When speaking on encryption and surveillance at Kenyon College in April 2016, James Comey, then the director of the FBI, divulged that he’d placed a piece of tape over the camera on his personal computer.
And after Facebook Chairman & CEO Mark Zuckerberg posted a photo that showed his work computer in June 2016, thousands of people noticed that he had tape over his MacBook camera and microphone.
Why would the director of the FBI and the founder of Facebook resort to placing tape over the cameras and microphones at their personal workstations?
The answer is RATs — Remote Access Trojans.
Almost everyone in business today is familiar with remote desktop applications such as LogMeIn, TeamViewer, GoToMeeting, WebEx, and Bomgar. These enterprise tools provide remote access to a system and are useful and efficient ways to cut operating costs, ensure fast response time with help desks, or just get that much-needed document from your workplace when you are out of the office.
RATs are a malicious variant of these remote access tools — custom-created software the user can execute to control any system without the victim’s knowledge.
One of the first RATs was made public in 1999. RATs have become more sophisticated through obfuscation in the years since first created. Today, most of the popular RATs are capable of performing keylogging, screen and camera capture, file access, code execution, registry management, password sniffing, and more. Through persistence, an attacker can run malware, exfiltrate data from the victim, and sell the data or use it to extort the victims at a later date.
RATs can be installed on a system through phishing links, email attachments, ransomware, infected USB drives, and more. They are custom-built to evade antivirus (AV) programs, intrusion detection, and prevention products (IDS/IPS) and are sold relatively cheaply on clearnet hacking forums and the dark web.
RATs are near the top in the hierarchy of cybercrime. There are dozens of techniques cybercriminals use to keep their RATs from being detected. RATS can be “binded,” or merged, into a legitimate program using very basic tools. The most popular are Adobe Flash, Google Chrome installers, and any web-based or local installer trusted by the workstation or domain. This is what makes a RAT unknown and undetectable to AV vendors.
The RAT’s role, like any creative virus, is to be persistent even after detection. Ten minutes of a target being “ratted” is more than enough time to upload multiple backdoors into a network that can stay persistent long after the RAT is discovered and eradicated, allowing future attacks. Ten minutes is also enough time to gain sufficient data to use in ransoming, extorting, or threatening an individual or business. The details of extortion techniques are changing on a monthly basis.
There will never be a product that fully protects any person or organization from RATs, viruses, malware, exploits, zero-day vulnerabilities, or other cyber threats. At this stage, the best prevention against RATs is for your organization to follow these best practices recommended by security researchers, engineers, and coders:
- Do not save unencrypted private information on a home or organization workstation. Encrypt your files with fully audited open source VeraCrypt and AXCrypt (if you access remote). These provide multiple features and 99.99 percent chance of no government backdoors with access to the encryption key.
- Train everyone with access to your network on the importance of avoiding unsafe websites, particularly sites that are ad-driven and full of pop-ups, as these might contain a drive-by RAT waiting to be deployed.
- Ensure your organization performs daily backups with minimum 256-bit AES encryption and redundant data eliminated (de-duplicated). These backups should be replicated off-site.
- Watch your firewall, IDS/IPS logs for unusually large amounts of data being offloaded out. That is one of the biggest clues that your network has been penetrated. Basic network security should have egress filtering already in place with quality of service (QoS) controls to alert of such patterns.
- Use multi-factor authentication and print out the backup codes when you are offsite from your network. This is to prevent account takeovers if you have been compromised.
- Use your AV, IDS/IPS appliances and software and review the reports, especially those sent on the weekend. Most cybercrimes occur starting after hours on Friday afternoon, so customize your alerts to be a little more detailed during those times.
Also consider covering webcams and microphones when they’re not in use. If a RAT is used to activate them, the cybercriminals won’t be able to glean useful information.
Cybercrime has been unleashing significant destruction. The sinister nature of daily exploits, leaks, and hacks is numbing even the most hardened security researchers, and it seems the end is not in sight. While emerging technologies might be helpful in the fight against RATs in the future, for now your best protection is to follow the best practices above and layer your cybersecurity controls so that if one fails, others can help protect your organization.
Source: The Non Profit Times
Author: Lisa Traina
A tectonic societal shift is happening right under our noses. You don’t need a seismometer to see it. If you’ve watched any recent entertainment awards show, it’s easy to see and hear.
“Oh,” one might say, “that’s just fallout from the Sony Pictures hack and the Harvey Weinstein implosion. Those people are all famous public figures. It couldn’t happen to me.”
It’s amazing that anyone who lived through the 2016 presidential election is still using email or Twitter. Regardless of your political leaning, that election taught us that emails and tweets follow the sender around like a hungry dog at feeding time. Unlike dogs (alas) emails, tweets and social media posts are essentially immortal. Someone sufficiently motivated to find them can do so.
The examples of improper comments later in this article have been reported by several public sources, and they’re included for effect. The quoted sections may or may not be accurate, but they illustrate the kinds of comments that people write in indelible media from time to time that come back to haunt them.
Perhaps the reader can recall other examples, closer to home. Early in my career as a lawyer, we used to communicate with international clients via telex. (Yes, that long ago.) I sent a number of telexes overseas, requesting settlement authority in a relatively small case, and kept receiving responses that questioned my analysis.
Then I noticed that the responses were addresses to “Mrs. Louis Castoria,” perhaps mistaking “Louis” for “Lois” or “Louise.” When I re-sent the same advice and typed my name as “Mr. Louis Castoria,” the reply came back, “We agree with your wise recommendation.”
If the reader is surprised by my relatively mild story, or by the more dramatic ones told in the excerpts from media reports, imagine the impact of sexist comments on conscientious jurors in a civil case.
In employment discrimination cases, “Me, too” evidence — examples of discriminatory or harassing comments made to or about employees other than the plaintiff — can be admitted into evidence. The California Supreme Court ruled in 2006 that the state’s fair employment and housing act was “not designed to rid the workplace of vulgarity. ” [Lyle v. Warner Brothers Television Productions (2006) 38 Cal.4th 264, 295.] Still, such evidence gets to the jury.
In Pantoja v. Anton [(2011) 198 Cal.App.4th 87], the California Court of Appeal sent a case back for retrial because the trial court had improperly excluded evidence of a supervisor’s use of the term “Mexicans” to refer to employees.
It may be easy to see why evidence of sexist or racist terms might be relevant in some types of employment-related cases. Could the same kind of evidence be relevant in professional liability cases?
Character doesn’t count
I’m not aware of a reported decision in which “Me, too” evidence has come before the jury in an errors and omissions (E&O) case. The basic question in most E&O cases is did the professional person (insurance broker, lawyer, accountant or acupuncturist, for example) act within the standard of care of the profession in the community where the services were rendered? The defendant’s character is not usually considered admissible, unless it goes to credibility. A misogynist jerk can perform a perfectly correct appendectomy, just as a paragon of virtue can perform a negligent one.
Lawyers try to keep potentially damaging evidence away from the jury’s eyes by asking the trial judge to forbid the other side from introducing or mentioning such evidence. The judge is the filter, keeping out evidence based on whether it is “more prejudicial than probative,” or so likely to poison the jurors against a party that they may be unable to fairly decide a particular issue or the case.
It’s difficult to see offensive emails and tweets being material, or even relevant, in a typical E&O case. If a doctor leaves a sponge inside a patient during surgery, the fact that the doctor sent a distasteful email about a coworker’s appearance earlier that day adds nothing to the case. If the doctor is commenting, distractedly, about the coworker’s appearance during the surgery, that could be another story.
Emails on company network
There are plenty of good reasons to avoid writing odious emails in the workplace. The fear of an E&O lawsuit is probably low on that list. But if such messages are in the company’s network, they may see the light of day during litigation. The mere threat of them being made public could make a difference in whether a case settles at a small value or in the high six figures, as in one of these examples:
- Example No. 1: According to Vox.com (08/08/17), a leading high-tech company fired an employee who posted a controversial 10-page memo arguing for less emphasis on gender diversity in the workplace. The memo argues that the reason women are underrepresented in the tech industry has to do with “biological causes” between men and women, and criticizes the company for its ongoing diversity and inclusion initiatives, arguing that “gender gaps [do not always] imply sexism,” and declaring that “discriminating just to increase the representation of women in tech” is “unfair, divisive, and bad for business.”
- Example No. 2: The Associated Press reported on Feb. 27, 2018, that an eastern Iowa police chief was fired by the Anamosa, Iowa, City Council for having made sexist comments about a female officer in emails, and retaliated against her after she complained about his mistreatment. One email “joke” complained about “bras not showing enough of women’s ” The officer settled her suit against the city for $750,000.
The world is changing for the better. We are being called to exercise a higher standard of respect for one another. Being risk-averse is one good reason to apply the golden rule to workplace interactions. But there’s a far better one: It’s the right thing to do.
Author: Louie Castoria
Claims magazine, PropertyCasualty360.com and RMS recently participated in a Twitter chat (#PC360ClaimsTech) discussing the effect of technology on the insurance claims process. Insurance executives from multiple companies shared their insights on what’s working and how it affects claims and communication with policyholders.
“Companies are looking to reduce costs by allowing customers to self-serve and use digital tools to inspect property without having to send out an adjuster,” shared Kristin Marr, president of Valen Analytics.
In addition, “many of the leading companies are leveraging digitalization to improve processes, quality and outcomes,” according to Chris Tidball, vice president of sales and claims transformation strategy for EXL Group.
Related: InsurTech & the latest trends in core systems purchasing
Some insurers are concerned that implementing new technology could preclude human involvement with the claims process, leading to less satisfied customers. However, as Rebecca Morgan, senior director of product management for Mitchell’s Workers’ Compensation Solutions pointed out, “If we look at Amazon as an example, we have very little human interaction with Amazon employees, yet Amazon customers continue to be incredibly loyal because of the excellent overall customer experience. The same is true for insurance.”
Technology & disasters
A series of devastating hurricanes last fall allowed insurers to see first-hand the impact InsurTech can have on the claims process. “Technology is making the interactions more accurate, timely and faster,” said John Sarich, vice president of strategy for VUE Software.
RMS COO John O’Connell agreed, tweeting, “Claims processors with event response capability undoubtedly reacted fast to claims based on their real-time analytics.”
Neeraj Sibal, assistant vice president of EXL Analytics, recognizes the value InsurTech brings to the claims process and how it exceeded conventional boundaries as mobile apps allowed for the easy transmission of information. “A photo share, a video chat with an adjuster or reporting through chatbots are changing the customer experience. Early adopters of these technologies are leveraging reduced cycle times and creating happier and more satisfied customers.”
“In addition to creating a more seamless, hassle-free process, InsurTech can also help members become smarter about risk and prevent future losses,” added Derek Zahn, vice president of claims for the western division of PURE Insurance.
InsurTech is also changing the first notice of loss for policyholders and insurers. “Historically, FNOL has been very manual,” tweeted Jonathan Silverman, director, worldwide insurance at Microsoft. “It makes sense to target it as an area for improvement. Today, we can automate the identification of an accident (for example) using manufacturer’s data and the alerts when there is an impact or an airbag deployment.”
Technology is also changing the interaction between insurers and policyholders. “The use of InsurTech is key to reducing the friction points that occur at every level, including with providers,” shared Don Lipsy, managed care specialty products manager with Sedgwick.
Farhana Alarakhiya, vice president of RMS concurred, tweeting, “There are many ways – delivery of analytics to the point of impact so smarter decisions can be made that are of benefit to both the customer and insurer.”
The experts agreed that InsurTech is a positive addition to the insurance claims process for carriers and policyholders. PC360 will continue the conversation at #PC360ClaimsTech.
Author: Patricia L. Harman
A first question of course is who should be laid off. While this is largely a management decision based on which positions are the most important to future financial stability, an important HR component is making sure that the layoffs don’t put the organization at risk. Check the personnel handbook for policies that address layoff and/or severance pay, and check to see whether employees marked for layoff are on any kind of protected leave (such as family or medical leave, workers’ compensation leave, or pregnancy disability leave). If possible, speak with an HR or labor law attorney about employees on protected leave.
In most community nonprofits there aren’t, for example, 15 people holding the same position of Social Worker I, with an intention to lay off 3 of these employees. In such an instance, though, it will be important to clarify whether the layoffs are being made based on seniority, on merit, or on a combination of factors. Most organizations would prefer to lay off the least meritorious individuals with the least seniority. The nonprofit should check past evaluations and documentation of performance in order to avoid discrimination claims. For most community nonprofits, however, it will be clear that a position is being eliminated, rather than an individual being selected for poor performance. In all cases, document the whys of each decision you make, perhaps with business necessity as the main theme and with merit and seniority as considerations.
A few specific tips:
- Determine whether your organization is subject to either federal or state Worker Adjustment and Retraining Notification (WARN) regulations. Generally applicable if you have 100 or more employees, and for layoffs of 50 or more employees or 1/3 of your workforce, WARN requires 60-day layoff notices and other steps.
- It’s generally better to do a deeper layoff once than to lay off a few people at a time in dribs and drabs: the staff who remain need to feel confident that they will stay on their jobs.
- Most professionals recommend that individuals finish the day or the week after hearing about being laid off, but not longer than that. It’s usually difficult for the laid off employee to feel positive about work, and others may feel awkward around them. (See Layoff Stories from Blue Avocado Readers for examples.) But it will be key to discuss how the employee’s clients or projects will be managed after his or her departure.
- Letting people know on a Friday will give them the weekend to absorb the news.
- Have a FAQ (frequently asked questions) sheet for people who will be giving layoff news, such as what references can be given, how long the employee will have access to his organizational email account, how will her clients be notified of a change in organizational contact, and so forth.
- Give layoff information face-to-face. Don’t tell the employee how hard this is on you. Give the employee a chance to ask questions. Let them know how long their insurance benefits will continue, that they will be receiving the required COBRA (option to continue their health insurance), and unemployment insurance information. Tell them what other support the organization can provide them (such as employment references, severence pay and so on). Employees should also receive most of this information in a formal letter. (We’ve posted a sample layoff letter as a guide.)
- After layoffs have been announced, managers may be tempted to retreat to their offices and look buried in work, but encourage them to circulate with the staff, ask and answer questions, and demonstrate confidence.
Temporary layoffs, furloughs, and temporary shutdowns
Nonprofits tend to consider only permanent layoffs. Sometimes short-term layoffs can be effective ways to save jobs while protecting the organization’s financial status. For example, there may be an unexpected two-month gap between the completion of one government contract and its renewal. In the past, your organization may have been able to keep paying the individuals on that contract during the gap, but this time you may need to lay them off, letting them know that if the renewal comes through they may be called back within several weeks. However, check your state laws to see if you are required to pay out all accrued vacation if you close down for a week or more. We know of at least one nonprofit charged with violating such a requirement that had to pay substantial fines and penalties before it reopened its doors two weeks later.
A furlough is specified unpaid leave, such as workweeks reduced by one day, or months reduced by two full days each. Typically employees request the days they would like to use for their furloughs. In effect, furloughs change full-time positions into slightly part-time positions for non-exempt staff. Some furlough tips:
- Exempt employees cannot be paid for less than a full week if they have worked any day that week (remember that obscure definition of the workweek in your personnel handbook?), so furloughs don’t reduce payroll costs for exempt staff. What you can do, however, if you are furloughing exempt staff for one day per week, is to reduce their full-time salaries by 20%.
- Be clear whether employees will continue accruing vacation and receiving benefits at their full-time levels (typically yes), and whether an employee taking a furlough on a holiday will still be paid for the holiday (typically no).
- Keep in mind that some international staff on H1-B visas may need to work a certain number of hours a week to be eligible to work in the United States.
- Remind employees whose wages are being garnished or who have deductions for child support that these amounts may be affected.
Some nonprofits pick a slow week (perhaps Fourth of July week, school spring vacation, etc.) to close down. Closing for a full week allows the organization to save on both exempt and non-exempt payroll (remind exempt employees that they cannot do any work that week — even checking their work email — lest they trigger a legal requirement to pay them for the full week). Some employees may find this a relatively easy cut to accept, but for others, even a one-week closure may result in a loss of pay that is untenable. Give employees the option of using their accrued vacation pay during the shutdown or taking the week off as unpaid leave, otherwise you may be required to pay out all accrued but unused vacation.
Finally, remember that many, many nonprofits (and for-profits) are feeling the pinch. Reach out to contacts in other nonprofits to see how they’re handling things, and to identify local resources for people losing their jobs. And post a Comment below to let Blue Avocado readers know your ideas and tips.
Source: Blue Avocado
Author: Pamela Fyfe
Recently, I had the chance to spend some time at Walt Disney World in Orlando, Florida, when I attended the NAMIC conference in February. One session included a presentation by Barry Dillard, director of claims for Walt Disney World, where he shared the company’s approach to handling a wide variety of claims.
I sat down with their vice president of risk management to learn about some of the strategies they employ, and I had the opportunity to tour Walt Disney World itself to peek behind the curtain and see how this massive theme park creates the magic for its guests and cast members, while keeping everyone safe.
Believe it or not, the Walt Disney World Resort covers 40 square miles and is twice the size of Manhattan. Within its confines, this world-class attraction employs 75,000 cast members, each of whom play a critical role in spreading the Disney magic. Their emphasis on safety is both taught and caught, which is especially important when serving the millions of guests who visit the Disney attractions around the world.
The Walt Disney Company is extremely proactive in their risk management strategies — it truly is everyone’s responsibility — not just the realm of those at the corporate level. As is often the case in life, the simplest things can make the biggest difference. Merely walking the parks, hotels, shops and restaurants can yield valuable information, allowing cast members to identify small issues before they become larger ones. Even in one of the most magical places on earth – reality tends to intrude.
Unexpected risks arise every day and training plays a key role in mitigating them. Hackers are constantly devising new ways to access company information or hold it for ransom. The use of ransomware is expected to increase 350% this year, so being vigilant and backing up data has never been more important.
The number of shooting incidents in businesses and other settings is increasing at an alarming rate. Knowing what to look for and how to respond in these situations can literally be the difference between life and death.
For better or worse, new risks are changing our behavior — how observant we are in open spaces of our surroundings, what we post on social media, where and how we protect our personal information, what we open online and how we train our staffs. It really is the smallest things that can make the biggest difference in keeping people safe.
Author: Patricia L. Harman
Although weather is often unpredictable and always uncontrollable, businesses can go a long way toward mitigating damage with careful preparation. According to a 2018 report by the U.S. Chamber of Commerce and MetLife, however, more than one-third of small businesses have no emergency plans in place for natural disasters or severe weather, and while larger businesses often have business continuity and disaster recovery plans, many of them do not account specifically for weather-related events.
To ensure your organization is prepared, planning for a natural disaster should include the following steps:
- Create internal emergency-response teams and identify the roles of everyone on the team. Specifically highlighting what their roles are during weather-related emergencies will ensure each team member knows what to focus on as the event unfolds. Team members with the right skills and knowledge can then address their areas of expertise, knowing that other issues are covered by people with the appropriate skillset.
- Train key employees on technology to mobilize crisis-response teams, alert staff, and suppliers, and account for personnel safety. This preparation enables team members to move quickly when making decisions and share important information with all audiences, no matter how narrow or broad, rather than trying to learn and understand new tools in the midst of managing an event.
- Implement human resources policies for employee notification, remote work and accessibility for people with disabilities for both large and small events. In most cases, basic policies and procedures provide all of the necessary information to keep individuals safe and secure; however, some events are more complex and require giving employees specific instructions in advance.
- Create and distribute shelter-in-place, evacuation and medical emergency procedures informing employees of exactly how to respond or where to go. In many types of severe weather events, there is very little time to make decisions, so having predefined meet-up locations and procedures enables people to respond quickly and confidently.
- Keep a current list of contact information for all employees, response-team personnel, utility companies, Federal Emergency Management Agency (FEMA) officials, the local Red Cross chapter and local first-responder organizations, ensuring the right people are acting on the information that they have the skills and authority to manage.
- Build and maintain off-site support for business continuity so information channels remain open and functioning at all times, such as through a software-as-a-service (SaaS) solution that is not tied to specific hardware or a physical location that could be impacted.
Ensuring Effective Communication
Once these initial steps are complete, organizations should focus on preparing for effective communications before, during and after severe weather events to protect their operational, financial and strategic assets.
Evaluate emergency mass notification systems. When it comes to mitigating the effects of weather events on businesses, employees, customers and suppliers, speed is imperative. This should include the use of an emergency mass notification system (EMNS) to warn and update employees and suppliers about business closings and emergency measures. Some systems can automatically notify employees in advance of severe weather events as soon as the National Weather Service issues a bulletin.
Ensure EMNS can reach users through multiple channels. Effective mass notification systems use multiple methods of communication, such as phone calls, instant messages, desktop alerts, social media posts, mobile apps, SMS and emails. Using different methods of notification, or “multimodal alerting,” helps to ensure that messages can be delivered quickly without human intervention and mitigate single points of failure. Because technologies and methods of communication evolve over time, make sure to choose a vendor that stays up-to-date on how to use all means of communication.
Ensure two-way communications. Your organization’s emergency communication system should be capable of two-way communications to help ensure the safety of personnel and continuity of operations. Decision-makers within organizations need a system that not only can deliver real-time, mission-critical notifications in any message format required, but provide a way for message recipients to respond as well. With two-way notification capability, IT and security administrators can communicate with employees to determine if they are safe and report the results so the emergency response team can keep a running tally of who still needs to be contacted. This is critical during severe weather events when employees scattered across multiple locations may be impacted and must be accounted for.
Ensure geo-targeting based on severe weather track. The ability to target groups of employees, customers or suppliers in specific geographic areas is important, especially in weather-related emergencies where the severity of warnings or expected impact may differ depending on the area. The most effective systems can geographically target only those in the path of the weather event, and can automatically plot contact addresses on a map, allowing administrators to choose specific areas they want included or excluded from an alert.
Conduct periodic testing. Once the policies, procedures and communications technologies are set, they should be tested periodically with different drills for each type of weather event. Then, after the next weather event has taken place, set aside time to assess how effective the response was, and adapt and update your plan accordingly.
Author: Aaron Charlesworth
This is undoubtedly a prosperous period for the world economy, but the recent volatility in global stock markets is an indicator that times may be changing. The World Bank has forecast global economic growth of 3.1% for 2018, which will obviously benefit businesses.
At the same time, an improving business environment brings with it the prospects of wage inflation, rising interest rates, and the end of cheap money. A couple of weeks ago, U.S. stocks reacted dramatically to figures that showed U.S. wages rising faster than expected. This clearly demonstrated how jittery the markets are about the end of a loose monetary policy.
In addition to these macroeconomic developments, other significant changes are afoot. The established political order is being questioned in the United States and Europe, tensions are rising again in the Middle East, technology is transforming the way we live and work, and the United States has overhauled corporate taxation. Change brings opportunities, but it also presents risks.
5 key risks
So, what are the five key risks that should be at the forefront of risk managers’, CFOs’ and treasurers’ radars in 2018? And what are best practices for managing them?
Cybercrime is an ever-growing and ever-present threat. It is a particular concern for corporate treasurers since the cash flows they’re responsible for are a key interest for most cybercriminals. In 2016, research by the Association for Financial Professionals found that almost three-quarters (74%) of the organizations that it had surveyed had been the target of attempted or actual payments fraud, including check fraud and unauthorized transfers of funds associated with business email compromise attacks. Almost a third (29%) of those that had been targeted by fraudsters had lost $250,000 or more.
Companies that don’t have the right systems in place to detect unusual or suspicious behavior may potentially end up exposing their organization to serious reputational damage and significant financial loss. Yet the Hiscox Cyber Readiness Report 2017 found that more than half (53%) of surveyed companies in the United States, U.K., and Germany were ill-prepared to deal with an attack.
Cybercrime cost the global economy over $450 billion in 2016. Risk managers, CFOs, and treasurers must talk to their technology vendors to make sure they are investing in the most effective security capabilities for their systems.
2. Rising interest rates and the end of cheap cash
For years, large companies have been able to borrow money at extremely low rates. In the seven years that followed the financial crisis, U.S. businesses were typically borrowing from banks at interest rates in the region of 3.25%, while the corporate borrowing rate in the U.K. dipped as low as 2.65% in 2009.
Even as recently as December 2017, the average interest rate in the Eurozone on a fixed bank loan of more than €1 million for a period of 10 years or more was 1.75%, according to the European Central Bank (ECB).
The clock is ticking on cheap money
In the bond markets, borrowing costs plunged even lower over the past decade. Some companies, including French pharmaceutical maker Sanofi and German consumer goods producer Henkel, even managed to issue negative-yielding debt.
However, the clock is now ticking on cheap money. The U.S. Federal Reserve has hiked interest rates five times since December 2015. Last November, the Bank of England announced its first hike in more than a decade.
The ECB is expected to follow suit, and the Bank of Japan is cutting back on its bond-buying program, suggesting that its rates, too, will rise in due course. Businesses should expect their funding costs to increase over the coming months and years. Highly leveraged companies can expect to feel the biggest squeeze.
To avoid unwanted questions from the board about the impact of the rising cost of cash, global risk managers, treasurers, and CFOs should look to refinance debt early and for an extended period in order to reduce their exposure to rising funding costs. They can also mitigate the risk of higher borrowing costs through effective cash management, by better utilizing global cash surplus balances to reduce short-term borrowing, and through due diligence on mergers and acquisitions (M&A) to make sure their company doesn’t overpay for a deal that it later regrets.
3. U.S. tax reform
As of the first of this year, U.S. corporate taxes were slashed from 35% to 21%. What’s more, the reform package includes a one-off repatriation tax on corporate earnings held overseas — 15.5% for liquid assets and 8 percent for illiquid assets — that is intended to encourage U.S. companies to bring home cash they previously stashed abroad.
On the face of it, the tax reform seems beneficial for foreign companies doing business in the United States, since their subsidiaries here will pay less tax. Yet some of the rules, including a base erosion and anti-abuse tax (BEAT) and a cap on the deductibility of interest, present challenges for some multinationals that move money back and forth across the U.S. border. CFOs and treasurers need visibility into their organization’s cash flows to and from the United States, and they should review its strategy for intercompany loans.
Although the United Kingdom is set to leave the EU on March 29, 2019, there will almost certainly be a two-year transition period to smooth its departure. During this transition, the U.K. will have to abide by EU rules in the same way that it does today. The longer-term implications of the split are not yet clear, though, since a trade deal has yet to be thrashed out.
One area to keep an eye on In the past, U.K. regulators have had a great deal of influence over the EU’s financial services regulations. Going forward, there could be a divergence between U.K. and European banking rules — for example, in terms of how banks adopt the Basel III capital and liquidity standards.
According to PwC, the uncertainty associated with Brexit poses a number of specific challenges for treasurers, including foreign exchange volatility, possible funding shortages, and increased counterparty risk if companies have to suddenly develop relationships with unfamiliar financial institutions. The firm suggests that organizations put in place processes and systems which enable them to readily access their cash, monitor their treasury risks, adapt their financing strategies to changing markets, and manage their relationships with financial institutions.
5. Economic Shock
So far, the volatility that we’ve seen in the equity markets in 2018, can be better described as a correction than as a crash. Nevertheless, a catastrophe may lie around the next corner. It is no coincidence that the fall in equity prices coincides with the rise in bond yields that has come about as a result of governments buying fewer bonds. In early February, the benchmark U.S. 10-year Treasury bond hit 2.85%, its highest point in four years, as investors pulled out of equities.
The current market conditions have two significant implications for corporate risk managers and treasurers: First, as the yields on government bonds rise, it will become harder for companies to issue bonds with historically low coupons. And second, should a major stock market crash occur, it could dent consumer sentiment and cause both people and businesses to cut back on their spending, which would, in turn, squeeze companies’ cash flow.
Difficult market conditions may also prompt banks and bond investors to refuse to fund to companies that are seen as undesirable credits. Of course, it’s virtually impossible for a company to buffer itself from the full impact of a major economic shock, but sound working capital management can play a vital role in helping an organization to survive even the toughest of times.
A state of constant flux will continue to plague the global economy. In this environment, successful businesses will be those that are able to respond quickly.
Risk managers, CFOs, and treasurers who can’t capitalize on the opportunities presented by changes in the economy will put their organizations at risk of falling behind. Fortunately, effective cash management is a great foundation for long-term business agility, especially when combined with powerful technological tools such as in-house banking capabilities, notional cash pooling, and payment fraud detection systems.
Ultimately, change does not have to be a threat to organizations. By harnessing technology, smart companies turn it into a great opportunity to profit and grow.
Author: Greg Person