The CFO and cyber security: Staying resilient in the age of digital

By Vineet Khurana, Chief Financial Officer, IBM UK & Ireland

Data is the new national resource and is increasingly becoming one of the most important assets for many organisations.  With this being the case, CFOs must actively think about data, and data security, as their department manages some of the most sensitive information that exists.  In this increasingly digitally connected world, data is an attractive currency for cyber criminals.  CFOs must view data security as part of the holistic risk picture for the organisation.

More and more, the CFO is starting to play an important role in advising other board members on the possible financial impact of a data breach, ensuring that sufficient funds are allocated for preventing and containing potential incidents.  To do this effectively, CFOs require increased knowledge of how cyber threats are managed, as well as an understanding of cyber security risk, and that means working much more closely with security experts.

Understanding cyber security risk

To better understand the security risks facing their organisations, CFOs should work with security experts to assess the company’s most valuable digital assets, the breadth of access to these assets and the infrastructure supporting them.  This analysis will help the CFO when allocating funds for cybersecurity activities.

By understanding how data assets are linked to different systems, suppliers, external stakeholders and employees within the organisation, the CFO gets a clearer picture of the cybersecurity posture for that company.  Historically, CFOs haven’t had a clear view of cyber risk, which includes breach management, and that has made decision making a challenge when it comes to financial planning for cyber security.

IBM surveyed over 700 C-level executives on cybersecurity and found that many business leaders are confused about the true nature of cybersecurity threats and how to effectively combat them.

While cyber security was viewed as a top concern by 68% of CXOs, the study revealed that executives within finance, HR and marketing felt the least engaged in cyber security threat management activities, despite being responsible for some of the most sensitive data within the organisation.  This disconnect has to be addressed if organisations are to get better at bringing down the cost of cybercrime.  Greater trust will be required across all teams, with companies investing in training their employees in the language of cyber security.

Know your cyber defence

CFOs can start to become more curious and ask questions about how the company data is encrypted, where the encryption keys are stored and what existing policies and systems govern access to sensitive information.  For example, CFOs will want to know that the organisation has put in place security measures that prevent external hardware, such as guests’ laptops, from reaching parts of the company network that should not be accessible.

Businesses will have to be mindful of the General Data Protection Regulation (GDPR), which comes into force on May 25.  Companies will encounter new requirements for processing and handling data. There will also be a significant change in potential penalties with fines of up to €20 million, or 4% of total annual turnover of the preceding financial year, whichever is higher.

Digital commerce, coupled with the way organisations are held accountable for their data management, will force spending on cyber security to become much more of a boardroom priority.

Assess the financial impact of a breach

When looking at budget planning, it is important for CFOs to assess the potential financial impact of a security incident.  Many organisations spend capital and resources on breach prevention and put less emphasis on breach detection and containment. The majority of the costs associated with a data breach can be dramatically reduced by improving the speed and effectiveness of response to cyber incidents.

IBM’s study into the financial impact of cyber crime revealed that the average total cost of a data breach in the UK is approximately £2.5 million. The findings of the study suggest that the cost of data breaches is linearly related to the time it takes to identify and contain the breach. The data also revealed that the mean time for identifying a data breach is around 200 days.

The gap between breach occurrence and detection exposes organisations to significant risks. To be able to evaluate the financial impact, CFOs require an understanding of what processes the business has in place in order to detect a breach and minimise the scope and scale of a potential attack.

Collaborate to combat cyber threats

Cybersecurity requires a symbiotic relationship between the CFO and security leaders.  As the CFO gets closer to the security team, a clearer picture of the direct and indirect costs associated with building a cyber security strategy becomes much more visible.  Think for a moment about the potential direct costs for audit and consulting services, legal and compliance advice, compensation to victims of a breach, as well as losses resulting from potential customer churn.

Indirect costs will also have to be accounted for such as time, organisational resources required to contain a breach, reputational damage and lost business opportunities. CFOs will need to decide on investment in technology, training and resource planning to ensure the business is ready if impacted by a breach.

To fully understand the impact of a security breach, it is vital for CFOs to work in collaboration with the rest of the board, the IT department and the security team.  There is evidence to suggest that the organisations which are most successful in effectively combatting cyber threats are those that foster stronger collaboration across the business.

We have seen some very real examples of the cost to business, and society, when organisations are impacted by cyberattacks, with the WannaCry and Petya ransomware attacks causing notable damage in the UK.

What continues to be alarming is that businesses are not prepared for, or responding to, cyberattacks in a timely manner.  Only 25% have an incident response plan applied consistently across the organisation, and 23% have no incident response plan at all.  66% cite a lack of planning as their organisation’s biggest barrier to becoming resilient to cyberattacks.

With a clear and integrated cybersecurity strategy in place, where all lines of business have responsibility for that plan, cyber incidents have a better chance of being quickly shut down, therefore, reducing the financial and reputational impact to an organisation.