Managing Cybersecurity Risk: The Role of the CFO

By Fuad Ahmad

According to Cybersecurity Ventures, cybercrime will inflict damages totaling $6 trillion, globally in 2021. Cybercrime costs are projected to increase at an annual rate of 15% over the next 5 years, bringing in more profit to organized crime syndicates than global trade in all illegal drugs.

Cybersecurity Risk: The Scope of the Problem

While the majority of cyber attacks are not made public, recent high-profile incidents have cost U.S. companies dearly in terms of brand equity, consumer confidence as well as financially. The cost of the 2020 SolarWinds breach by Russian security forces is still being assessed. Sony’s 2014 breach by North Korean operatives cost the company an estimated $1.25B, Home Depot’s cost $33m and Target’s cost $162M. Today, managing cybersecurity risk is just one of the more critical elements in managing enterprise risk, and central to the role of the Chief Financial Officer at any company.

Cybersecurity issues have ballooned for companies over the past decade in part, due to the increasing use of mobile devices and smart phones, the expanded use of cloud-based SaaS apps storing personal data, the prevalence of social media and most recently, the “work-from-home” trend fueled by the COVID-19 pandemic. Data is more broadly stored on private and public IT infrastructures, in private and public cloud data centers and on personal computing devices (PCs, laptops, tablets, and smartphones), to say nothing of on IoT (Internet-of-Things) devices from smart speakers (Alexa, Google Assistant) to TVs. Therefore, Cybersecurity risks are pervasive across entire organizations, and creating a strategy for managing cyber is one of the most important elements of any successful enterprise risk management program.

Data protection initiatives at companies must extend across repositories of customer data, employee personal data, company proprietary assets, and intellectual property. Mitigation efforts must include stopping the viewing and manipulation of sensitive data as well as the copying and transmitting (stealing) of it. While email and phone phishing schemes are often the most common focus of cybersecurity risk mitigation, malicious insider activity, code manipulation, and web-based malware and bot risks are also key targets of enterprise risk management programs. Today, companies must move beyond the two-factor email authentication policies of the past and adopt robust cross-functional policies and safeguards which even embrace the programs in place across corporate ecosystems of vendors, suppliers, and third-party partners. In fact, cybersecurity has become a key element for many companies in M&A deals.

The Role of the CFO in Managing Cybersecurity Risks

Chief Financial Officers play a critical role in cyber defense, along with Chief Information Officers, Chief Technology Officers, Compliance and Risk Officers, and increasingly General Counsels and Internal Audit teams. Chief Information Security Officer (CISO) roles are emerging (often reporting to the CFO) at many companies, and HR and Operation teams becoming critical to cyber risk management program rollouts and communications.

And while CFOs may not have direct reporting relationship with CIOs and/or CISOs, they often still find themselves at the center of cybersecurity issues.  Lack of reporting responsibility does not in any way diminish the role of the CFO in developing a strong cyber defense strategy at a company.

CFOs, as partners of the CEOs and board members, are in a unique position to add value when it comes to cybersecurity. They can do this in three essential ways:

• Assessing company risks and vulnerabilities and helping to resource risk mitigation initiatives
• Creating and helping implement an enterprise-wide cybersecurity, integrated policy and program
• Educating and informing the board about risk trends, the company’s risk profile, and cyber mitigation efforts

Assessing Cyber Risks and Resourcing Cybersecurity Programs

As a key advisor to the Board Audit Committee the CFO plays a key role in risk identification, management, and mitigation. CFOs should help CIOs outline the company’s risk profile, identifying specific areas of potential impact based on what types of sensitive data pose exposure risks. They can weigh in on decisions about outsourcing sensitive data storage to third-parties to reduce the company’s risk exposure and insurance policy coverage. And they can also help the CIO cost-justify investments in cybersecurity policies and programs, ensuring that the CEO and board adequately resource these initiatives based on the projected costs (financial, marketing/sales, brand equity, etc.) implied by a cyber breach. Finally, CFOs can also help ensure that the company conducts annual reviews of all security protocols, and regular testing of security procedures at the department level.

Creating a Robust Cybersecurity Defense Plan

A strong cybersecurity program requires a cross-functional line of defense across the enterprise. Many companies have begun to implement Cybersecurity Task Forces and formal Incident Response Plans to begin to institutionalize this cross-functional collaboration around cyber risk management. These initiatives are increasingly focused on both more effective breach detection, as well as how, companies are specifically being targeted by cyber criminals.

IT, Finance, Legal can all play a role in the creation and ongoing finetuning of the cybersecurity program at any company. While the CIO and IT owns the “tools” (data encryption, antivirus program decisions, firewall safeguards, password controls, and mobile device management policies), the CFO and Finance team need to be intimately involved in data protection policy setting and the development of internal controls across the enterprise. The General Counsel and legal team are also critical in ensuring compliance with regulatory and security law privacy requirements.

For startups and emerging companies, this level of resource commitment is challenging to meet, and when customer and other sensitive data is outsourced to third-parties, effective cybersecurity program development gets even more complex. In these situations, CFOs can play an even more important role. CFOs can help scale the cybersecurity development process at smaller enterprises to that organization’s current capabilities and resources. And at larger companies, they can help promote extension of internal cyber control policies to relevant third parties.

Board Advisory Role: Audit Committee

The third area of cybersecurity risk management involves a CFO’s role advising the Board and board committees, especially the Audit Committee. The Audit Committee bears primary responsibility within the enterprise for risk management, ranging from physical risks (fire, flood, earthquakes) to pandemics, regulatory risks, IP management, fraud, and cybersecurity risks. They are responsible for both staying up[to-date on cyber trends and the company’s evolving risk profile, as well as making decisions about investment in cyber protections.

The CFO’s role (together with the CIO) is to help educate the Audit Committee about changing cyber trends and risks as well as ensure that the Committee has all the relevant facts (and projected scenario impacts) necessary to make the best possible cyber investment decisions.

CFOs are also pivotal when it comes to understanding the relationships between business strategy and cybersecurity risk. They must own the business processes which require internal controls related to cyber risk mitigation, and provide oversight to the IT function’s responsibility and accountability for managing these cyber risks. They must also ensure that the organization is set up with a strong internal and external audit capability in case of a breach.

Managing cybersecurity risk has become more imperative and increasingly complex over the past decade. Chief Financial Officers can add significant value to cybersecurity program development and implementation by leveraging their strong cross-functional relationships, their reliance on evidence-based decision making, and their independent mindsets and perspectives at any enterprise – from the smallest to the largest.