Date posted: 30/05/2019

Why CFOs should take the lead on cyber security

Cybercrime is a serious financial issue, and it’s time CFOs played a leading role in their organisation’s cyber security.

In Brief

  • Cybercrime will cost the global economy US$6 trillion by 2021, with companies a major target
  • Despite organisations saying cyber security is a significant threat, 54% of ACCA and CA ANZ members are unaware of attacks
  • CFOs need to use their skills and relations to play a leading role in cyber security

Many CFOs and finance leaders believe cyber security is someone else’s problem, such as operations or IT.

A new report, Cyber and the CFO, by the ACCA and CA ANZ, Macquarie University and Optus, has found that 54% of members surveyed were either not aware of whether their organisation had suffered an attack or thought it had not.

And in just 8% of organisations, the CFO was responsible for the strategic direction of cyber security.

But at the same time, the cost of cybercrime is surging. Research company Cybersecurity Ventures estimates the annual cost of cybercrime to the global economy will double from US$3 trillion in 2015 to a staggering US$6 trillion in 2021.

That makes cybercrime more lucrative than the global trade in all of the major illegal drugs.

Cyber criminals are increasingly targeting companies and organisations, leaving a trail of financial and reputational damage, and many organisations pinpoint cybercrime as one of their most significant threats.

As outlined in the report, if organisations are to successfully manage this threat, there are key reasons for the CFO to step up and play a leading, if not the leading, role in cyber security.

1. Cybercrime is finance

The first reason is that cybercrime is a finance issue.

In its 2018 Data Breach Investigations Report, US telecommunications company Verizon suggested that of the more than 53,000 security incidents it had analysed, 76% of the breaches had been financially motivated.

The damage must also ultimately be measured in financial terms. Only the CFO can quantify and manage the risk of a cyberattack. It is only by quantifying both the cyber risk and the organisation’s risk appetite that the chief executive officer and board can ensure resources are deployed effectively.

The CFO has the skills and the oversight to take a broader and longer-term view of the financial impact of an attack. They can look beyond the immediate issues of data loss and operational disturbance to reputational and regulatory losses and the effect on shareholder value.

2. Data custodians

The CFO is one of an organisation’s key custodians of data. They increasingly assess its value and manage its lifecycle. They are also responsible for some of an organisation’s most sensitive and valuable data, so they have an important role in identifying information that is vital to protect.

3. Highly trusted

The CFO and the finance department are also highly trusted. They can use that trust to promote cyber security within their organisation.

The CFO can discuss cyber security with the board, the wider organisation and outside stakeholders. They can position it as a business and commercial risk that needs to be mitigated.

What’s more, finance also has the skills to oversee audit, inventory, testing and compliance, and will take the lead in assessing and underwriting cyber insurance.

4. In the front line of attack

Finally, the CFO will be on the front line if cyber criminals attack. The target is most often financial data, but also the finance department and its personnel.

After the attack, CFOs will be expected to accurately assess the damage, lead internal reactions, and communicate with stakeholders.

‘Cyber and the CFO’ report

Cyber security is complex, with daunting technology and jargon, and while CFOs don’t need to become technical experts, they have a vital leadership role.

The Cyber and the CFO report provides CFOs with a deeper understanding of the cybercrime challenge their organisations face and a playbook on how they can take the lead.

If CFOs can lead around cyber security, their organisations will be better placed to combat cybercrime and they will add even more value by using their skills in yet another key area.

‘Cyber risk - a business perspective checklist’

How do organisations adopt a business perspective on cyber security?

Based on the Cyber and the CFO report, we have compiled a Cyber Security Checklist that enables boards, leaders and organisations to navigate the risks in a logical and consistent manner.

Download the checklist from My CA and be prepared.

