Cyber security has been a major problem for companies since Tim Berners-Lee was a twinkle in his mother’s eye, but it does not appear we are getting anywhere near a real solution. In 2015, a number of the world’s largest organizations suffered massive data breached, including TalkTalk, Harvard University, and even the National Guard. These breaches had highly damaging results - both financially, and to their reputations. The 2015 Cost of Data Breach Study by IBM and the Ponemon Institute found that the average total cost of a data breach was $3.79 million - up from $3.52 million in 2014. Target, for example, paid out $10 million to customers following a breach, many of whom are unlikely to trust the company with their information again.
In a recent survey of CFOs and corporate finance executives by Grant Thornton, half of respondents cited cyber threats as a chief concern. A Protiviti survey of 650 CFOs, vice presidents of finance, corporate controllers, and other finance management professionals further found that the second highest priority for CFOs in 2016 was cyber security risks, behind only margins and earnings performance. Cyber breaches are arguably the biggest threat facing ALL companies at the moment, and the responsibility for ensuring that their data is protected is no longer just the IT department’s, it is the duty of all C-suite executives to play an important role in safeguarding their organization, its assets, and its customer’s interests. And none more so than the CFO.
The CFO is central to an organization’s cyber defense strategy because they have the best view of the entire company’s threat landscape, and can allocate funds to those areas that need the most protection using a risk management cost-benefit model. Companies are realizing this, and increasingly delegating responsibilities to the CFO. According to a survey by the American Institute of CPAs of holders of the Chartered Global Management Accountant designation, 72% of companies have now asked the finance function to take on more responsibility to deal with cyber-attacks.
AICPA Vice President of CGMA External Relations, Ash Noah, said of these findings that: ‘The finance function has a unique view into the complexities of the business, as well as an in-depth understanding of the industry, markets and risk climate, yielding important insights for a company’s strategic direction. As the finance function continues to evolve to become more business-centric, it’s critical for finance executives, from the CFO down, to play a driving role in preparing for and addressing potential cyber-risks for the long-term growth of the company.’
For CFOs, getting a handle on cyber risk can be a frustrating process, as many are not strictly speaking ‘technical’ people. One of primary issues they face is that they typically don’t have trend information on their companies’ vulnerability. They need to work closely with the CIO, the chief risk officer (CRO), and the chief information security officer (CISO) to develop a cohesive strategy, and maintain communication so as be constantly vigilant. They also need to work together to share knowledge. Most CFOs understand the need to play an active role in managing cyber security, but many lack a real understanding of the threats they face and the tools they might use to neuter them. Research by recruitment firm Harvey Nash, who interviewed almost 200 senior cyber security professionals, found that 41% of cyber security professionals believe their CFO has a major gap in their understanding of cyber risk, or don't understand the risk at all. CFOs need to work hard to either fill the holes in their knowledge, or correct the impression that they have them.
Perhaps the most vital thing for CFOs to understand is that no protection against cyber attacks is going to be absolutely foolproof. Target and TalkTalk would certainly have thought they had everything in place to mitigate the risks, probably until the moment the first tranche of customer details were posted all over the internet. Protection requires constant investment to keep up, and even with this expenditure, it is still pretty much inevitable that you will be attacked. Verizon has found that almost 80% of attackers took just days to infiltrate their targets, yet only a third of companies managed to detect the attacks within the same time frame. The aim is not keeping people out, it’s about building the strategy and processes to identify and counter a breach as soon as possible.