Invite 165 or so treasury managers and other financial leaders and practitioners in a room, tell them you’re going to put them through a cyber-attack simulation, and advise that their actions will directly influence the exercise’s ultimate outcomes. Will
they agree to do it?
Of course they will! Especially since, according to an IBM study cited by the AFP national conference session organisers, the average cost of a data breach in 2024 is almost $5 million, with that expense figure representing an increase of 10% just in the past
year.
Chris Baker, director of Business Disruption Risk for Citi; Chris Bontempo, chief marketing officer for Johnson Controls; and Dan Potter, cyber resiliency expert from Immersive Labs presented a program at the Association for Financial Professionals (AFP)
national conference with insights that were more eye-watering for most than biting into a Nashville hot chicken sandwich. Their focus was not just sharing the shocking news about cybercrime but arming the finance professionals in the audience with smart, sensible
advice on how to best protect their organisations from the increasing threat of computer-based attacks.
System breaches affect many more areas and departments than just IT
Potter, who created an interactive simulation with a chain of decisions driven by audience response, kicked off the session with his thoughts on why it was so important, and challenging, to be prepared for the worst: “Security is all about having really
good technology, really good security organisations. Your CISOs (chief information security officers) need to know how to protect your organisations and help them recover and respond to a disruptive event. But increasingly, it's important to think of 'cyber’
not as just something in the digital domain, things that happen to technology, even though it is an attack in the technical space.”
Instead, he pointed out, “there's loads of examples about how the initial disruption creates cascading impact to every organisation in this room, every individual in an organisation, whether you're responsible for technology, security, treasury management,
human resources, and so on.”
As the members of the audience were directed to join the cyber-attack simulation exercise via their mobile devices, Citi’s Baker wryly promised that the QR code they were scanning was “safe” and that their information would not be collected – something he
cautioned them to be aware of in any other scenarios where they were told to scan a code outside of known, safe applications.
Bontempo, formerly of IBM before he joined Johnson Controls, explained why the panel felt using a game as a teaching tool was so important: “The reason is how you respond to a cyber incident. And you may think, ‘Oh, I'm not the technology person, not the CTO,
not the CIO, I'm definitely not the CISO. I'm in this room. Why are you talking to me about this?’ Because what we found with organisations is how you respond to an incident is critical to the ultimate impact that it can have on your company, your supply chain,
your customers, and will ultimately tell the story of what happened with that incident.”
Survey cost figures likely understated, but some bright spots around breaches in 2024 report
The Johnson Controls CMO’s sobering message for the professionals in the room – typically representing larger companies than the average of the 1,000 multi-industry security teams surveyed for the IBM Cost of Data Breach report that led to the 2024 cost
figure of $4.8 million per cyber breach - is that “Your mileage may vary...but for most of you, if you have an incident or a breach, it's going to be a ‘mega breach’. So, multiply that number by 100 and you get the average cost - you're talking into the hundreds
of millions of dollars.”
As one glimmer of “hope” to session participants, or at least an inducement to pay attention, Bontempo offered another fact from the 2024 survey that regulatory fines had increased 22% for organisations found to be weak in their cyber resilience measures.
“You may think, ‘Well, I don't want to pay more fines,’ but it shows that there's more regulatory attention on getting people up to par with their cyber security program.”
Another improved statistic in the 2024 report was the length of time required to detect, identify, and fix cyber breaches. “The average time it took for us to identify and contain a breach actually dropped for the first time ever this year, down to 258 days.”
Cold comfort for most though, asserted Bontempo, noting that “258 days is a ridiculously long time, though it used to be 290 days,” and using a relatable analogy, he continued, “You have a baby in 290 days – so, 258 is a better outcome. It shows that the remediations
and improvements we're putting into our cyber resilience programs are actually working and having an impact.”
AI measures can be a big help when cyber incidents occur
The IBM cyber incident report also found that AI is a big plus for information security, Bontempo said.
“If you adopt AI in your cybersecurity programs, you will have a lower impact with your cost of the journey - and that's a positive.” He pointed out that more organisations are adding AI into their security approaches.
The final positive figure surrounded the percentage of firms that detected a breach themselves, which increased 26 points to 46% vs. the 2023 study. "What does that mean? It means you're not waiting for the cyber criminals to tell you that they've just hacked
you, and now you have to pay up. It means we're getting better at cyber security.”
Unfortunately, phishing emails continue to be a problem, and have increased. Pointing out that October is
Cybersecurity Awareness Month, Bontempo jokingly asked for a quick audience response. “How many of you have noticed a decrease in the number of phishing emails you're getting?” After a pause, “Let the record show nobody raised their hand. You're all getting
hit.”
Cyber-attack simulation: one thing leads to another, and none of the choices are fun to make
The simulation itself consisted of a series of developments and potential courses of action. Each audience participant was asked to submit their suggested responses to several succeeding questions posed following a base cyber threat scenario – what appeared
to be a minor problem that evolved over time because of implementing the most popular choices of the audience at each step.
The results? Cascading impacts as the simulated cyber-attack scenario unfolded. Consider the following scenario:
- You are the Nashville-based treasury manager for a fictitious organisation called Orchid Corp, a company with 2,000 employees and $200 million in revenues. At 15 years old, Orchid is going through lots of change.
- Orchid Corp’s annual Investor Day is coming up. Your boss, the CFO, is based in New York, and just logged in to her computer at 7:00 am before her meeting with the company’s banking partners, but she can’t access the system, so she asks her assistant to
log a ticket with the IT help desk. “I don’t need my computer to run the upcoming meeting.”
- Unfortunately, at 8:45, that first meeting is over, and still no update on the system issues. In fact, the IT desk says two more colleagues can’t get into the system.
Audience questions after this began with “Who do you call next?” and the responses varied across the map. Ultimately, most in the room chose to “Call the CISO and ask them to find out what’s going on.” From there, the cascading problems, with various response
options offered, continued.
Next came the ‘crisis call’ to discuss the situation, as more employees find they can’t access company systems. Lots of beeps, conflicting messages, some ignored requests, as (mostly) every company leader joins the Teams, Zoom, or whatever communications platform-of-choice
call. It’s confusing, time-consuming, and concerning.
Now, you are being asked on the call if you agree to an immediate shutdown of all your treasury systems. That should prevent or reduce the risk of data theft of sensitive client and supplier info. But at what cost? “Maybe we could just delay that shutdown for
a bit while the CISO team figures out what’s really going on?” Various other options are proposed. Meanwhile, more staff are finding access isn’t available to them either. You have backups, so you could go to that system, but nobody has ever really tested
it, so more questions and concerns arise.
You (the treasurer) decide to take 30 minutes to decide how to react, to speak to some key stakeholders on your team and elsewhere in the organisation for advice. One question is “Could we convert to all-manual access for our payroll and other payment activities?”
Within a couple of hours, it’s discovered by a banking partner, who called you on the phone to inform you that one-third of a million dollars in “suspicious” payments has been wired out to Vietnam without prior access. But you had not told the bank you had
a problem yet, so they didn’t hold the payments and you still don’t have access. You’ve got real problems, and no pre-planned strategy to handle them.
Communication must begin in the planning and testing phases of cyber response preparation
As the panel observed the audience’s continuing responses with the outage escalating further, Citi’s Baker noted how important it is to establish key communication lines up-front and keep them open throughout such a situation. Not just internally, but externally
as well. Organisation leaders must trust each key staff member’s capabilities and insights on what to do next, considering various critical factors, in such emergency scenarios. This level of trust and preparation can only be gained, he emphasised, through
pre-planning and testing, and having well-placed confidence in people and backup measures. Without these, a situation like the one simulated could get much worse.
One simple suggestion, to have a “500-page” disaster “playbook” to guide responses, seemed sensible to all in the audience, and in fact many treasury staffers indicated that was an approach within their organisations already. Except, as Baker said, “for the
people like you in this room, we need the one-page checklist” instead, to enable quick decisions beyond all the deep, technical details that IT would be investigating and, hopefully, resolving.
So many questions, he explained, would be going through management’s collective heads at such a time, and it’s critically important to rehearse such questions, dependencies, and potential outcomes ahead of time. That will make the alternatives to consider much
clearer and more actionable, even if the cyber-attack continues beyond expected timelines or IT control efforts.
Costs of actions must be explored, relationships with key partners established in advance
As the session’s thought-provoking cyber breach simulation wound down, with no clear resolution for poor Orchid Corp’s treasurer, Bontempo added his own recommendations regarding setting key priorities, and in terms of the cyber-attack ‘playbook’: “Pro tip:
If your 500 page playbook is a PDF on everybody's computers, that’s not good (since the computers are, by now, completely shut down by the IT team, or inaccessible in any case), so, print everything out and plant more trees.”
Given the likely costs of such a scenario, not just in financial terms but potentially in reputational risk or even criminal charges or fines, Baker warned the audience members of at least two other key external parties to involve and become acquainted with
before a cyber incident or other attack occurs:
“Be prepared. You don't want your first interaction with law enforcement or the regulatory authorities to be on the day of an incident. You want to have those relationships built up beforehand, so that you've got a little bit of trust back and forth. You
know who to call, and they trust you. You do it on the day of an incident - and you're playing from behind.”