There's no question that cybersecurity risks should be top of mind for any organisation. Cybersecurity failure is expected to be one of the critical threats the world will be facing in the next two years, according to the World Economic Forum 2022 Global Risks Report. Cybersecurity threats "are outpacing societies' ability to effectively prevent or respond to them", according to the report. The WEF's Global Security Outlook 2022 found that "only 19% of cyber leaders feel confident that their organisations are cyber resilient."
The question, then, is how finance professionals can use their knowledge and skills to advance efforts to prevent and mitigate cyberthreats within their companies.
"It's important not to underestimate how important the role of finance is," said Casey O'Brien, director of cybersecurity at S-RM in London. "Finance professionals, who are analytic and experienced in critical thinking, are invaluable to addressing cyber risk." Unfortunately, many outside the department may not be aware of the contributions that finance can make, according to O'Brien.
Here are five ways that finance teams can drive the effort to prevent and mitigate cyber risk.
Follow the money.
"Financial assets are the crown jewels of the organisation," O'Brien said, and cyberattacks are frequently financially motivated.
"But you need to understand what the assets are in order to secure them," he said. A Gartner report recommended identifying key financial data assets and software applications, such as cloud finance solutions, and their vulnerabilities. "The vast majority of cyber incidents are economically motivated," according to an AIG report, with targets that include financial data and business plans. Meanwhile, the cloud technology where that data is housed may leave organisations open to attacks. A total of 68% of malware downloads came through cloud applications, a Netskope study found. A data breach at file-sharing platform Accellion in 2020 affected clients that included Bombardier, Royal Dutch Shell, and the Reserve Bank of New Zealand, according to Compliance Week.
Finance professionals can then play a critical role in securing those assets because of their knowledge of how finances are organised, where the key data is, and what systems are used, O'Brien said.
An organisation's risk register captures and describes identified risks, and finance is often the holder or owner of that register, noted Mary Dowd, FCMA, CGMA, the CFO at Crossword Cybersecurity in London. Finance can ensure that the risk register is being reviewed by the C-suite and the board and that relevant levels throughout the organisation are contributing to it and being made aware of ongoing cyberthreats, she recommended.
Also, as the gatekeeper of transactions with the organisation's outside suppliers, the finance team can offer insights on managing third-party risks, Dowd noted. Damage can occur when cybercriminals gain access to an organisation's data through its suppliers, subsidiaries, or merger-and-acquisition partners. A World Economic Forum survey found that "almost 40% of respondents have been negatively affected by a third-party vendor/supply chain organisation cybersecurity incident."
Focus on consequences.
Finance is well positioned to quantify and communicate potential results of any failures to effectively address threats, such as the reputational and economic damage that could occur because of a cyberattack. Reputational risk, for example, can diminish an organisation's standing in the marketplace. The damage can occur when a company's customer or vendor data is exposed due to insufficient cyber risk management. It can threaten the survival of even the largest and best-run businesses by harming market capitalisation or future profits, according to a Black Kite report. This can happen if it appears the cyberattack occurred due to lax cybersecurity and can be magnified if the company attempts to cover up the attack or postpones reporting it. As for economic damage, Cybersecurity Ventures expects global cybercrime costs to soar to $10.5 trillion by 2025, up from $3 trillion in 2015. Economic damage can result from outright loss of financial assets due to breaches and from service interruptions that make it impossible to do business, remediation to affected customers or business partners, and costly litigation.
Finance can also take a role in helping to ensure compliance with regulations such as the General Data Protection Regulation (GDPR) and related legal and regulatory mandates. Educating company leadership and other teams about these regulations can help them understand the seriousness of data breaches and how to address them, according to Dowd.
Change thinking about cyber outlays.
Cybersecurity spending should be seen as an investment instead of a cost, O'Brien said. Finance can shift perceptions by reminding organisations that they are securing their operations. "It's more meaningful if that message comes from the people who actually hold the purse strings," he said.
The finance team can also offer informed advice on making the best use of cybersecurity spending and on allocating it properly.
"It's very easy to overspend on cybersecurity or to spend in the wrong areas," O'Brien said. Many companies may waste resources by failing to analyse where money is truly needed, instead throwing cash at the problem and hoping it will prevent all threats. "Finance can help ensure budget decisions are robust and challenged." For example, some organisations may end up paying a great deal for a technology solution simply because it is flashy and new. To prevent that from happening, the finance team might ask why the technology is right for the organisation and whether it truly offers more benefits than, for example, better educating employees on how best to secure the organisation, O'Brien said. Finance might also question whether workers are equipped to use the technology to best advantage. In both cases, an investment in training may be called for.
Be front and centre in planning.
All organisations should have a risk security committee that includes a senior finance person and that sets cybersecurity high on its agenda, Dowd said. The board may also need a cybersecurity risk subcommittee, depending on the organisation's size and the depth of knowledge available on the board, with a senior finance person involved. She recommended that long-term spending plans consider unknown risks, which may require penetration testing for weaknesses in the organisation's infrastructure.
On the mitigation side, while the incident response plan might be overseen by the CIO, the finance team should be involved as well. "If an organisation is hit with a ransomware attack and must go offline for a few days, knowing what the financial impact might be is key," O'Brien said. "You want someone who really understands the finances of the business to contribute to that assessment." The Gartner report also suggested assigning a finance team leader to the initial response team to evaluate possible economic damage from an attack and develop effective responses.
Set the right tone within the team.
"The leading cause of data breaches is human error," Dowd noted. Finance team leadership can set an example for the organisation by building a culture of cybersecurity that ensures finance professionals operate at the highest standards and have the appropriate resources. Examples to consider in developing standards include the GDPR, the UK's Cyber Essentials aimed at small and medium-size businesses, and the International Organization for Standardization's 27000 Series. "You can use standards and regulations as a tool to consider how to enforce and share the seriousness of data breach and the threats to reputational risks and finances" with the team, Dowd said. In addition, she said that organisational culture should affirm that employees will not be punished for reporting something suspicious.
Continuing professional development within the finance department should include training on new technologies and related cybersecurity concerns. "Cloud migration has enhanced the data backup and recovery but also added risk," Dowd said. At the same time, the internet of things "offers new ways for businesses to create value; however, the constant connectivity and data sharing also creates new opportunities for information to be compromised", according to a Deloitte report. Dowd recommended, too, that organisations consider how the metaverse will affect cyber risk concerns as that technology evolves. Metaverse concepts, such as digital economy innovations like cryptocurrencies, are relevant to businesses already, according to a PwC report, but it added that "risks are real too".
Cyber risk is complicated and constantly evolving, so the effort can seem overwhelming, Dowd acknowledged. Don't give up, however. "Recognise that not all possible eventualities can be anticipated, but you should have a plan in place which will enable you to react if the worst happens," she said.
— Anita Dennis is a freelance financial writer based in the US. To comment on this article or to suggest an idea for another article, contact Drew Adamek at Andrew.Adamek@aicpa-cima.com.