Americas CFO Hot Topics


  • Share

Cybersecurity demands the attention of more than just the CIO, because it’s more than “just a technology issue.” Your company is not impervious to attack – it probably already has been hacked. Cybersecurity poses broad risks, and countering it requires a broad perspective.

Why should CFOs care?

CFOs are in the unique position to help their organizations understand what most needs protecting. Obviously you need to safeguard money, business deals and trade secrets. But some targets – “trophies” in the eyes of adversaries – are less obvious.

An executive’s inbox for instance. Items not locked up in the trophy case may already be locked in a hacker’s crosshairs.

CFOs should concern themselves with:

  1. Understanding that you’re already compromised
  2. Taking a risk-based approach to protecting your key assets
  3. Listening for and resolving compromises ASAP
  4. Implementing and adhering to a forensically sound plan that responds to the events of cyber breaches

Cybersecurity – find out more

EY - CFOs and cybersecurity

A CFO's role to detect and mitigate cyber breaches.
[See a transcript of this video]

Think like a bad guy

To protect your trophies, define them. If you were a nation-state, rival company or hacktivist, what would you love to get your hands on? Now convey that threat to your organization and ensure everyone is listening for cyber breaches. The more awareness throughout your organization, the better everyone can protect it.

That awareness works both ways: as the CFO, be aware of how your organization works. For companies that have survived cyber-attacks, executives commonly regret not knowing more about internal business workings. Had they, they could have better protected assets, adding complications and controls where needed.

Once breached, shore up the defenses and ensure the same cyber-attack isn’t repeated. CFOs should ensure cyber-issues are tracked and patterns sought. When something comes up on the radar, have the right people positioned for involvement – HR, finance, systems, IT, training – whoever plays a part in mitigating cyber threats.

Look within your walls

Consider this: most organizations are already compromised. Start there, and center your cyber-defenses on that fact. Now consider this: threats will always exist and constantly evolve.

Cyberthreats aren’t a fiscal cliff to avoid or a deficit to dig your way out of, they come from where you’d least expect – a maverick insider perhaps. With 25% of employees having inappropriate security access, the temptation exists. Even with an acquired company – advantageous on the surface – you’re inheriting its cyber-risks.

While everyone takes a place along the wall, it’s up to the CFO and the board to lead the defensive. Leadership must set the risk profile and determine the degree of risk that the organization is willing to absorb.

Build cybersecurity and appropriate, effective forensic procedures to help identify potential cyber fraud into the organization from the beginning.

View our latest resources on cybersecurity services