Cybersecurity and the CFO
Cybersecurity and the CFO
CFOs today are increasingly tasked to take on more responsibility for cyber defense strategies.
In May, the massive ransomware attack, WannaCry, infected over 200,000 computer systems in more than 150 countries, and the Cyber Security Agency of Singapore (CSA) estimated that about 500 Singapore IPs were compromised1. Immediately after came the Petya attack, which was described as "more dangerous and intrusive" than WannaCry, having paralyzed computer systems at companies such as A.P. Moller-Maersk, WPP plc, FedEx, Merck and many others2. With cyber criminals employing more sophisticated techniques in their attacks, even corporations with savvy prevention and protection systems are in danger of cyber-attacks.
No longer an IT issue
It’s little wonder that KPMG’s 2017 CEO survey showed that CEOs still consider cybersecurity as one of their top risk concerns. Considering that hardly a day goes by when one does not read about a data or security breach in the papers, cybersecurity can no longer be just the domain of “the IT guy”. Leadership teams need to ensure that people in all parts of their organization understand cyber issues and their impact.
Indeed, cybersecurity is a cross-functional consideration for the 21st century enterprise, and CFOs and finance teams find themselves increasingly asked to take on more responsibilities for organization-wide strategy, including aspects of cybersecurity strategy.
This should not come as a surprise, since the CFO is privy to some of the most sensitive and important (data) information such as strategic plans, revenues, forecasts, investments, proposed mergers and acquisitions, supply chain, and other information that gives their organization a competitive advantage. They are at the nexus of organizational activities and have an overview of which intangible assets create value for their business, and have the responsibility to safeguard these assets, too.
CFO’s role in cybersecurity
CFOs do not need to be cybersecurity experts, but they will need an understanding of what are their critical information assets and where these are residing at all times, how they are secured, who might want to steal them, and how attackers might gain access to them. Information assets, such as customer data and intellectual property, need to be protected. This is especially so if the asset is a critical information asset, providing the company with either a competitive advantage or is considered sensitive to their customers and other stakeholders.
Being more attuned to seeing enterprise-wide risks, CFOs can also assess the viability of the cybersecurity strategy and facilitate its alignment with the business strategy of their organization. Some potential questions to ask are:
- Does your organization have an over-arching cyber readiness strategy that integrates the people, process and technology elements of cyber risk?
- What is the organization’s risk tolerance level?
- What is the most valuable information asset in the business?
- Is the information security budget sufficient?
- What is the financial and reputational impact if normal business operations are interrupted by a cyber-incident?
- What is the cyber incident response plan? When was the last time these were tested?
CFOs looking to shore up their cyber defenses can allocate funds to projects using a risk management-cost benefit model. Many times, it is challenging to convince a company’s board of directors that there is return-on-investment (ROI) for a risk that may not eventuate. But CFOs are in a good position to justify to the board the ROI for cybersecurity investment in a way that is contextually tailored to the value of their data and business operations.
Consider the human element of cybersecurity
In addition to a cybersecurity readiness strategy focused on the people and process aspects, a strong IT security infrastructure is a critical part of any cybersecurity program. Ensuring that systems and networks are sufficiently secured with a breach prevention platform approach is a must. Yet, it may be impossible to fully prepare the organization for unknown cyber threats. Hence, it is not a matter of ‘if’ but ‘when’ a cyber attack will be successful. CFOs can help facilitate a cybersecurity strategy that incorporates investment in new techniques for detection of and response to cyber attacks, in addition to the traditional protection and prevention approach to cybersecurity.
The reality is investing in cybersecurity technology is only one piece of the puzzle – the human element also plays a critical role when it comes to the organization being cyber secure. One effective way to reduce the success of cyber attacks (such as malware delivered through phishing and spear phishing) is to train employees on the receiving end, to recognize what such attacks look like. This is especially important in a function like finance, who has access to sensitive information. Internal phishing drills, for example, could be one way to increase employees’ cyber awareness and train them to spot spear phishing emails, to help reduce the incidence of malware like ransomware being introduced into the organization.
For the 21st century enterprise, cybersecurity is really what makes an organization’s business models operational. A high-quality cyber preparedness program will help keep information safe and secure, and also improve the integrity of that information.
In fact, most CFOs we spoke to recognize that cybersecurity is a core value proposition for organizations to drive customer growth. It is closely tied to customer loyalty and trust as well as innovation. Regardless of business nature, whether an organization is in consumer goods, government services or in telecommunications, every organization today is now a technology- enabled organization. Thus every organization needs to keep a vigilant eye on cybersecurity.
This is part of the ACCA Singapore’s Smart Finance series with KPMG, which will share topics to equip Digital CFOs and help them adapt to changes brought about by the impact of digital disruption.