The Chief Financial Officer
A Chief Financial Officer (CFO) recently enrolled in both CyberVista’s latest Board and Executive training seminar and in CyberVista’s Certified Information Systems Security Professional (CISSP®) certification preparation course. Why? Because a CFO’s title doesn’t reflect all of his/her responsibilities. CFOs are charged with more than just finance. CFOs’ purview includes risk management, human resources, and board relationships. But what about security? Should a CFO serve a security function? As our CFO student recognized, yes. Yes. A thousand times, yes.
The CFO is well suited to understand and manage financial risk from an enterprise risk management (ERM) perspective. Evaluating cybersecurity from an ERM perspective is a leading practice. The CFO is best positioned to bring business context to the cyber conversation. Some of the most sensitive data an organization holds – its revenues, investments, acquisition targets, and financial planning – falls under CFO management. If this sensitive data were compromised, the consequences could be severely damaging. Further, the costs of a major cyber incident can be overwhelming and unexpected. As an example, financial losses incurred from payment system downtime, large remediation costs, and loss of customer loyalty can all eat away at the bottom line of the business. CFOs need to understand those potential outcomes and help plan the mitigations for them.
For perspective, according to a 2016 study from the Ponemon Institute, the average cost of a data breach in the U.S. exceeded $7 million. The fallout is costly too. The average revenue lost for a business following a data breach is nearly $4 million. Cybersecurity should be a CFO priority.
M&A Due Diligence
Is your company growing via acquisition or even considering acquiring an existing company? Maybe your organization is being acquired. Are you prepared to speak specifically to the security of your data, cybersecurity processes, and procedures, or to those of the new partner organization? In any case, CFOs play a leading role in any M&A process and cybersecurity must be a consideration. During the due diligence process, a CFO should be thinking about cybersecurity as a key business risk. Important questions to ask include:
- What is the threat landscape of our new partner organization?
- How will this acquisition affect my company’s attack surface?
- How does this new organization manage data?
- Who are the third parties associated with this organization and how might their attack surface affect ours?
CFO’s Cybersecurity Checklist
The job of a CFO isn’t all dollars and cents—it’s also about sense. The sense to make important risk decisions with the right inputs and data. A cybersecurity checklist will help put you on the path. Where are you and your organization on the spectrum of readiness?
▢ Participate in cybersecurity training with your C-suite; collaboration and practice are key elements of cyber resilience.
▢ Partner with the rest of the C-suite to ensure you agree on your organization’s crown jewels – what needs to be protected at all costs.
▢ Partner with your Chief Information Security Officer to understand the financial needs of the security team – including the need for staff training and professional development, not just technology solutions.
▢ Evaluate the effect of a cyber crisis on all parts of the business – this helps you limit your exposure and make good decisions about protecting your crown jewels.
▢ Be prepared and ensure you are part of the planning and practice of an incident response plan.
▢ Determine your insurance needs, know your insurance policy, and decide whether filing a claim makes sense for a given incident.
▢ Anticipate providing protection services to those affected by the incident.
▢ Fulfill your fiduciary duties throughout the incident response.
▢ Plan for shareholder, vendor, and investor communications and data management.
For the CFO, organizational cybersecurity resiliency starts with financial and organizational planning, which includes partnering with the rest of the C-suite. Every executive needs to participate in training together. Cybersecurity is an enterprise risk and it takes enterprise engagement that starts at the top.
If you’re a CFO and want to learn how you can lead and help ensure the cyber resilience of your organization, join us at our next Cyber Resolve seminar in NYC on May 1. Prefer private training for your executive team or board? Contact us. We do that, too.