The Treasury Update Podcast by Strategic Treasurer

Episode 204

Protecting the Flow of Your Business: A Series on Cyber Security

Cyber coverage is a cutting-edge product in the industry, but it is responding to a very dynamic threat. With the average cost of a cyber insurance claim now as high as $8MM USD, pressure is mounting for better cyber hygiene and security due diligence. In this podcast, Craig Jeffery sits down with Adrienne Terpak of TD Bank and two special guests from Sterling Risk to discuss key points on insuring your company against cyber-attacks, while protecting the flow of your business.


Craig Jeffery, Strategic Treasurer

Craig - Headshot


Michael Fleischer, SterlingRisk

Craig - Headshot

Josh Weisberg, SterlingRisk

Craig - Headshot


Adrienne Terpak, TD Bank

TD Bank

Subscribe to the Treasury Update Podcast on your favorite app!

The Treasury Update Podcast on Spotify
The Treasury Update Podcast on iTunes
Episode Transcription - Episode #204: Protecting the Flow of Your Business

Announcer  00:04

Welcome to the Treasury Update Podcast presented by Strategic Treasure, your source for interesting treasury news, analysis, and insights in your car, at the gym, or wherever you decide to tune it.


Craig Jeffery  00:19

Welcome to the Treasury Update Podcast. This is Craig Jeffery, I’m really excited about today’s topic. This is part of the TD Bank security series. Today’s topic is protecting the flow of your business. And we have a number of special guests on today. First, I want to welcome everyone to the podcast. First I want to welcome Adrian Terpak from TD Bank. Welcome, Adrian.


Adrienne Terpak  00:42

Thanks, Craig. I’m really happy to be here. And TD Bank is thrilled to sponsor this podcast series. We know how critical this topic is to our customers and the broader business community. As a commercial segment manager, my role is to continually improve the customer experience by understanding their needs pain points and expectations, tailoring solutions to fit their business and industry as well as providing relevant insights about what’s top of mind. And today, that’s fraud and cybersecurity. I’m really looking forward to our conversation.


Craig Jeffery  01:14

Great. And we also have Michael Fleischer. And Joshua Weisberg from Sterling Risk. So welcome, Josh. And Michael.


Michael Fleischer  01:21

Thank you very much. We’re happy to assist with the podcast today.


Josh Weisberg  01:25

Yep, very excited to be here. Thank you again.


Craig Jeffery  01:28

You know, if you’re listening, you’re in a small company, a medium sized company, a large company, this content applies to you, regardless of the size. Let’s begin with the situation. And I want to start with you, Adrian and then jump over to you, Michael, from a historical perspective, as well as what’s happening today. What should we be thinking about the situation with fraud, and how we protect the flow the cash flow our data.


Adrienne Terpak  01:55

In my day to day and working with my colleagues, we work with financial professionals, as you mentioned, in businesses that run the entire gamut from small business to large enterprises. And in my prior life, before TD Bank, I was a corporate treasury practitioner, also managing accounts payable and accounts receivable. So I know that side of the house pretty well, and the challenges that we deal with not just in managing the assets, looking to do investing and financing, but those payments that are flowing throughout the system, every day are subject to this security risk. And we see it having escalated over a number of years from the run of the mill check fraud that still exists today, because checks are still prevalent, but also escalating all the way to the cyber crimes, which we’ll get into a little bit more. But it really has elevated our senses in terms of what we need to look out for. There’s all types of attacks, different attack vectors, different ways, again, from running the mill check fraud, all the way through the various types of cyber crimes that we’re seeing that we need to be aware of, certainly elevating our defenses, and understanding what those are. And we’ll talk about that a little bit more as well. Understanding all those different types, as protecting the assets of the company is really, really important.


Craig Jeffery  03:35

Thanks, Adrian, and you’ve been with TD Bank for a number of years. And for the few of you who may not know TD Bank is one of the largest consumer and commercial corporate banks in the United States. Michael, maybe you just give a quick overview of what Sterling Risk is and then get us back into the situation that we find ourselves in with cyber crime.


Michael Fleischer  03:58

Sterling Risk is a full service risk management provider. We are involved in all forms of commercial insurance, we take a much deeper dive into assisting our clients with managing their risk from claims analysis host as well as assisting them with risk management processes that we will develop in conjunction with our clients prior to any kind of claims issues so that we can assist them in terms of protecting their assets, exposures, etc. To follow up with what Adrian said, you know, there’s there’s a tremendous amount of exposure today from the financial perspective. In addition, we have a lot of ransomware attacks that are being accessed via email system and the pandemic with the amount of remote workers has exacerbated and made this exposure much more than in prior years, so businesses are really being attacked from all ends, not only their financial ends, but anywhere that there’s access to their systems and data, you know, and customer base, etc..


Craig Jeffery  05:14

Yeah, thanks, Michael. And as Adrian had started off, and you took the baton on the situation, maybe you could continue that discussion with, you know, what’s changed in the environment, we’ve already said that things like ransomware have picked up, these things have increased over time. So the threat, the recognition of the threat has increased, continues to grow on a year over year basis. And that reflects the reality of these types of attack. But maybe you could start us off, at least on a macro level, what’s changed in the environment? And then I want to get Josh involved on this discussion as well. So what’s what’s been changing in the environment of not only the attacks, but really the nature of the defense, the claims, those types of items that help us understand the attacks, but the response to those attacks?


Michael Fleischer  06:00

To take a 10,000 foot look at where the marketplace was, say, five, six years ago, when cyber insurance was first introduced, it was very simple process applications might be as simple as name of the organization, how many employees and what’s your website?  That has developed to a much more stringent process today, where there’s a true deep analysis of, of every system, multifactor authentication is required, whether it be for accessing your financial systems, or your email systems, anything, you know, involving the internet, and this has become the current status as a result of the claims. Okay, claims cyber attacks are expected to hit $6 trillion in 2021. That figure is double the number in 2015.  Ransomware attacks were expected to cost businesses $20 billion in 2020. And that figure is 50 times more than 2015. So you take a look at those numbers. And you can understand that, you know, insurance companies are now paying claims that they never anticipated. And obviously, when insurance companies are paying significant claims, there has to be a change in underwriting process, pricing, deductibles, etc., and that’s, you know, what we’re really seeing in terms of the change in the marketplace, from when cyber insurance was first introduced to where we are today.


Craig Jeffery  07:38

So that’s some of the macro view on that.  I know there’s other things that have changed with COVID, this push to a work from home, maybe it’s time to pull you in Josh to talk about what else has changed in the overall environment? And what are we seeing maybe at a deeper dive with those those claims, other macroeconomic events that are influencing the risk management world? Sure. And thank you, Craig, and Michael did a great job of setting up some of those macro issues. You know, one of my job here at Sterling Risk, I’m the Chief Claims Officer, and my responsibility is to really oversee on a daily fluid basis, the kinds of claims that our clients are experiencing how to handle those claims through conclusion. So it’s really an opportunity to get a true finger on the pulse of cutting edge in terms of claims activity, especially in the cyberspace. And those claims are constantly changing. But the truth is that there is especially within the small business segment, I see a very core exposure that’s constantly repeating. And that really has to do, certainly with phishing attacks, Michael talked about some of the dollar based exposures that we see within the entire family of cyber claims. The reality is phishing attacks are growing exponentially year over year, from 2021 to 2022. The expectation is, historically over the past five years, you’re going to see something like a 700% increase in phishing attacks. And for small businesses that are trying to marshal their resources to effectively defend themselves against cyber threat with a limited amount of dollars that they can throw towards combating and eliminating or containing these exposures, it’s absolutely essential to understand this is where we’re seeing increase in potential cyber exposures. And that really kind of dovetails with something that I constantly say, which is when it comes to claims, the best defense is a good offense. Michael alluded to this before, you want to make sure that you’ve got proactive approaches to combating some of these issues, and particularly in the realm of phishing attacks, which again, are increasing year over year exponentially. The field of human intelligence, meaning training your employees, making certain especially within a remote environment where they’re potentially distracted, they’re not necessarily 100% focused, training on how to prevent phishing attacks, how to spot malicious links in an email, is absolutely mission critical. So kind of rounding out the point, the nature of the claims that we’re seeing absolutely have a nexus, particularly in the realm of phishing or spear phishing, or phishing attacks in general. And that kind of branches out from there into potential exposures related to ransomware, your systems are getting shut down, and you have to make a payment to a bad actor, in order to get access to your systems. Social engineering is obviously a classic exposure, that is, again only increasing over time, where malicious actors gain access to what appears to be legitimate requests for payment from a customer or a vendor, and you throw money at that fictitious actor, you’re now out those dollars that came from your checking account or your savings account. As you wire out those funds. The level or the depth at which you understand that threat on the front end is going to pay dividends for you, when you combat or negate that threat through proactive approach on the back end. A follow up question to that, you know, as you talked about the work from home, and the impact on the smaller businesses, one thing we see is the threat of the cyber attacks, the use of phishing, spear phishing, they’re more automated, and so they seem to be catching up smaller companies. Whereas before they’re more custom, and they were targeting larger prey, if you will. I’m sure you see some of that. But how is that causing companies to change not only in their training, but how they’re getting coverage? What’s becoming necessary from an underwriting requirements standpoint?


Josh Weisberg  11:29

That’s a great question. And Michael alluded to this earlier. So across the entire business class, meaning the entire class of cyber insurance underwriters, irrespective of the size of your organization, or the amount of premium, they’re becoming more and more aggressive in terms of the controls that they want to see in place to negate some of these threats. And they are going to want to see that you have, again, that human intelligence component, the training that you’re giving constantly to your employees so that they can spot these kinds of attacks, these phishing attacks. They’re also looking for what Michael alluded to before multi factor authentication, or systems that you can deploy to make certain that you’re not just relying on a password in order to get access to email systems, they want a token system or some other system in place to provide dual authentication, before you can access any electronic business records that belong to your organization. Those are really some of the core safety controls that we see are risk management controls that cyber underwriters are looking to see before they’re going to be willing to even quote your risk. Now, as your organization gets bigger, as the level of resources that you can deploy towards these threats becomes more sophisticated, you’ll be looking at other resources such as endpoint detection, that’s certainly something that cyber underwriters are going to want to see, they’re going to want to see, for example, that you have what’s called a breach plan, which is kind of the blueprint that you’re going to use in the event that you’re hacked, they’re going to want to see that you have a plan in place in order to deal with that hack, how you investigate to make sure that you can confirm the depth of the infiltration and what regulatory or legal obligations you might have to notify your customers, your clients that their personally identifiable information, their social security numbers, their bank routing numbers, if they’ve been compromised, you have to let them know about that. That’s another exposure that cyber underwriters want to make sure that you’re insulating your systems from through all these different approaches.


Craig Jeffery  13:19

So what I’ve heard you say is the application process or the the registration process has gone from a few questions, name, number of employees website, to a much more rigorous application process that looks across things like training, multi factor authentication, a number of controls, what else is happening is the length of these agreements, staying the same shortening getting larger? You talked about coverages and deductibles, what what’s happening there across across the border, generally, I’ll turn it back over to Michael, I think Michael can give our audience some more detail on what we’re seeing in terms of the changes in coverage that are definitely response to some of these growing exposures.


Michael Fleischer  14:00

Thank you, Josh.  There was a time where you might be able to obtain multi year policies as in other coverage forms. But as as this coverage is developed, and as certainly the loss history has mushroomed, you know, become so much more significant. Carriers are no longer providing multi year policies, they’re one year policies.  We’re seeing the reaction to organizations that have had claims.  They’re going to be receiving lower limits of coverage. They may be having to endure much higher deductibles or retention levels on these policies. If the controls that Josh outlined aren’t in place, there could be lower limits available for those or even certain coverages might be excluded if a particular client doesn’t have the right controls in place that the underwriters feel comfortable that there’s enough protection and that they’re not exposed. These are some of the changes that you’ve seen in the marketplace. You know, when it first was brought out it was a simple coverage that was really everybody was thinking was a throw in and just, you know, let’s add this coverage because it’s a nice add on, okay.  Now it’s probably become one of the key exposures in terms of losses and danger to a client’s, you know, organizations in their ability to run their business.


Josh Weisberg  15:20

And Michael raises a great point, just something to keep in mind the average cost of a cyber claim in the insurance space, and this is something that cyber underwriters track, the average cost is $8 million. Now, obviously, you’re going to have claims that are worth significantly less, you’re going to have claims that are worth significantly more. But those dollar pressures that cyber underwriters are looking to contain, have a direct correlation with some of the restrictions and coverage that Michael mentioned.  Just a couple of things to keep in mind. Obviously, cyber coverage is a more cutting edge product that’s out there in the insurance marketplace. But it’s also responding to a very dynamic threat. And so what you really want to do as you’re exploring, if you have cyber insurance, or you’re exploring the purchase of cyber insurance, you need to make sure that you have an understanding of what that cutting edge looks like. Just for example, with the threat associated with Ukrainian conflict, cyber underwriters are rewriting what’s called the war exclusion that’s built into their insurance policies.  That war exclusion is potentially going to expand now to include not just claims directly related to the conflict, but also what we would call spill over losses related somehow or another to what’s going on in the Ukraine. So for example, if a cyber attack or bad cyber actor were to perpetrate an attack here in the United States, that is in some fashion related either perpetrated by a Russian actor or some other third party, in response to actions undertaken by the United States, it’s possible that your claim related to that event will not be covered, depending upon the wording that’s in your policy. One of the other things that you definitely need to be on the lookout for, especially if you’ve had cyber insurance for a period of years, predating the pandemic, if you have workers, Michael alluded to this before, if you have employees that are working in a remote environment, if your policy is not set up to cover remote based exposures, you may not have coverage for cyber claims. So those are some of the constantly changing the fluid dynamic that’s involved in the cyber underwriting process. You have to understand what the threats are, and you have to make sure that your coverage is broadly constructed to respond to those losses.


Craig Jeffery  17:27

So a lot of moving parts.  A changing threat environment, changing requirement to get underwriting, changing working conditions and coverage levels. Some excellent, excellent points. They want to bring you back in Adrian, on this next section, it’s what to do the preparation response. And is there a scenario where things will get better? Either better preparation, a better response? Because we’ve had, we’ve had multiple years of things only getting worse. And at an accelerating level. Can you give us some more positivity after these Eeyore types shattered our smile.


Adrienne Terpak  18:06

I certainly can’t guarantee that the level of attacks will will wane. The fraudsters, as we know, continually find ways to evolve, you know, their tactics. Even in the ransomware realm. They’ve gone from, say, single extortion, if you will, to double extortion and multi level. So even using that as one example. But what I can say, and we work with clients all the time, who are really looking for this holistic assessment of where they are, not only from a security standpoint, but all of the services they use, you know, with us, you know, from payments to information reporting deposits and loans. But from a security standpoint, we advise them, it is all about layers, we can’t ignore that. The more layers you have, the better. I like, you know, what Sterling Risk is doing in terms of advising clients to really look across the board, more holistic view. And we advise that as well. And we tried to give clients ways that they can do that working with different partners, working with your internal resources. And even if you don’t have the technology expertise in house, that’s no excuse, you really need to seek that out. So whether it’s the financial professionals within your organizations, your technology partners, and those alliances have really come together, where we see the CIO or even the CISOs reporting to the CFO that’s really really important as well, that cross functional approach to protecting the company, the organization, the assets, the employees, as well as customers and vendors and securing all of that information. There’s certainly things like artificial intelligence and machine learning that yes, the fraudsters are using but so are we to combat all of these different and look for patterns and understand better kind of what’s happening, the new emerging ways that they’re looking to defraud not only the bank perhaps, or our customers and vendors, etc. The good news is that if we focus on a collective defense, it really does improve the overall posture that we have across the financial ecosystem. And we see that even when we think about CIS,, a lot of the other non for profit organizations that are reaching out and trying to help the gig economy, the small businesses, the micro businesses, all the way up to the large enterprises, especially for critical infrastructure, and we saw a lot of attacks on critical infrastructure. And, you know, with some of the geopolitical pressures, we’re probably going to see more of that. So again, it’s all about layers, and really leaning into those resources, like Sterling Risk, like TD Bank, like Strategic Treasure, to find ways, where are the gaps, it’s all about finding where your vulnerabilities are. And plugging those gaps, there is no excuse for not having that technology expertise. If you need to get it it’s out there to be had and for you to seek. And again, we just advise clients to take that holistic view and go point by point in terms of what you already have. Maybe from a firewall perspective, software, hardware, cloud based, that’s all well and fine. But then there’s the human element that we talk about, and that human firewall that’s so important. I really can’t emphasize it enough that you could have all the bells and whistles in the background. And then something reaches someone’s desktop, and they click a malicious link and unleash, you know, malware into the system. Perhaps there’s something to fall back on in terms of those not allowing fraudsters, criminals to laterally move in the systems. But it’s really that upfront. And for folks to know, especially if they’re in the finance function. We know that Accounts Payable managers are targeted quite a bit because they have access to paying vendors, changing instructions, things like that.  So that’s where we see business email compromise has really impacted them quite a bit. What’s encouraging is that in a recent Treasury Fraud and Control Survey, and there are about 230 respondents in the one that strategic treasure just did with bottom line is that 84%, well they think the threat level of fraud has increased or significantly increased. So that’s alarming, right? But the good news is that approximately 60% believe that they’re better positioned to deal with that.  We want that number to be higher. And through podcasts like this, and webinars that we do that our clients seek all the time, we’re trying to get that message across, and ask them to lean on us and other partners. And of course, we’re always vetting new partners to work with as well. And that due diligence and making sure we’re providing products that are very secure, that can be relied upon. It is very important to TD Bank.


Craig Jeffery  23:21

Adrian, some really, really good points i i do like your your phrase, the human firewall and how the human firewall has to get get upgraded, which is ties into what when Michael said about getting training, getting get a stay current. It’s not a once every couple of years, it’s at least every year and leading firms are making sure their staffs are getting updated more regularly. I did have one question before I jump back over to Josh and Michael, you talked about multi extortion. I think I know what you mean. But I just wanted to be clear, what you’re referring to is multi extortion versus single extortion. Can you explain what you meant by that?


Adrienne Terpak  23:59

So single extortion is where the fraudster will encrypt the data on your servers.


Craig Jeffery  24:06

Like ransomware, they just encrypt it, okay.


Adrienne Terpak  24:09

Right.  Not allowing you to access that information. And if you don’t have that backed up, you need to pay that ransom to get it back. And in some cases, you won’t necessarily get it back or you might not get it all back, or they may have been able to exfiltrate that data. And that’s where double extortion comes into play. So exfiltrating that data and then basically telling the company that they will expose this data which of course they can sell on the dark web and we see it all the time. And sometimes you may not see it right away. So if your debit card has been compromised through some mass breach of security, credit card, other information, whether it’s your name, your email address, etc. it may be one or two years until you see that being exposed through the dark web.  People are buying that they’re packaging that information. And they’re buying that information. Right. So, again, that double extortion, that reputational risk of having that data exposed and potentially sold on the dark web is that next level of intimidation that we have to watch out for, we had companies that were doing a great job of backing up their data and saying, No, I’m not going to pay the ransom, because I do have access to my information. And so we don’t need you to unencrypted our files. But now they’re saying if they can exfiltrate that data and sell it, that’s the next way of them getting some sort of ransom payment. And then there’s also these distributed sort of DDoS attacks, the denial of service, where they can even hound customers, and other stakeholders of those victim organizations. So you really don’t want that to happen as another layer. And that’s why I talk about the multi level feature there.


Craig Jeffery  25:57

Sure, yeah, we encrypt your data, we also stole it, we’re gonna sell it or expose it if you don’t pay.  That’s that’s certainly amping up the amount of ransom that people have to pay, let alone all of the expenses to recover and reestablish a control of your system. So great comments, but you certainly didn’t make us think that things would get a lot better, other than the fact that, you know, working together to provide a better front, there is at least a bright spot there on the crime front.  I want to make sure that Josh and Michael have anything else to add on the preparation and response side.


Michael Fleischer  26:32

Adrian’s 100%, right. This really is a sort of become a cat and mouse game is what it is.  The fraudsters, you know, get to a certain level. And then and now there’s reactions and, and the business environment, you know, creates the responses and protects themselves. And now, it just goes up and up back and forth. But the good thing is that as you know, as Adrienne outlined your survey and 60%, people said that they they felt that they were better prepared than they were.  Well, that’s great, that more feel protected than then they were in the past. The key as we’re outlining, you know, part of the reason why we’ve partnered with both of your organizations is that is that upfront, focus on managing your risk, managing your exposures, recognizing what those are prior to, obviously, you know, being breached, hacked, etcetera, upping that game, so that you’re even further protecting your yourselves your organization, your data. And, you know, as Josh outlined, and an Adrian as well, the really the most important thing is still the human element.  The employees need to be trained, need to be coached advised, etc. And really, the most important thing is, if something seems questionable, fishy, whatever, make a phone call, you know, instead of just responding to that request to change to this vendor or to change, you know, our new wiring instructions, etc, pick up that phone, make a phone call, say hey, by the way, I’m getting this email, and this is what I’m being asked to do. And and again, unfortunately, that’s become worse as a result of the remote environment. Because a lot of people aren’t in the office. So they can walk down the hall and say, Hey, did you ask me to do this? No, you know, and, you know, by, by everybody working remotely, it makes it, it makes it that much more vulnerable, you know, for these type of attacks. And that’s what’s really driving that. And the more people focus on it, and the more companies manage risk and train their employees, and everybody recognizes the issues, the better off we’re going to be, and there is that silver lining, you know, it’s, it’s no different than anything else, it’s really a matter of education and training and management is going to know is going to enable you to be more successful and continue to operate your business.


Josh Weisberg  28:59

I think that’s right. And I would add one more quick thing. Adrian mentioned resources, there are tremendous resources that are on this podcast right now. And they are tremendous resources that TD Bank and Sterling Risk and other thought leaders in this space can absolutely provide.  One thing to absolutely keep in mind, if you have cyber insurance, or if you’re in the market and you purchase cyber insurance, your cyber insurers on the front end, they will vet you, as we talked about before, they’re gonna make sure you have the right controls in place, they’ll help you become more secure after you purchase the product. Virtually every cyber underwriter in the space offers training, offers guidance throughout the policy term to help you make your business more secure. And so when you’re talking about small businesses or not for profit organizations, as Adrienne mentioned before, with finite financial resources to deploy towards this problem, that’s a great way to make yourself more secure and more often than not, every single one of those services that your cyber insurance provides, it’s a ala carte, and it’s free.  They do this because they don’t want pay claims. And so they deploy a tremendous amount of training and expertise in this space. And because they see the claims, they know how to react to the threat. And it’s a constantly evolving regimen of different preventative measures that they can give you that are going to impact the bottom line, and are going to hopefully put you in a position where you can prevent claims. And that’s obviously a very, very good thing.


Craig Jeffery  30:25

Adrian, as you bring this home, I’d love to hear your final thoughts, what are some things we need to look at or act upon?


Adrienne Terpak  30:32

Yeah, and then of course, the theme for this conversation is about protecting the flow of your business. And we see that all the time. The last thing that we want is for our clients to feel sort of paralyzed right, by all these types of fraud.  We’re here to help you work through that. And even as something as simple as managing your account where you have both payables and receivables, as an example, we recommend, you know, certain bank products like positive pay for checks. And it’s really all about keeping the flow of business because if you have those tools in place, there’s less disruption to your operations to your business. And we can monitor for anything anomalous. But there’s, you know, those protections in the background that will keep the flow of business going, we still need to address the underlying issue and the vulnerability. But that’s just another example. And just wanted to hone in on that particular element of this discussion. So a few things is kind of these ABCs, if you will, I want to make it really simple. And I have three for each of the ABC.  Assess your vulnerabilities.  The attack surfaces have widened, we talked about this in another episode as well, there’s a lot of interdependency between because we have more devices that are connected, you can call it the Internet of Things, you can call it, whatever you’d like. But at the end of the day, we’re more a more digital environment, right. And we have a lot more connected devices. So assess those vulnerabilities.  And act on deficiencies. If you determine that you have a deficiency and you’re not acting upon it to remediate it. Well, that’s something that will continue to cause you grief as you move forward. Awareness at every level.  Risk managers throughout the organization, it’s really important to sort of hone in on the fact that we’re all risk managers, we all need to be aware, whether it’s training and reinforcing that training is very important. Bolster defenses at every layer of security. So it’s not just technology, think human, make sure you’ve got that human element.  Lean on your bank partners. So advice, training products and services, we’re not just selling fraud prevention products to make money. We are here to protect the flow of your business, to protect your business overall. And to make sure that we can help your business grow.  A breach plan, an incident response plan, absolutely have those but don’t let them collect dust on your desk.  Shouldn’t even have probably a paper copy and digital copy. Make sure that you’re going through that plan with all of the stakeholders. First, the collective defense I talked about that earlier, never rely on a single layer of defense or only one trusted partner. There are a lot of partners in this industry that can help you get there.  Consult the experts, again, the bankers, the insurers, the consulting firms, cybersecurity firms, accountants, and even those info sharing and analysis. There’s resources out there that are non for profit that can help. And that culture that I mentioned before.  Fostering a risk management culture, security first mindset. So the mindset is really important, and practice those cyber drills. And I have one additional one, which is the zero trust model. So I skipped all the way to z, but it’s never trust in always verify. So it’s unfortunate that we have to do that. But that’s the world that we’re living in. And it’s just better to not trust necessarily upfront, you’ve got to verify and then the trust can can move on from there.


Craig Jeffery  34:13

Excellent. Thank you so much, Adrian, Josh, and Michael really appreciated your comments.


Announcer  34:22

You’ve reached the end of another episode of the Treasury Update Podcast. Be sure to follow Strategic Treasure on LinkedIn. Just search for Strategic Treasure. This podcast is provided for informational purposes only, and statements made by Strategic Sreasure LLC on this podcast are not intended as legal, business, consulting, or tax advice. For more information, visit and bookmark

Related Resources

2021 Treasury Perspectives Survey Results Report

2021 Treasury Perspectives Survey Report

This annual study polls treasury and finance professionals on their views regarding the economy, technology, industry innovation, and regulation to better understand top challenges and opportunities in the marketplace. Download the results report today for the latest insights in treasury!

Episode 211 - Treasury Update Podcast

Synthetic Identities and a CISO View: A Series on Cyber Security
A few years ago, most of our business was done in person, and your personal identity was showing up with your face and signature. As we move to a remote, digital work environment, creating Synthetic Identities is becoming easier and more common. In this podcast, Craig Jeffery of Strategic Treasurer talks with Jonathan Doskocil of TD Bank and Tyler Farrar of Exabeam on the importance of identity verification, education, and detecting compromised credentials.