Yosra Jarraya: When payments must go on

Why are cyber attacks a different kind of risk compared to COVID or an electricity outage?

Most large companies are used to managing many risks. Teams have learned to work from home after COVID, or to switch operations to another part of the world, whether the Indian, Singapore or US treasury team, when an electricity outage hits, like the one Spain saw recently. A cyber attack is different. The moment it starts, the scope is almost immediately the whole international company. You cannot rely on working from home, or on a colleague on another continent, because nobody has access to any software whatsoever. Recent months tell the story. Jaguar was down for two months with two billion pounds of UK state support, Marks & Spencer lost seven weeks and £300 million of EBITDA, the EU Commission was hit, and in Luxembourg LuxTrust went down for 24 hours.

What is the difference between a business continuity plan and an executable resilience strategy?

Most companies feel they have checked the box because they have a business continuity plan. A BCP is, put simply, a PDF document explaining what is important and what to do, and it usually says wait for IT to restore the system. That does not work. What IT teams rarely admit, but real cases like Marks & Spencer and Jaguar prove, is that bringing back even the most critical systems takes more than three weeks. A continuity plan that does not keep your business running is not enough. You need a real substitute for your treasury management system and your ERP. The more your processes rely on digitalised solutions, the more exposed you are. A just-in-case simple and robust business application, where processes & vital data live and teams can train, becomes essential.

What are the critical processes a treasurer should protect?

We have worked with companies like Sanofi, Elior and Eiffage, and the lesson is always the same: start with treasury. Treasury is the oxygen of the company. Without the ability to pay, collect and manage cash, nothing else functions, whatever your business. That message must reach the highest level of the organisation. From there, priorities depend on the model. If you are cash rich but need to deliver life-saving products fast, paying critical suppliers comes first. For most companies, paying employees on time is non-negotiable, sometimes every week. For distribution-led businesses with thinner reserves, cash collection is the urgent question, since they cannot afford to lose visibility on incoming flows or bank account balances. The risk is no longer if a cyber attack will come, but when.

“The risk is no longer if a cyber attack will come, but when. Take back control and be AlwaysReady. »