Cybersecurity for CFOs: Mitigating Risk in an Era of an Ever-Changing Risk Landscape, Laws, Regulations and Uncertainties

What is Cyber Security?

A few years back, words like hacking, phishing emails, malware, virus, breach, data loss and bank account theft were IT terminology, neither known nor understood by the general public.

But CFOs would agree: the last two years have made these words known, understood and dreaded by people all over the world.

Leaders all over the world are struggling to fight this virtual pandemic, and its prevention and cure is cybersecurity.

Cybersecurity is the body of technologies, processes, practices and people designed to protect networks, devices, programs and data from attack, damage or unauthorized access. Cybersecurity may also be referred to as information technology security. To sum up its definition in three words, cybersecurity is: Confidentiality (C), Integrity (I) and Availability (A), the so-called CIA triad: only authorized parties can read the data, the data and systems are not altered without authorization, and the systems and data are reachable when the business needs them.

Do we need it?

The Answer to this question lies within your organization.

It depends on many factors, such as organizational risk appetite, size, budget, threat model and potential liabilities.

Sticking to our usual MO, it is best to err on the side of caution. According to one study, 66% of SMBs would not survive a data breach on their own. The cybercrime industry (yes, it is an industry) has never been more profitable, and the impact of a security breach is not only monetary but also involves reputation loss, legal issues, loss of IP, etc.

What are the Stats/Gurus saying about the Cyber Crime Industry, to understand the need better?

What are the Key Drivers for Cybersecurity Projects?

• Increasing digitalisation of businesses, especially the move towards SaaS, PaaS and IaaS cloud models, IoT, social media and mobile, which expands the attack surface.
• Evolving threat landscape involving ransomware, malware, etc.
• Increase in cybersecurity awareness.
• Demand from the Board/Management.
• Apprehensions around the implications of data privacy laws like GDPR and India's data privacy law (when it comes into effect).
• Third-party requirements from customers, partners, etc.

What are the Key Challenges?

• Lack of C-suite buy-in: security projects are viewed as just another IT project rather than in a wider business perspective.
• Lack of alignment and integration of cybersecurity projects with the main organizational goals.
• Very low cybersecurity budgets.
• Lack of skilled cybersecurity resources.
• Lack of user awareness of, and ownership for, cybersecurity projects.

What Questions Should a CFO Ask the CISO?

As CFO, your go-to sources about cyber risk are typically the CISO or the chief risk officer (CRO) and, in some cases, the CIO. The following questions can inform the dialogue:

• How do we identify our critical assets, associated risks, and vulnerabilities?
• Do we have a well-tested incident response and communication plan?
• Do we track what information is leaving our organization and where it is going?
• How do we know who’s really logging into our network, and from where?
• Can we limit the information we voluntarily make available to a cyber adversary?
• Do our security controls cover the entire company, including subsidiaries and affiliates? (Most often the answer will be no.)

Can CFOs Mitigate Risk and Protect the Business?

There are steps you can take to reduce the threat of a cyber-attack. The following actions can guide CFOs in instituting an enterprise-wide cybersecurity plan:
• Propose the appointment of a CISO if your organisation does not already have one, and place the role at the right position in the org chart, where it carries accountability and responsibility and has access to, and support from, key stakeholders.
• Be a key player in developing an incident response plan. An effective incident response plan should:

o Identify specific risk owners and contacts within the organization.
o Have clear decision-making guidelines and associated actions.
o Be usable, and not overly complex.
o Be tested regularly (at least once per quarter).
o Include all data loss incident types (i.e., not only intrusions).

• Outline how to help affected customers (guidance, resources, etc.).
• Participate in cybersecurity training with your C-suite; collaboration and practice are key elements of cyber resilience.
• Partner with the rest of the C-suite to ensure you agree on your organization's crown jewels: what needs to be protected at all costs.
• Identify finance's role in cybersecurity. Work with your CIO and the business leaders to see how finance can help create the necessary culture of security and privacy. Organizations can enhance their security stance by valuing cybersecurity and the protection of privacy. Remember: "Security begins with me."
• Partner with your Chief Information Security Officer to understand the financial needs of the security team, including staff training and professional development, not just technology solutions.
• Evaluate the effect of a cyber crisis on all parts of the business; this helps you limit your exposure and make good decisions about protecting your crown jewels.
• Review the cybersecurity budget. Security budgets often take a backseat to other IT or business priorities, leaving companies unprepared to deal with risks and attacks. An annual review of the cybersecurity budget is recommended.
• Require regular reports on security risks. These reports should come from senior management and detail privacy and security risks based on specific risk indicators, not on project status.
• Determine your insurance needs, know your insurance policy, and decide whether it makes sense to file an insurance claim depending on the incident.
• Anticipate providing protection services to those affected by an incident.
• Fulfil your fiduciary duties throughout the incident response.
• Plan for shareholder, vendor and investor communications and data management.