What today’s CFOs need to know about cyber risk
Cyber risks are financial risks, so today’s CFOs should see working with IT on a cybersecurity strategy as part of the job.
In Brief
- Cyberattacks have financial impacts, so CFOs must be engaged with cybersecurity strategies.
- Business impacts of a successful cyberattack may include financial loss, denial of service, and ongoing reputation and brand damage.
- The CFO’s role should include quantifying the financial and reputational impact of cyber risks to the board and ensuring that counter measures are appropriate and cost effective.
Story Beverley Head
Photo Nic Walker
If you’re a finance leader who thinks cyber risk is someone else’s problem – probably the IT department’s – it’s time for an urgent rethink. Examining the entrails of 53,000 global cyber incidents in 2018, global communications technology and security specialist Verizon determined that 76% were financially motivated.
The truth is that every cyber breach costs money, but a recent report reveals CFOs are currently way down the executive pecking order in terms of who sets the direction for cyber strategy.
The Cyber and the CFO report, from the Association of Chartered Certified Accountants (ACCA) and Chartered Accountants Australia and New Zealand (CA ANZ), reveals that only 8% of CFOs are involved in cybersecurity strategy, despite cybersecurity being essentially a business risk. [The CEO tops the list at 28% for setting cybersecurity strategies, then chief information security officer (CISO) 18%, IT manager 13%, and chief information officer (CIO) 11%.]
The report, based on a survey of more than 1500 members globally in October 2018, also found that a full 10% of survey respondents didn’t know who in their organisation was responsible for cybersecurity. Most weren’t even sure if their business had suffered a data breach.
Cyber and the CFO melds the survey results with analysis by the Optus Macquarie University Cyber Security Hub and the latest cybersecurity literature.
“CFOs need to understand that their organisations are under attack all the time and it is vital that they are kept informed about this,” the report warns.
That doesn’t mean CFOs have to become tech experts. But they do need to show leadership on cybersecurity spending and governance decisions related to it.
“I’m not technical at all – I struggle to get to grips with this stuff, even the experts struggle,” says Macquarie University CFO Robin Payne. His advice to other finance leaders is to “get with your CIO or someone who is tech savvy and get them to explain what is going on in layman’s terms.”
“Get with your CIO or someone who is tech savvy and get them to explain what is going on in layman’s terms.”
Instead of trying to understand the technicalities of how a cyber incident could arise, Payne recommends CFOs concentrate on its potential impacts.
Formerly CFO of NBN Co, which is responsible for Australia’s national broadband network, Payne has an acute understanding of the ups and downs of a hyper-connected world. He stresses that no CFO can afford to ignore cybersecurity.
“Even if some of the cyber threats are not financial in the first instance, they nearly always end up having a financial impact somewhere along the line.
“Direct financial threats – cyber fraud and so on – those clearly fall under the CFO’s sphere of influence, but [while] a denial of service might not have an immediate direct effect it certainly has an indirect one.”
What is a whole-of-enterprise approach to cybersecurity?
Robin Payne, Macquarie University CFO, in the data centre.
While Payne acknowledges the need for CFO engagement in the cybersecurity issue, he stresses that all employees need to be trained and engaged.
“The CIO and CFO are front and centre, but this needs a whole-of-organisation approach. Part of my role as CFO – and it’s a hard one – is making sure you are putting enough resources into countering the threat because it is such an amorphous mass it is hard to get your arms around,” he says. “It’s hard to compare what we do with what some of our peers in the sector do, let alone completely different organisations.”
CFOs need to be on the front foot in terms of ensuring stakeholders – including vendors, customers and clients – are notified in the event of an incident.
“There also needs to be a lot of effort on the technical side which sits in the IT domain in terms of making sure firewalls are up to date, and that there are sweeps of licences to make sure no-one is working off old systems that don’t have proper encryption.
“And a lot around training – we do quite a lot in my finance team, using online training to make sure people are aware of the threats and what they should do in the event something happens to try to raise awareness.”
Payne adds that CFOs need to be alive to the security implications of digital transformation. For example, Macquarie University is moving away from running its own data centres to using cloud computing. But that doesn’t allow a company to abdicate its cyber responsibilities. A 2018 report by cybersecurity firm McAfee revealed that one in four enterprises had endured some form of data theft from a public cloud.
How to build a cyber-aware culture amongst CFOs
Ernest Stabek FCA, the principal of SIP Management Consultants, works closely with C-suite executives. He says cyber risk “comes up in conversations every day” and notes the knowledge of his clients “varies dramatically”.
He believes many CFOs lack the information and insight they need to take a greater role in cyber protection, then fall victim to the “cyber wash” peddled by some security vendors who suggest the more money thrown at technology protection the safer a business will be.
Technology solutions alone can never entirely protect an organisation; there needs to be a combination of technical products, education, cyber-aware culture and good governance. That combination cannot be delivered by a single functional silo – it requires concerted horizontal effort across the business.
“What I have found historically is that the larger organisations overtly focus on technology solutions rather than looking at this from a business perspective.
“The smaller ones really don’t know what to do but they may have a trusted IT technology adviser and the smart ones are doing back-ups frequently [to offer some protection against ransomware attacks],” says Stabek.
“My mission over the last decade has been to get CFOs to engage more with CIOs and get both of them to crack the language barrier. This needs plain language and to get the CIO to talk about business models and fiscal connections.”
That could extend to business interruption, brand and reputational damage, suspension from the share market, the cost of business remediation and the risk, down the track, of class actions.
Raise cyber risk at board level
Cyber risk needs to be accounted for on the corporate risk register. “The key success factor is being able to broker the conversation so that a fiscal value can be attributed to that cyber risk,” Stabek says. Yes, it’s hard to quantify – but even a ranging shot will ensure the attention of the board, the CFO and the broader C-suite.
Wherever the cyber threat emerges, the CFO needs to assess if it makes sense to transfer some risk through cyber insurance. Payne says Macquarie University bought cyber insurance for the first time this year.
Many organisations take out cyber insurance only after they suffer an incident; 83% have no cyber insurance.
It is a relatively new insurance product, and the range of coverage is broad. For many enterprises only the CFO or senior finance and risk professionals will have the expertise to assess properly the value of cyber insurance.
A key finding of Cyber and the CFO is that: “Good cyber risk management begins with boards recognising that cybersecurity is primarily a business risk and the CFO is the best person to help quantify the financial and reputational impact of that risk and ensure that counter measures are appropriate and cost effective.
“Too many organisations approach cybersecurity from a tactical threat-based level rather than seeing it as a strategic risk. As a result, regular and incident-based reporting often fails to reach board level.”
Cybersecurity breaches are growing
According to Payne, “Anything you encourage to be done as a CFO that protects data and the financial security of your organisation has to be good in some shape or form. Companies that get this wrong will be punished in the future. If you are known as a company that is doing this right, that will have a benefit for you.”
It is crucial CFOs and finance leaders play a greater role in cybersecurity given the huge costs involved.
Research from professional services company Accenture and the Ponemon Institute, which conducts independent research on data protection and emerging information technologies, reveals that Australian organisations experienced an 18% increase in the number of security breaches in 2018 compared with the previous year. It also shows that Australian businesses bumped up annual security spending by 26% to US$6.9 billion, and that an average ransomware attack – where a hacker holds a company’s data hostage until a ransom is paid – typically costs US$89,000 to recover from.
In addition to local reporting obligations, organisations that hold any form of personal data about European citizens
- employees or customers, for example
- are subject to Europe’s General Data Protection Regulation (GDPR), which can impose enormous penalties for noncompliance that amount to 4% of revenue or €20 million.
But penalties can be the least of the financial costs.
“There is undeniable proof of the cost of data breaches – worldwide, in recent cases like [credit bureau] Equifax and [airline] Cathay Pacific. In Australia, the recent fund management company Landmark White data breach was linked to suspensions of trading and a drop in share price and profits,” says Australian Information Commissioner Angelene Falk.
What is the ‘three lines of defence’ approach?
Callum Hey CA is chair of the CA ANZ Forensic Accounting Special Interest Group for New Zealand and works as a technology risk manager for a major bank.He recommends a “three lines of defence” approach, mixing operational considerations such as systems and processes, crafting cyber-aware policy frameworks and maintaining rigorous internal audits.
Cyber protection is, he says, “about stopping bad guys getting in and, on the other side, dealing with the aftermath when they did.”
“The impact and consequence of a cybersecurity breach is inherently financial,” he adds. “If it wasn’t, fraudsters wouldn’t do it. There are only two reasons that they do it – need and greed. And both of those are financially motivated.
“I would suggest it is quite naïve to say we are going to separate cyber-related crime from the financial impact. It might be that it is not even direct financial impact in terms of hard money dollars paid out, but damage to the environment that requires remediation.
“Somewhere along the line there is a financial impact, whether it’s the cost of buying new equipment or the cost of a consultant or recovering data, business continuity, disaster recovery. One way or another there is cost there.”
Hey says businesses need to invest in educating employees, partners and customers about cyber risk.
“As much as you build these things in, there is a trade-off between your level
of control and the customer experience,” he observes.
“I have always said the surest way to stop all these attacks is to pull out the plug and lock the doors, but then you have no business. You need a balance. How much do you want to tie the environment down versus how much you allow people to engage with you?”
“I have always said the surest way to stop all these attacks is to pull out the plug and lock the doors, but then you have no business.”
Cyber-risk management frameworks
Hey favours good risk management frameworks that are able to assess the probability and impact of a cyber incident, determine where the greatest impact might be felt, the potential quantum of financial harm, and the risk of reputational or regulatory harm.
“From the CFO’s point of view, even if the impact [of a cyber incident] is deemed low in the regulatory sense, you are still going to have to pay for lawyers to answer regulators’ questions and pay for your staff who are taken off normal tasks to remediate theft, and you might still have to pay money to the scammers.”
Hey believes CFOs these days need to understand the financial correlations to cyber incidents.
“You might not have lost money but there may be other costs associated. It could be that there is reputational harm – you got into the media and maybe your sales take a hit because all of a sudden you are not seen as such a trusted stakeholder or business partner. For the CFO these have real impacts on the budget,” he warns.
Hey also stresses the role the CFO needs to play in explaining to the board why the company needs to invest in security technology, in cyber education, in cyber insurance – articulating clearly the risks being addressed.
More effort is needed by CFOs
Professor Philomena Leung CA FCCA.
And the risks are enormous warns Professor Philomena Leung CA FCCA, associate dean of international engagement at Macquarie Business School, and former head of accounting at Macquarie and Deakin universities.
She’s clear about the extent of the cyber threat to enterprise. “The threat is very big – I cannot emphasise it more,” she says. Enterprises, complex supply chains often built up from small and medium businesses, government and foreign policy, even not-for-profits all rely on the integrity of information for sensible decision-making. If that information is not available or is compromised, then risk is dramatically elevated.
“The threat is very big – I cannot emphasise it more.”
CFOs need to remain vigilant about the data presented to them for decision-making and constantly question and test its integrity. Compromised data looks like real data – but does it smell right?
From this vantage point – rather than considering cyber threats through a purely technical lens – it is clear the critical role that the CFO needs to play in terms of safeguarding the business.
“We need them to open their mindsets and approaches in looking at risks embedded in any part of the organisation that may be presenting itself as a cyber threat,” says Leung.
This extends, she says, to policies around human resources, data and the security of information being used, storage of data, and soliciting suppliers and customer credibility for the supply chain and information providers – all of which come under the purview of the CFO.
Being prepared is mandatory if businesses are to weather a cyber breach, but currently Professor Leung grades most Australian enterprises with a mere pass mark for their approach to cybersecurity – and warns that without a significant effort few can expect even a credit any time soon.
Figure 1. Crypto JackingClick image to enlarge. Source: Cyber and the CFO.
Figure 2. Denial of Service AttackClick image to enlarge. Source: Cyber and the CFO.
Figure 3. Phishing AttackClick image to enlarge. Source: Cyber and the CFO.
Figure 4. Malware Infection SymptomsClick image to enlarge. Source: Cyber and the CFO.
Figure 5. Example of Ransomware ThreatClick image to enlarge. Source: Cyber and the CFO.
Figure 6. Zero-Day Attack TimelineClick image to enlarge. Source: Cyber and the CFO.
Read more:
Why CFOs should take the lead on cyber security
Cyber and the CFO, the report produced by CA ANZ and ACCA with the Optus Macquarie University Cyber Security Hub, contains many insights to help finance leaders take the lead on cyber strategy.
Download the report, cyber security checklists and moreFeeling inspired and wanting to excel?
Update your Leadership, IT and Communications, Risk Management, or Strategy skills with our range of CPD products.
Visit our education store