CFOs are now also cybersecurity custodians
29 September 2017
Although many aspects of cybersecurity are rooted in technology, a change in understanding is emerging that finance executives' expertise adds great value to an organisation’s cybersecurity strategy, as they view it from a business ownership angle, integrating risk management, ERP, compliance, reporting, valuation and business continuity.
On the occasion of October Cybersecurity Awareness Month 2017, BDO lists these 5 key levels of finance executives’ strategic engagement with cybersecurity:
- Compliance – since the financial crisis, far-reaching compliance rules have emerged. Mandatory breach reporting followed, now affecting both US and European organisations. Cybersecurity compliance oversight naturally engages the chief compliance officer, who is usually located in the finance department. In mid-market companies where roles are combined, it may be the finance manager who finds cyber compliance within his or her remit
- Valuation – on top of legal, insurance and technology costs, cyber incidents cause reputation damage. This affects valuation, jeopardising a company’s position in M&A negotiations. The finance manager engaged in deal making will leverage their cybersecurity knowledge to estimate the value of an organisation’s cyber defences, as well as the impact of a breach on overall valuation
- Partners and vendors - cyber supply chain risks require a coordinated effort to address because they touch sourcing, vendor management, supply chain continuity and quality, transportation security and many other functions – all of which intersect inside the finance department
- Risk - risk managers manage the risk to the organisation, its employees, clients, reputation, assets and the interests of stakeholders. Converging with operational risk, cyber risk has made its way to the desk of the corporate treasurer. She or he becomes a key factor in an effective and holistic cyber risk defence programme, evaluating cyber risk exposure and ensuring adequate cyber insurance coverage for non-remediated risks
- Reporting - cybersecurity reports for the board of directors are typically jargon-filled reports. Next to this, audit committees typically interact with CFOs, controllers, accountants and auditors. A complicating factor is that responsibility for protecting digital assets is distributed over various roles within an organisation and even external service providers. In the absence of a dedicated CIO, audit committees benefit from contact with a business owner to assess cybersecurity. Finance executives make for natural cyber owners as they are capable of addressing committees in the language they are most used to: financial.
Gregory Garrett, Head of International Cybersecurity, adds: “It’s not surprising that many organisations feel overwhelmed; after all, they must now comply with several new requirements on top of the numerous industry-specific and international standards, such as ISO 27001. We are witnessing a significant crisis in the implementation of cybersecurity information governance, risk management and compliance (iGRC) requirements. The recruiting, staffing, training and retention of cybersecurity talent is a significant challenge for nearly every organization. The global shortage of experienced cybersecurity professionals is expected to increase over the next three to five years. Thus, the need for finance, risk and compliance management professionals in public and private organizations, especially small to mid-sized companies, to step up and take ownership of the growing investments required in cybersecurity.”
Cooperation is a cybersecurity cornerstone. Breaches impacting people, processes and technology, IT and finance executives have to work together getting systems back online, but also writing to regulators, investors, filing insurance claims and compensating losses.
BDO’s cybersecurity expertise can be invaluable to organisations in search of reassurance in cyber matters. As a network, the experts in our firms are known for listening carefully and delivering tailored solutions in the form of the right advisory services for any one company.