Growth in the number and sophistication of cyberattacks on companies has meant that security breaches are becoming an everyday event rather than a worst-case scenario.
As a result, the remit of the CFO has expanded, requiring increased assessment and mitigation of risks to their companies.
“In the past, the finance function was focused on financials,” says Tim Wakeford, VP financials product strategy at Workday. “What we are seeing now is growing recognition among CFOs of the impact that security breaches can have on a company’s financials.
“There has also been an increase in the risk velocity of cybersecurity breaches. CFOs need to be tuned into the potential impact of these adverse effects.”
He points out that a CFOs remit should now include scenario planning to consider what the worst-case scenario would be in the event of a cyberattack, and what impact this will have on the company’s financial performance.
“The impact of security breaches also needs to be mitigated both internally and externally,” he says. “CFOs need to consider how a breach is communicated externally to other parties such as shareholders as these events can impact a company’s share price.”
Rising risk of cyberattacks
The increased frequency of cyberattacks on companies amid the pandemic is well documented.
Mentions of “cybersecurity” in company filings grew 33 percent in H1 2021 compared to the same period last year, according to a recent report by data and analytics company GlobalData.
The report identified malware (malicious software), ransomware (blocking access to extract money from a company) and data breaches as some of the top keywords in cybersecurity discussions in 2021 earnings transcripts.
Meanwhile, cloud vulnerabilities (65 percent), denial of service attacks, which aim to shut down machines or networks (60 percent), phishing and social engineering attacks geared at stealing data (52 percent) and malicious insider threats (45 percent) were all identified as security threats by nearly 2,000 global companies surveyed by the Ponemon Institute.
Download our Whitepapers
Its survey also found that 50 percent of businesses worldwide have experienced recurring attacks from the same hackers.
Financial directors, therefore, must take more steps to ensure their companies have “a good control environment”, according to Wakeford.
“CFOs are not involved in cybersecurity training nor organising and checking the IT but they need to put checks and controls in place to ensure the reporting on and mitigation of risks.
“When a breach occurs, they should consider internally how the breach happened, how it was dealt with and take steps to make sure it does not happen again – preventative measures need to be put in place.”
Guy Melamed, CFO and COO at Varonis, a cybersecurity company, argues that CFOs must play a more active role in assessing and managing risk levels and supporting preventative actions. This entails having regular conversations with HR, legal and security teams about cybersecurity.
“Many of the security risks companies face today are more complex and difficult to manage because companies hold much more data than they did 15-20 years ago,” he says.
“It is unfair to expect CFOs to understand the entire cybersecurity space, which is complex and evolving, but they need to keep asking the right questions within their organisations.
According to Melamed, there is so much data sitting within organisations today and it should not be open to everyone in the company.
Identifying who has access to what is the type of question CFOs should be asking, he says.
“Cyberattacks can be very harmful to a company, but if data is leaked that can cause significant damage too.”
Melamed believes that CFOs must also focus on guarding against cyberattacks on the finance department specifically because it handles huge amounts of sensitive data. Team members, therefore, must be aware of how they share information, the need to protect files and how to handle emails from unknown senders.
“CFOs need to track down who in their organisation has access to sensitive data, such as pre-published financial statements,” he adds. Wakeford also believes that many companies still experience difficulties in assessing and controlling access to critical data.
“Data governance is often over-looked,” he says. “IT security hygiene is particularly important for the finance function.”
The role of CFOs in cybersecurity
John Tunison, CFO at Trussway, a leading US-based wood frame manufacturing company, says he plays an active role in the company’s cybersecurity strategy.
“About 40-50 years ago, it used to be the case that CFOs were primarily responsible for accounting and finance, but today a number of other different functions have been meshed together,” he says.
“I think that today, some CFOs are more conversant in, and more knowledgeable about, cybersecurity than others but it is unlikely that a CFO will be able to tick through the entire cybersecurity list. The CFO and IT department need to work together.”
The rise in remote working has increased companies’ exposure to cyberattacks by creating more potential points through which a security breach can take place, says Tunison.
“As a result of the pandemic, far more people started accessing systems from less secure environments,” he says. “There was a massive increase in phishing attacks, and we ourselves saw a 200 percent increase in emails which need to be filtered and checked out for phishing.
“Within the finance department, we have a comprehensive accounting and finance policy, which provides key controls and this is constantly evolving documentation.”
Melamed also notes that remote working has increased the options open to cyber criminals.
“I recently heard the CFO of a large company with 15,000 employees discuss how before the pandemic, he was dealing with five offices globally, which meant five gates to protect,” he says.
“During the pandemic, this became 15,000 gates that had to be protected. This situation will continue over the next five years as companies move towards a hybrid working environment, so the risk is here to stay.”