Cybersecurity and CFOs

  • Share
  • Cybersecurity threats continue to escalate

    The growing number, frequency and impact of cyber attacks have propelled cybersecurity to the top of the CFO and board agendas in recent months. A new normal has been established.

    Today’s cybercriminals are well-funded, organized structures with the patience to infiltrate a company’s systems over time to obtain the information they desire.

    The infiltrators have gone beyond focusing on credit card details. They have long-term strategies, which often mean they are targeting to manipulate a company’s share price, alter a company’s financial data or undertake or interfere with large-scale financial transactions.

    CFOs fully understand that cyber threats are real. They have seen the financial and reputational damage victims have faced. And as the world becomes increasingly digital, the number and severity of these threats will only intensify.

    Cybersecurity is fundamentally about protecting an organization’s shareholder value. CFOs must play a much greater role.

  • The need for a proactive, board-level approach

    The first step toward protecting an organization is to realize that attacks are inevitable. In our 2014 Global Information Security Survey, we discovered that most organizations had only a moderate level of cybersecurity maturity. Instead of anticipating threats and preparing for them, organizations continue to react only when an attack has been detected.

    Cybersecurity should no longer be viewed as an IT-only issue. While the CIO continues to play a crucial role, in the more mature cybersecurity functions, the CFO and board lead discussions on cyber security as a major exposure in the organization’s overall risk management framework. (Read how the CFO and CIO can partner to address cybersecurity.)

  • New avenues of entry

    As businesses become more digital, new avenues of access for cyber criminals to organizations’ assets are being created. Operational technology, for example, represents a major risk that is too often overlooked at the board level.

    Operational technology is not traditional IT software and hardware. It is the systems that underpin operations in many companies, such as those that deliver electricity, move oil and gas or operate assembly lines in some industries.

    These systems often aren’t managed by IT. However, as more devices become connected, the “Internet of Things” has become a major source of risk. The CFO needs to weave operational technology, and other emerging avenues of entry, into the company’s risk management processes.

  • Investing for security

    Our information security survey shows that the amount of investment CFOs are making is not keeping pace with the increasing sophistication of the attacks. Often, CFOs who recognize the risk of inadequate cybersecurity struggle to understand how much capital to allocate, or which investments to prioritize.

    The least mature cybersecurity functions simply allocate a certain percentage of the company’s IT spend to cybersecurity. However, this approach nearly always leaves key assets vulnerable.

    A better approach is to grasp the gravity of the situation – and the speed at which it happens – and work with the board and IT function to define a mature cybersecurity function that protects the company’s key assets and can evolve with time. The CFO should then invest to fill the gap between where the company is now and where it should be. Moving forward, the focus should shift from detection to prevention.

    Creating a mature cybersecurity function starts with a detailed understanding of the organization’s key assets. The CFO needs to be part of the team that decides what those primary assets – or crown jewels – are, recognizing that they will change over time.

    Several questions will help organizations identify their primary assets:

    • What assets would hurt the organization’s day-to-day operations if lost?
    • What assets would result in a loss of consumer confidence if breached?
    • What assets would cause grave reputational harm and dilute shareholder value, if compromised?
  • The CFO’s course to a mature cybersecurity function

    To help create an effective road map to a mature cybersecurity function, CFOs can ask several key questions right now:

    • What is our overall risk tolerance?
    • What is my organization’s current exposure to cyber risk?
    • How does our preparedness compare to our competitors?
    • Is our cyber risk exposure consistent with our risk tolerance?
    • Are there adequate processes in place to prevent, detect, contain and respond to a cyber attack?
    • Do we have a plan for how we will respond to a cyber attack?
    • Have we tested the plan thoroughly so there is no time delay when the breach occurs?

    In today’s 24/7 media cycle, global organizations need a thoroughly tested cyber attack plan that prepares the company to respond no matter where or when the breach occurs. Communication to the media and investors is absolutely critical in the wake of a breach, because it may sway the media and the market’s response, which can impact share price.

    Having a well-planned response as part of the cybersecurity strategy helps give peace of mind to investors and the board of directors and helps the company better control the outcome.

    CFOs need to collaborate with their CIO, the board and cybersecurity experts to be prepared for the first signs of a breach. The plan should include:

    • Regulatory relations
    • Media relations
    • Investor relations
    • IT
    • Risk
    • C-suite
  • Banking and capital markets: prime targets

    All sectors are at risk from cyber attacks. Banking and capital markets, for example, are exposed for two reasons:

    1. Their most precious assets are mostly electronic.
    2. They are information organizations with huge volumes of transactions and communications that are vulnerable to infiltration.

    Cybersecurity for banking and capital markets

    EY - Cybersecurity for banking and capital markets

    Banking and capital markets are among the most exposed to cyber risk. [See a transcript of this video]  

    Banking is a highly regulated industry. The requirements relating to how companies protect the data in their possession is forever tightening in the name of security. That means that in addition to the inherent financial and reputational risks, there are criminal risks for noncompliance.

    The good news is that financial services CFOs are ahead of their peers in other industries when it comes to managing who has access to sensitive data. But the volume of transactions and global reach of today’s consumers and suppliers also makes it easy for cybercriminals to hide the evidence of their attacks. To create and continually update a cybersecurity system that is more sophisticated than the ones the hackers are using, management needs to fully understand the bank’s workflow through the back, middle and front offices.

    While banking and capital markets will always be vulnerable to attacks, acquisitions can render them particularly vulnerable. The only way companies in these industries can identify threats before the damage exposed during an acquisition is too great is by applying data analytics that detect anomalies in the way employees, suppliers and customers behave.

View our latest resources on cybersecurity

EY - Global Information Security Survey 2014 infographic