Published on the 30/01/2019 | Written by Jonathan Cotton
When financial risk is a cyber risk, should CFOs be taking greater responsibility for security?...
The business environment – and specifically the IT business environment – is a rapidly evolving beast. As new cloud and mobile-based business models emerge, as the regulatory environment grows more complex and focused on strengthening customer data rights, and as cyber attacks grow more frequent and sophisticated, the nature of ‘risk’ – at least as far as it’s understood by CFOs – is changing.
Not only do cyber attack events like WannaCry and the Equifax hack grab global headlines, the cost of such breaches can be news itself: the former is estimated to have cost the UK’s National Health Service almost £100m; the latter, US$439m.
The average cost of a data breach? More than US$3.8m, according to the Ponemon Institute, not including reputational damage, lost business, customer turnover and operational costs.
“While highly publicised data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified,” says Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services (IRIS).
“The truth is there are many hidden expenses which must be taken into account, such as reputational damage, customer turnover and operational costs. Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake.”
But that investment is typically low. According to Gartner, just five percent of company IT budgets are directed towards security.
Given that cyber attacks now account for a clear and present financial risk – and as the distinction between financial risk and cyber risk breaks down – there’s a growing chorus calling for C-suite bean counters to get serious about cyber.
One survey found 40 percent of IT professionals believe the C-suite doesn’t take cybersecurity seriously enough. A recently published CFO security guide urges CFOs to, among other things, establish insider-threat programs to mitigate the risk of a cyber breach from within, determine cyber liability insurance coverage, and work towards the development of their organisation’s incident response, disaster recovery and business continuity plans.
“Right now, there’s a disconnect between most CFOs and security practitioners when it comes to fortifying the company against cyber attacks,” says CFO of Tenable, Steve Vintz.
That’s got to change, he says.
“By becoming an active member of the security team, rather than just a passive observer, the CFO, along with the CEO and the rest of the C-suite, can significantly reduce revenue leakage through a more focused and effective cyber security technology portfolio.”
And the time is now, because if the potential losses aren’t enough to motivate, leave it to the EU: the far-reaching GDPR carries penalties for non-compliance, with fines of up to €20 million or four percent of the company’s entire annual revenue, whichever is greater. The US is getting serious too – just ask Uber, still hurting from its US$148 data breach fine.
But the message may be getting through. A new report from Grant Thornton says CFOs and senior finance executives are beginning to take a more active role in managing cybersecurity, with 38 percent of CFOs saying they take responsibility for their firms’ cybersecurity.
“CFOs should take on the mantle of cybersecurity, even though their job functions don’t specifically involve it,” says security advisor Alan Levine.
“As well, they should encourage the entirety of the C-suite to follow suit, as a top-down cybersecurity culture that has senior management leading by example can play a significant role in mitigating the risk of social engineering–driven fraud.”
In a rapidly changing business environment, it’s now the CFO’s role to understand the conflict, and the stakes, involved in a company’s IT realities, and to take an active role in managing them. While it might be a bridge too far to say that cybersecurity is now the responsibility of CFOs alone, managing today’s cyber gap – and the security challenges tomorrow will surely bring – will require perhaps unprecedented collaboration between CIO, CISO and CFO.
“A CFO who is sensitised to cyber risk can be a crucial ally to an organisation’s overall cybersecurity posture,” says Levine.
“It really comes down to a willingness to accept cybersecurity as part of the CFO accountability.”