14 December 2017 | By Vineet Khurana Community

The CFO and cybersecurity

A chief financial officer must understand the risks, how cyber threats are managed and the costs involved

Chief financial officers are playing an increasingly important role in the fight against cyber attacks. In more and more cases, it falls to them to advise other board members on the possible financial impact of a data breach and ensure that sufficient funds are allocated for preventing and containing potential incidents. As data becomes one of the most important assets for many organisations, the CFO must start to actively think about data security.  

But first CFOs must understand the risks and how cyber threats are managed.

Understanding cybersecurity risk

CFOs should work with security experts to assess the company’s most valuable digital assets and who has access to them. Having a clearer picture of how data assets are linked to different systems, suppliers, external stakeholders and employees within the organisation will help the CFO when allocating funds for cybersecurity activities.    

IBM surveyed over 700 C-level executives on cybersecurity and found that many business leaders are confused about the true nature of cybersecurity threats and how to effectively combat them.

The study revealed that executives within finance, HR and marketing felt the least engaged in threat management activities, despite being responsible for some of the most sensitive information in their organisations. This disconnect must be addressed if organisations are to bring down the cost of cybercrime. And that means improving trust across all teams and investing in training.  

Know your cyber defence

CFOs should be more curious and ask questions about existing policies and systems governing access to sensitive information. For example, what measures are in place to prevent external hardware, such as guests’ laptops, from entering parts of the company network that should not be accessible?

They will also need to be mindful of the General Data Protection Regulation (GDPR) coming into force on 25 May 2018. This stipulates new requirements for processing and handling data – as well as potential fines for failings of up to €20m, or four per cent of annual turnover of the preceding financial year, whichever is higher.

Assess the financial impact of a breach

Many organisations spend capital and resources on breach prevention and put less emphasis on breach detection and containment. Yet the majority of the costs associated with a data breach can be dramatically reduced by improving the speed and effectiveness of response to cyber incidents.

IBM’s study into the financial impact of cybercrime revealed that the average total cost of a data breach in the UK is approximately £2.5m – and that cost is directly related to the time it takes to identify and contain the breach. The data also revealed that the mean time for identifying a breach is around 200 days, exposing organisations to significant risks.

To be able to evaluate the financial impact, CFOs need to understand what processes the business has in place to detect breaches and minimise the scope of potential attacks.

Collaborate to combat cyber threats  

The organisations most successful in effectively combatting cyber threats are the ones which foster strong collaboration across their businesses. It is vital for CFOs to work with the rest of the board, the IT department and the security team.

As the CFO gets closer to the security team, they get a much clearer picture of the costs associated with building a cybersecurity strategy. Think for a moment about the potential direct costs for audit and consulting services, legal and compliance advice, compensation to victims of a breach, as well as losses resulting from potential customer churn.

Think also about indirect costs such as the time and organisational resources required to contain a breach as well as potential reputational damage and lost business opportunities. CFOs will need to decide on investment in technology, training and resource planning to ensure the business is ready to deal with a breach.

We have seen some very real examples of the cost to business, and society, when organisations are hit by cyber attacks – with WannaCry and Petya ransomware causing notable damage in the UK. What continues to be alarming is that businesses are not prepared for, or responding to, cyber attacks in a timely manner. Only 25 percent have an incident response plan applied consistently across the organisation and 23 per cent have no incident response plan at all.

To be better prepared for cyber breaches, companies will need to have a clear and integrated cybersecurity strategy where all lines of business have responsibility for that plan. The CFO has a unique position from which to drive the cybersecurity strategy, so that there’s a better chance of shutting incidents down quickly – and, therefore, reducing the financial and reputational impact to an organisation.

Join the discussion