weis School of Business at Susquehanna University, in Selinsgrove, Pennsylvania. He can be reached at [email protected].

Exhibit 1

[...]
• Create a standard security configuration for browsers and e-mail software. Establish a policy to prevent alterations to the standard configuration.
• Establish policies concerning using and configuring other software and installing new programs.
• For centralized accounting software, create authorization layers and associated passwords and assign a responsible employee to review security reports.
• Back up files frequently. Consider automating the process. If the organization does not have a business continuity plan, consider starting one.

For web-based financial systems and cloud-based environments:
• Analyze the data communicated over proprietary systems or stored in cloud-based environments. Consider laws and regulations that apply to the information and ensure that you are in compliance with all privacy and security provisions for the data being transmitted or stored.
• In a cloud-based environment, make sure that sensitive data are encrypted using an established and secure algorithm and that proper controls are maintained over the encryption keys.

For any environment:
• If you (or your firm) lack the in-house technological expertise, contact an outside expert to conduct a security review (see Exhibit 2 for some suggestions).
• Learn more. The Department of Homeland Security, for example, maintains web resources that are a good starting point for learning about cybersecurity. See www.dhs.gov.

Exhibit 2
Companies That Can Provide Conventional and Cloud-Based Data Security Solutions

Company       Products and Services                                        Site
KPMG LLP      Risk management consulting services                          www.kpmg.com
Mandiant      Security consulting and incident response                    www.mandiant.com
SecureWorks   A Dell subsidiary that provides a variety of information     www.secureworks.com
              security services