Date posted: 13/08/2019 8 min read

Cyber and the CFO

Cyberattacks pose a huge financial risk, but are CFOs stepping up as they should to improve cyber resilience?

In Brief

  • A CAANZ and ACCA survey has highlighted worrying gaps in organisational approaches to cybersecurity.
  • Many CFOs are aware of the risk of cyberattacks but lack knowledge around cybersecurity issues.
  • Cyberattacks are a business risk that cannot be left to the IT department alone.

Whenever business and finance leaders are asked what’s keeping them awake at night, cybersecurity is near the top of the list. But is that translating into CFOs taking charge?

Cyber risk has serious financial implications yet, too often, the responsibility for an organisation’s cyber resilience is relegated to the IT department. That needs to change. CFOs need to take a broader view of cybersecurity as a commercial and business-wide risk, as well as a financial one.

Chartered Accountants Australia and New Zealand (CA ANZ), together with our global alliance partner the Association of Chartered Certified Accountants
(ACCA), recently partnered with the Optus Macquarie University Cyber Security Hub to survey CFOs and senior finance leaders about their approach to managing cyber risk. Some of the findings give reason for pause.

Survey highlights gaps in cybersecurity responsibility

More than half (55%) of Australian and New Zealand survey respondents identified cybersecurity as a ‘high’ or ‘very high’ risk to their organisations. Yet 10% didn’t know who within their organisation had day-to-day responsibility at an operational level for cybersecurity.

More than 50% of those surveyed described their personal level of knowledge of cyber risks as ‘average’, which for something classified as a ‘high’ or ‘very high’ risk is interesting. I doubt there would be such a low level of confidence among accountants and finance leaders with other risks, particularly financial risks.

The survey also found that most organisations rely on making sure access to sensitive data is restricted, but that their data is not encrypted. In Australia and New Zealand, only about 35% of respondents ensured their data was systematically encrypted.

About 40% of Australian and New Zealand respondents have been the subject of a cyberattack in the past year, with only 15% reporting they had never been attacked. Small to medium enterprises were more likely than larger organisations to have been subject to an attack. Phishing, malware and data theft are all recognised threats, while ransomware is an emerging form of attack.

There have been many well-documented cyber breaches that came via an organisation’s supply chain. But just 35% of survey respondents conducted assessments of their supply chain either regularly, ad-hoc or when a new supplier contract is supplied. That means a lot of organisations are not paying enough attention to their supply chains.

So what needs to happen to deal with cyberattacks?

Given our message that it’s a matter of when and not if your business will be targeted, many organisations have a lot of gaps in their cyber resilience.

“Given our message that it’s a matter of when and not if your business will be targeted, many organisations have a lot of gaps in their cyber resilience.”
Geraldine Magarey FCA

Cyberattacks are a business and operational risk that cannot be left to IT alone. The risk includes brand and reputational damage, and CFOs need to ensure there is appropriate governance and risk management in place.

Many people forget that a threat may come from internal sources, and those internal risks are more severe than people perceive.

People should also understand how critical data is to their organisations. They need to find, classify and protect their sensitive data. They need to understand where their data is stored, how it is protected and how it is assured.

Finally, supply chains are often misunderstood. This is a big area of importance. Cyber risk is a key component of an integrated supply chain. It is important to evaluate and control risks in the supply chain, and monitor and control devices connected to the corporate network, especially smart devices.

Read more:

Cyber and the CFO, report produced by CA ANZ and ACCA with the Optus Macquarie University Cyber Security Hub.

Why CFOs should take the lead on cybersecurity

Cyber and the CFO, the report produced by CA ANZ and ACCA with the Optus Macquarie University Cyber Security Hub, contains many insights to help finance leaders take the lead on cyber strategy.

Find out more about Cyber and the CFO