Data privacy and security are a key focus for CFOs, says a 2019 survey by management consulting firm Protiviti. The survey, which polled 817 CFOs and finance leaders worldwide, reported that 84% of respondents rated data privacy/security as their top priority overall and second-highest budget item.
Those concerns have not faded with time either. In my opinion, they have instead become more nuanced and taken on added complexity with the enduring specter of COVID, regional conflict, and regulatory uncertainty. PwC confirms this view in its CFO 2022 Agenda, which projects that CFOs will continue to devote time and resources to cybersecurity and data privacy in their drive to build trust with stakeholders in a turbulent sector.
“Company-wide efforts – particularly regarding transparency, assurance, accounting and reporting insights – are now considered to be within the CFO’s expanding domain of accountability,” says PwC. “Areas like cybersecurity and data privacy need funding to provide preemptive action.” But the CFO’s work is pushing even those bounds of duty, as they must not only procure and channel the needed funds to IT and data security but also be actively involved in procuring cyber insurance to help meet the risk.
Key risk factors for CFOs
In a finance industry increasingly ruled by electronic data, it’s understandable that keeping customer information and internal corporate processes safe is top of mind. And considering the now commonplace incidence of expensive data breaches and security infrastructure failures, the stakes are higher than ever. Even a single breach can compromise the data of millions of customers, exposing companies to significant financial losses, severe brand damage, and expensive litigation.
For context, the average cost of a data breach was $3.79 million in 2015. But as of 2021, a data breach costs over $4.2 million, says IBM’s Security Cost of a Data Breach Report. And the longer the breach stays uncontained, the more expensive it gets, costing companies $1.26 million more if it takes 200 days or more to contain.
While the problem seems clear – companies cannot afford laxity when it concerns cybersecurity – any potential solution suffers from multiple complexities. For instance, how people interact with data is a serious risk factor for finance organizations. Data can move from permanent drives to the cloud and back easily, often with the aid of “shadow IT” or unsanctioned services. And the way that people use these services changes often, enhancing the risk that IT departments and CFOs must grapple with, both externally as it concerns their customers and internally in relation to staff.
Additionally, CFOs themselves are often targets of cyberattacks. As individuals who handle sensitive financial information with a high access level, CFOs are ideal candidates for Business Email Compromise (BEC) schemes. A threat actor may masquerade as a legitimate vendor to hijack transactions, divert funds, or steal critical financial information.
Reducing risk for CFOs
The risk for CFOs is clear, but how do they mitigate cybersecurity risk and implement solid programs that offer frontline protection? I believe the first step is knowledge-based.
As Protiviti states in its 2018 survey, “in all likelihood, most finance leaders lack sufficient understanding of the technical aspects and requirements of appropriate security and privacy measures, resulting in a fear of the unknown and substantial reliance on the effectiveness of others.”
Therefore, plugging these knowledge gaps will be indispensable to formulating and executing the required approaches to meeting cyber risk. A low-hanging fruit for CFOs in this regard is to pursue active collaboration with IT and security teams “to articulate and implement specific controls for and protections against cyber-risk.”
