The media headlines on cybersecurity breaches and loss of personal data make for sober reading, and they are appearing with increasing frequency. Data security is a significant and increasingly expensive business risk. Today, almost every social or commercial interaction creates a digital footprint. Unauthorised disclosure, communication, or manipulation of that data is no longer just an IT issue but an enterprise risk that can have severe financial consequences.
IBM estimates that the global average cost of a data breach in 2023 was $4.45 million, a 15% increase in the past three years. The Wall Street Journal reported that more than 110 million user accounts were leaked through data breaches globally in the second quarter of 2023 alone. In many cases, the damage to an organisation’s reputation and level of trust can dwarf the direct financial cost of a loss.
So, what does this have to do with finance?
Finance has always played a pivotal role in managing data across an enterprise — after all, an accountant’s primary purpose is to ensure the integrity of an organisation’s financial statements that are derived from data generated by business operations.
Historically, finance has focused on financial data stored in the general ledger and sub-ledger systems. The accounting code block and chart of accounts, which define the attributes of transactions and the accounts to which they should be posted, have underpinned a framework of governance, discipline, and data management that worked well for many decades. However, automation, e-commerce, and digitisation have advanced the types of data being used (eg, market, customer, operational, product, service, environmental, health, safety, control, and compliance); and the volume of data has expanded exponentially with no end in sight.
Today, finance is either the owner or a partner with IT or emerging roles such as a chief data officer (CDO) or chief information security officer (CISO), ensuring data security practices are appropriate, comprehensive, and effective. Disciplined governance must now extend from financial data to all data. This data may be housed in many parts of the organisation or with business partners and service providers.
Developing a strategy
An effective data security strategy needs to address all elements of a business’s ecosystem because risk exists at every node. Finance plays an integral role in defining and operating an effective data security system through a combination of governance, stewardship, and risk mitigation. This is a multifaceted role that embraces policy-making, standard-setting, data ownership and stewardship, reporting, and compliance.
The three most important steps in developing an effective data security strategy are:
1. Conducting a data security risk assessment that identifies the types of data within your organisation and the impact of risk events such as (a) data loss, (b) data corruption, or (c) unauthorised disclosure of data.
2. Ensuring the data security policy defines the level of risk the organisation is willing to bear. The four levels of risk to consider are:
- Avoidance. At first glance, risk avoidance might seem the preferred choice. However, not all risks can be eliminated. In some instances, the cost of avoidance may be greater than the risk of loss.
- Reduction. Risk reduction looks to limit the potential impact of data security breaches to a manageable level. One of the simplest examples of data security risk reduction is the evolution of system and website log-on protocols from user-defined passwords that are infrequently changed, to multifactor authentication and biometrics.
- Transference. Risk transference can be accomplished in different ways. Utilising third parties to perform elements of an organisation’s data security and enshrining their responsibilities for ownership, accountability, and liability for different types of data risk in contracts is one such way. Cybersecurity insurance that can mitigate the losses associated with data breaches, cyberattacks, and terrorist acts that disrupt business systems is also available.
- Acceptance. For most organisations, there will be a point at which the cost of control exceeds the risk of loss. In this case, an organisation can choose to accept some level of data security risk. This is equivalent to self-insurance as the organisation chooses to bear the liability associated with any data security breaches.
3. Defining the appropriate combination of policy, process, behaviours, and technologies that will provide a sustainable and cost-effective data security environment.
Besides playing a key role in the development and operation of an organisation’s data security strategy, finance teams typically own the regulatory reporting requirements regarding data security. These requirements are evolving rapidly — in the US, the Securities and Exchange Commission (SEC) issued new regulations in July 2023 requiring that reporting companies provide disclosures annually on their cybersecurity risk management, strategy, and governance.
Also, in the US there is a disclosure requirement on SEC Form 8-K, Item 1.05 to be made within four business days of the “registrant determining that a cybersecurity incident is material”. Under the EU General Data Protection Regulation (GDPR), the UK GDPR, and the UK’s Data Protection Act 2018, reporting by organisations of certain data breaches to the relevant authority must be made without undue delay and at the latest within 72 hours after becoming aware of the breach.
Ensuring that an appropriate mechanism is in place to identify, diagnose, and report breaches is a minimum standard that must be met.
The AICPA has developed a cybersecurity risk management reporting framework that provides a comprehensive outline that management can use to describe their organisation’s cybersecurity programme. Also, an increasing variety of local rules or voluntary standards apply to data security. For example, SOC 2, SOC for Service Organizations: Trust Services Criteria, is a voluntary compliance standard for service organisations developed by the AICPA, which specifies how organisations should manage customer data.
So how does finance assess whether it is an effective partner in an organisation’s overall data and cybersecurity ecosystem? The following checklist provides a guide to the foundational questions CFOs and their teams should be asking themselves.
Cyber and data security checklist for finance teams
1. Have our financial data security standards kept pace with the changes in data sourcing, usage, communication, and storage?
2. Are our controls adequate to address the risk of loss, manipulation, or unauthorised disclosure of financial data?
3. Do we apply the same standards to nonfinancial data such as sensitive customer and personnel data?
4. Are data security requirements embedded in contracts with customers, suppliers, business partners, and employees? Is adequate training and education funded?
5. Have we defined our willingness to pay a ransom in the event of a cyberattack? If so, how much are we willing to pay? To what extent have we insured ourselves?
6. Are our data and cybersecurity functions adequately financed and resourced?
7. Does our board have adequate understanding and expertise in cybersecurity given our risk profile?
8. Do we routinely track changes in data and cybersecurity regulations across all the jurisdictions in which we do business?
9. Do we have a strategy to address emerging risk areas such as artificial intelligence, remote working, and the digitisation or tokenisation of assets on a blockchain where assets are traded on a digital platform?
10. Is our CFO or finance director able to explain the financial consequences of potential data and cybersecurity threats to the executive team, board of directors, investors, and regulators?
Our abilities to generate, process, and analyse data are creating completely new markets and revolutionising existing markets. However, with great opportunity comes great risk. As custodians of the organisation’s financial assets, finance needs to understand the potential impact of data and cyber risk events in terms of direct financial loss and indirect impact on enterprise value and ensure that investments in security are appropriate to the risks the organisation faces.
David A. J. Axson is a former managing director with Accenture, co-founder of The Hackett Group, Inc., and former head of corporate planning at Bank of America. He currently serves as part-time finance director of Shrap, a start-up focused on the digital reinvention of cash. To comment on this article or to suggest an idea for another article, contact Oliver Rowe at Oliver.Rowe@aicpa-cima.com.