Cyber Risk and CFOs: Over-Confidence is Costly

Our CFO cyber security survey has shown that Chief Financial Officers are highly confident in their companies’ abilities to ward off cyber security incidents, despite being somewhat unaware of the cyber vulnerabilities their business faces. Almost 87% of the surveyed executives expressed this confidence, yet 61% of them had suffered at least three significant cyber incidents in the previous 18 months. Moreover, they admitted to being out of the loop: 6 out of 10 were not regularly briefed by the cyber team, and nearly 4 out of 10 had never received such an update, according to the survey conducted by Kroll and studioID of Industry Dive. 

The CFOs also put a price tag on the cyberattacks they had suffered in the previous 18 months: between $10 million and $25 million for about one-third of companies who suffered a significant security incident, and more than $25 million for almost 16% of the companies. It is imperative that CFOs and their finance teams up their involvement in cyber investment, from planning to prevention and response strategies. Failing to do this leaves CFOs out of the loop on cyber issues and threatens the business with significant—and, critically, unexpected—financial consequences.

Next on the list of top causes of significant cyber incidents were attacks arising from a vendor—also known as supply chain attacks—cited by 62% of the survey respondents, and publicly exposed databases, cited by 53%. Insider threats were the source of compromises for 41%.

Despite intense media coverage, organizations seemed to experience ransomware attacks less. Only 33% indicated ransomware as the cause of incidents in the last 18 months, the least of any cyber threat cited.

Wide-Ranging Damages

Companies suffer damage from cyberattacks across a wide spectrum of impact areas.

The survey identified the top financial impact coming from cyber and privacy counsel, followed by vendor costs related to forensic investigations. Next on the list were crisis communications, customer notification and credit monitoring costs, followed by insurance premium increases and ransom payment and negotiation costs as the fifth-most-cited impact.

And even though ransomware wasn’t high on the list of incident causes, CFOs still reported ransom payment and negotiation as one of the highest financial impact drivers.

Other tangible financial impacts cited from cyberattacks include strengthening cyber security following an incident, capital spending for hardware and software, borrowing costs, regulatory penalties, and loss of revenue. Intangible costs cited by the survey were impairment of brand, intellectual property or goodwill; loss of customers; and reputational damage.

Regional Perspective

Of the 180 CFOs, CEOs and other financial executives surveyed – all of whom were involved with quantifying the financial impact of cyber attacks at their companies and with budget oversight or planning for information security – nearly 60% were from North America, 20% from EMEA and 20% from APAC.

Next Steps

Embrace Regulatory Trends to Drive Change

The U.S. Securities and Exchange Commission has proposed rules for publicly traded companies that would amplify CFOs’ role in cyber security. These rules would require reporting of cyber incidents and updates on previous incidents, reporting on policies and procedures to identify and manage cyber risks, reporting boards of directors’ oversight of cyber risk, management’s assessing and managing of cyber risk, and annual reporting on the board’s cyber expertise. The SEC’s focus on cyber security reflects how important this issue has become for shareholders and customers—it is one that CFOs need to pay particular attention to. 

CFOs can turn the SEC requirements and other regulators’ requirements on cyber into more effective management of cyber risk by:

• Building cyber risk assessments—which are required by regulators—into the overall cyber security program
• Ensuring that policies and procedures meet or exceed the minimum standards spelled out by regulations and best practices, and that they are adequately implemented
• Considering the unique requirements of their organization in how it manages data and what controls are in place to protect that data

Join Forces With Your CISO to Build Security “Muscle Memory” in the Organization

As the CISO role increasingly becomes more distinct from the CIO and IT department, a natural alignment should begin to form between the CISO and the CFO. With both concerned about risk, they can work together from both a strategy and investment perspective, as well as find a rhythm for how their combined response would work in an incident. Simulating incidents ahead of time builds the “muscle memory” of incident response, avoiding bureaucracy that could slow operations or risk further damage.

As part of an incident response plan, the CFO should know whom to call, what emergency funds they have available, and what legal steps they need to take when an incident occurs. For example, if a ransomware payment is necessary, it will lead to significant financial, legal and risk considerations for the business that should be well thought-out ahead of time. There are also practical questions to consider, such as the need for a cryptocurrency account or third-party engagement.

Align Information Security to Key Business Metrics

CFOs can help CISOs navigate the financial risks of cyber while meeting key business metrics such as profit margin and operational efficiency. Part of the CFO’s cyber responsibilities lie in measuring the financial impact of potential and actual cyber incidents. Besides the costs of money or stolen data, response, restoration and recovery costs need to be considered, as well as the funds needed to improve cyber resilience for the future. There are also further losses to incorporate around reputation, customer attrition and company value.

With the tactical response underway, the CFO can keep an eye on wider business goals, with a sense of what “good” looks like in terms of the financial overhead of an incident response. 

Conclusion

As cyber security takes on more importance for a company—impacting operations, revenue and costs, reputation, and company value—so does the financial risk of cyberattacks. Judging by the survey results, CFOs are out of the loop when it comes to cyber planning. To engage, they need to participate at multiple levels, from tabletop exercises for simulated cyberattacks to close coordination with CISOs in advising and participating in audit and risk committees at the board level. Cyber risks and their consequences are ever evolving, and CFOs’ understanding of them must be as well. 

At a time when cyberattacks are rife and continue to cause millions of dollars in costs while shaving off company value, failing to become involved in cyber security would be a misstep by the CFO, one that needs to be rectified fast.

Methodology

studioID of Industry Dive, in partnership with Kroll, surveyed senior finance executives to determine how cyber security is impacting finance at their organization. More specifically, we asked 180 finance leaders across industries about their confidence in their organization’s ability to detect and respond to cyber incidents, how many cyber incidents they’ve encountered, and the impacts, both tangible and intangible, of these incidents on their organization.

Source
¹https://www.wsj.com/articles/tech-chiefs-plan-to-boost-cybersecurity-spending-11577701802