Next Steps
Embrace Regulatory Trends to Drive Change
The U.S. Securities and Exchange Commission has proposed rules for publicly traded companies that would expand the CFO’s role in cyber security. The proposed rules would require disclosure of material cyber incidents and updates on previously reported incidents; disclosure of the policies and procedures used to identify and manage cyber risk; disclosure of the board’s oversight of cyber risk and of management’s role in assessing and managing it; and annual disclosure of the board’s cyber security expertise. The SEC’s focus on cyber security reflects how important the issue has become to shareholders and customers, and it is one CFOs need to pay particular attention to.
CFOs can turn the SEC requirements and other regulators’ requirements on cyber into more effective management of cyber risk by:
- Building the cyber risk assessments that regulators require into the overall cyber security program, rather than running them as a separate compliance exercise
- Ensuring that policies and procedures meet or exceed the minimum standards set out by regulations and best practices, and that they are actually implemented and followed, not just documented
- Accounting for the organization’s particular circumstances: how it handles data, and which controls are in place to protect that data
Join Forces With Your CISO to Build Security “Muscle Memory” in the Organization
As the CISO role becomes more distinct from the CIO and the IT department, a natural alignment should form between the CISO and the CFO. Both are concerned with risk, so they can work together on strategy and investment, and agree ahead of time on how their combined response would work in an incident. Simulating incidents before they happen builds the “muscle memory” of incident response and avoids bureaucracy that could slow operations or risk further damage during a real one.
As part of the incident response plan, the CFO should know whom to call, what emergency funds are available and what legal steps must be taken when an incident occurs. For example, if a ransomware payment is being considered, it raises significant financial, legal and risk questions for the business, including whether paying a particular actor is lawful at all, and these should be thought through ahead of time rather than under pressure. There are also practical questions, such as whether the company needs a cryptocurrency account or a third party to handle negotiation and payment.
Align Information Security to Key Business Metrics
CFOs can help CISOs navigate the financial risks of cyber while still meeting key business metrics such as profit margin and operational efficiency. Part of the CFO’s cyber responsibility is measuring the financial impact of potential and actual cyber incidents. Beyond direct losses, such as stolen funds or data, this includes response, restoration and recovery costs, as well as the investment needed to improve cyber resilience afterward. Further losses around reputation, customer attrition and company value also need to be incorporated.
With the tactical response underway, the CFO can keep an eye on wider business goals, with a sense of what “good” looks like in terms of the financial overhead of an incident response.
Conclusion
As cyber security takes on more importance for a company, affecting operations, revenue and costs, reputation, and company value, so does the financial risk of cyberattacks. Judging by the survey results, CFOs are out of the loop when it comes to cyber planning. To engage, they need to participate at multiple levels: tabletop exercises that simulate cyberattacks, close coordination with the CISO, and advising and participating in audit and risk committees at board level. Cyber risks and their consequences are constantly evolving, and CFOs’ understanding of them must evolve with them.
At a time when cyberattacks are rife and continue to cause millions of dollars in costs while shaving off company value, failing to become involved in cyber security would be a misstep by the CFO, one that needs to be rectified fast.
Methodology
studioID of Industry Dive, in partnership with Kroll, surveyed senior finance executives to determine how cyber security is affecting finance at their organizations. More specifically, we asked 180 finance leaders across industries about their confidence in their organization’s ability to detect and respond to cyber incidents, how many cyber incidents they have encountered, and the impacts, both tangible and intangible, of those incidents on their organization.