With the proliferation of cyber attacks in all industries, organizations are beginning to grasp the growing significance of cyber risk and how this is an integral part of protecting and maintaining an efficient business. Ransomware is the single biggest cyber threat to global businesses; in fact, during the first half of 2022 alone, there were a total of 236.1 million cases of ransomware, which reflects the immense risk to which companies of all sizes are exposed. Digital transformation is only increasing the risk associated with cyber failures.
Typically, the expectation has been that chief information security officers (CISOs) are solely responsible for protecting the entire asset base and ensuring that all security needs are met. However, chief financial officers (CFOs) are just as vital to managing cyber risk, which is now inherently also business risk.
Given their visibility into every business unit, CFOs are assuming new strategic roles. As such, they are tasked with guiding the growth of their companies while also driving digital transformation and running the finance function. To do so efficiently and safely, however, they must be aware of where their cyber risk lies and how to manage it.
The distributed workforce and hybrid working model have contributed to the expansion of the threat landscape, and defenders still struggle to keep pace. For leaders to properly secure their businesses and have robust systems in place, they must include financial advisors and CFOs in conversations around ransomware and cybersecurity, or risk not being adequately prepared. This is because cybersecurity now touches all aspects of a business; the responsibility to protect the organization no longer solely lies with the security teams.
Using FAIR™ (Factor Analysis of Information Risk), the international model designed to measure information security and operational risk, information security teams can quantify cyber risk in financial terms. As a result, they can convey risk to business leaders in a way that is both understandable and impactful: in specific dollar amounts. In doing so, CISOs and CFOs can collaborate more effectively as they factor cyber risk into their budgets. They must ask themselves whether they are investing in the most cost-effective ways to reduce risk and better protect the organization as a whole.
How reporting has changed
Financial regulators, too, are beginning to take cybersecurity more seriously, viewing it as more of a strategic priority. In the U.S. in particular, the SEC recently proposed amendments to its original rules around cybersecurity risk management, under which companies are expected to evaluate their existing cyber policies and procedures.
According to those guidelines, businesses would have four days to report material cyber incidents, would have to provide more in-depth company reports, and would have to file cyber risk reports regularly. As the CFO is responsible for disclosures of material interest, it is vital that they are aware of all regulatory standards with which they must comply, as well as the risk to which they have been exposed. Cybersecurity standards and reporting requirements vary from country to country, and, in the U.S., from state to state, and they continue to evolve.
The new regulations also call for organizations to outline how cybersecurity is part of their business strategy and financial plan, and what role their boards play in securing the company against cyber threats. CFOs, CISOs, security teams and C-suite executives will need to work together actively, not only to adhere to the new rules but also to ensure their business is protected from significant threats such as ransomware and data breaches.
The importance of the CFO
The CFO is vital to determining whether certain cybersecurity incidents will become material and affect the business more seriously. They must also report on the financial analysis of cyber incidents to those responsible for review and remediation, such as IT teams, the board, and C-suite executives. More importantly, CFOs play a vital role in disclosing any concerns about risk management policies and any cybersecurity risk that is not accounted for in the original budgets.
The CFO’s expertise and input are crucial in ensuring that the organization’s cybersecurity capabilities align with the overall business strategy. This is only truly possible if a business is quantifying its cyber risk by following a risk quantification model such as the FAIR standard. By placing a monetary value on the risk to which an organization is exposed, the CFO can support C-suite executives and business leaders in making vital decisions to help secure the business.
The CFO’s insight is critical across many areas of cybersecurity including:
- Ransomware: The CFO is responsible for approving funding and advising the company on significant issues such as whether cybercriminals should receive their desired ransom. They play a pivotal role in ensuring the organization is fully prepared for all potential outcomes.
- Cyber insurance: Considering the trend that premiums are increasing while insurance coverage is decreasing, the CFO’s input on cost and value is critical. They are in the best position to understand where the risks lie and the potential financial losses that could be incurred.
- Regulatory compliance: Regulatory compliance is key to not incurring unnecessary and costly fines. Using a quantified value, CFOs can translate cyber risk into a universally understood concept and determine thresholds for when specific incidents can be considered material threats. In working together, information security teams and CFOs can determine the most cost-efficient plan to reach their compliance goals.
- Managing budgets: Collaboration with the CFO can help CISOs produce efficient spending benchmarks and evaluate how current investments are being used. Consequently, they can better allocate budgets where the risk is higher, depending on the dollar value previously calculated.
Cyber risk isn’t going to disappear soon. Ransomware is on the rise, as are other cyber threats, and cybercriminals are continuously developing new tactics, which creates more risk. It is vital that organizations prepare themselves adequately by taking all necessary measures to secure their company from any kind of breach, including involving the CFO in vital conversations and decision-making processes.
To sufficiently prepare for ransomware and other large-scale cyber attacks, C-suite executives must consider budgets not only for compliance, but also for their risk appetite. In this way, they will be able to better protect themselves, while maximizing efficiency of budget spend. They must actively collaborate with information security teams as well as chief financial officers to be prepared for today’s cyber risk landscape.
By Dave Sutor, CFO at RiskLens