Cybersecurity breaches have become the top financial threat facing companies, making it essential for CFOs to play a pivotal role in managing the risk. National and corporate cybersecurity is the greatest area of threat facing the world economy over the next ten years, according to the 2019 EY CEO Imperative Study.
One reason global business leaders place cyberattacks above all other threats is the huge financial risk associated with prevention and recovery. The average cost of an attack has been rising rapidly and now stands at $3.9 million, according to the annual Cost of a Data Breach Report by IBM and the Ponemon Institute.
The risk of an attack includes direct financial costs, heavy regulatory fines, and loss of trust amongst customers, employees, and suppliers. It can also be systemic, affecting multiple businesses and supply chains.
Guy Melamed, CPA, is CFO and COO at data security company Varonis. He said too many executives are blissfully unaware of their risk and surprised when they learn they have exposed data vulnerable to cyberattacks.
Varonis’s research of 785 organisations found that one out of every five server file folders is open and exposed to every employee in the organisation. More than half of organisations have more than 1,000 sensitive files open to everyone. Such exposure leaves the organisation vulnerable to regulatory fines for privacy violations. And it only takes one sensitive file getting into the wrong hands to potentially destroy an organisation.
CFOs should therefore be discussing cyber-risk exposure with their chief information officer (CIO) and chief information security officer (CISO) regularly, Melamed said.
Cecilia Locati, FCMA, CGMA, the founder and governance, risk, and compliance director at Internal Control Toolbox in the US, said the rise of cybersecurity concerns means CFOs now need to keep it high on their agenda at all times.
“Cyberattacks can have a devastating impact on the company’s finances and reputation, which is the CFO’s core responsibility,” she said. “CFOs don’t need to be cybersecurity experts, but they need to contribute to preventing cybersecurity risks where possible.”
Aligning business and security
Steve Vintz, the CFO of Tenable, a global cybersecurity company based in Maryland, went a step further. He encourages CFOs to keep cyber risk top of mind, making it part of their regular dialogue with the C-suite and other operating leaders as they assess the business’s overall health and risk posture.
CFOs must seek to understand their organisation’s cyber exposure gaps and associated financial risks to the business, its people, and its processes, he said. This will help them see where and to what extent they should apply security resources and investment. This requires CFOs to join forces with CEOs, CIOs, and CISOs to understand all the risks and potential costs.
“I cannot stress enough the importance of CFOs becoming active members of the security team, rather than just passive observers,” Vintz said. “Because of the financial risk, CFOs cannot simply leave it to IT and risk management professionals. They do need to understand the role of technology in addressing cyber threats. They also need to ensure their cybersecurity strategy aligns with the overall business strategy. In return, security professionals need to speak a language that executives understand.”
Regulation and breaches
Regulatory requirements on companies around cybersecurity have become much more stringent in many countries, and CFOs need to help their companies comply with and report on the risks. For example, the US Securities and Exchange Commission is now placing a strong emphasis on reporting cybersecurity risks in Form 10-K annual reports.
Also, the EU’s General Data Protection Regulation (GDPR) calls for heavy fines for substandard security practices. The GDPR requires companies to notify the supervisory authority of a personal-data breach within 72 hours of becoming aware of it, which is a short time in which to assess the potential fallout.
So, if a breach occurs, CFOs need to work closely with legal, IT, and security teams to understand the extent of the damage for reporting and disclosure purposes.
Locati said that in a breach, CFOs should immediately work to contain the damage. They should also move to plug any gaps in the finance department’s measures and controls to prevent future attacks.
CFOs need to be realistic about their role in managing cyber-risks, as they are not likely to take the time to become certified security professionals. But their risk management skills are essential, as they have the training and the expertise to quantify the financial risks and ensure the company is taking proactive steps to limit them.
They are also in a perfect position to ask technical experts the right questions to ensure the organisation is meeting regulatory and privacy requirements.
Melamed said that many executives are unaware of the extent of their organisations’ risk. “They make assumptions about their security instead of meeting their IT and security teams and asking tough questions such as, ‘How do we know important data is where it is? How quickly would we know if someone started deleting it?’”
For example, if a CFO doesn’t know who has access to their financial statement folder, Melamed said, and “whether those confidential documents are open to everyone in the company, which is way too often, they should start that conversation with their security team today”.
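The two questions above (which sensitive files are open to everyone, and how quickly a run of deletions would be noticed) can be turned into checks the security team can run and report on. The following is an added example written for this article, not code from Varonis or any product mentioned here. It assumes a POSIX file server, uses the "world-readable" permission bit as a portable stand-in for a Windows share granted to Everyone or Domain Users, and runs against a constructed sample folder tree and a constructed list of audit events rather than real data.

```python
"""Added example: two checks behind the questions a CFO should ask.

1. find_exposed(root, markers): walk a folder tree and list files that are
   readable by 'other' (the POSIX world-readable bit, used here as a stand-in
   for an 'Everyone' ACL) and whose name suggests sensitive finance content.
2. deletion_bursts(events, window_s, threshold): replay audit events and flag
   any actor who deletes at least `threshold` files within `window_s` seconds.
Both inputs below are constructed sample data, not real files or logs.
"""
import os
import stat
import tempfile
from collections import defaultdict, deque

SENSITIVE_MARKERS = ("financial", "statement", "payroll")  # assumed naming convention


def find_exposed(root, markers=SENSITIVE_MARKERS):
    """Return sorted [(relative_path, octal_mode)] for files under `root` that are
    world-readable AND whose file name contains one of `markers` (case-insensitive)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            world_readable = bool(mode & stat.S_IROTH)
            looks_sensitive = any(m in name.lower() for m in markers)
            if world_readable and looks_sensitive:
                hits.append((os.path.relpath(path, root), oct(stat.S_IMODE(mode))))
    return sorted(hits)


def deletion_bursts(events, window_s=60, threshold=20):
    """events: iterable of (epoch_seconds, actor, action, path).
    Keeps a sliding window of DELETE timestamps per actor and returns
    {actor: epoch_seconds_at_which_threshold_was_first_reached}."""
    windows = defaultdict(deque)
    alerts = {}
    for ts, actor, action, _path in sorted(events):
        if action != "DELETE":
            continue
        q = windows[actor]
        q.append(ts)
        while q and ts - q[0] > window_s:      # drop deletes older than the window
            q.popleft()
        if len(q) >= threshold and actor not in alerts:
            alerts[actor] = ts
    return alerts


def build_demo_tree():
    """Create a throwaway folder tree (constructed sample data) and return its root."""
    root = tempfile.mkdtemp(prefix="cfo_audit_")
    os.makedirs(os.path.join(root, "finance"))
    samples = {
        "finance/Q3_Financial_Statements.xlsx": 0o644,  # open to everyone: should be flagged
        "finance/payroll_2023.csv": 0o600,              # locked down: should not be flagged
        "finance/lunch_menu.txt": 0o644,                # open, but not sensitive
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root


# Constructed audit events: one user deletes 25 files in 25 seconds (a burst),
# a backup account deletes 5 files spread over 40 minutes (normal housekeeping).
SAMPLE_EVENTS = (
    [(1000 + i, "jdoe", "DELETE", f"finance/doc{i}.pdf") for i in range(25)]
    + [(2000 + i * 600, "svc_backup", "DELETE", f"archive/old{i}.bak") for i in range(5)]
    + [(1005, "jdoe", "READ", "finance/Q3_Financial_Statements.xlsx")]
)


if __name__ == "__main__":
    root = build_demo_tree()
    print("Exposed sensitive files:", find_exposed(root))
    print("Deletion bursts:", deletion_bursts(SAMPLE_EVENTS))
```

On the constructed tree only the financial-statements workbook is reported, and only `jdoe` trips the deletion threshold (at the twentieth delete, 19 seconds into the burst). In a real environment the first function would be replaced by a query against the share's ACLs and the second would read the file server's audit log; the point is that both questions have measurable answers the security team can put in front of the CFO.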
Role of management accountants
All finance professionals need to be involved in managing cybersecurity risk — not just the CFO.
Locati said management accountants should understand that protecting the company against cyberattacks is not solely the IT department’s responsibility. A state of heightened alert, along with ongoing training and preparation to identify common types of attacks, is essential throughout the finance function.
“The best defensive strategies involve all the departments of the company,” Locati said. “Finance professionals have a key role in establishing and operating internal controls around areas that attacks often impact, such as payment processing.”
Locati said financial professionals should work closely with their IT security department or cybersecurity experts to identify possible cyberattack scenarios and assess and manage the risks.
“A chain is only as strong as its weakest link, and hackers will always try to identify the weakest link,” she said. “This is especially true when social engineering techniques are employed and different people in the organisation are targeted to acquire information or influence behaviours.”
— Tim Cooper is a freelance writer based in the UK. To comment on this article or to suggest an idea for another article, contact Neil Amato, an FM magazine senior editor, at Neil.Amato@aicpa-cima.com.