The traditional role of a Chief Financial Officer (CFO) used to be exactly what every dictionary or website defined it as: a senior executive with responsibility for the financial affairs of a company. While those definitions remain largely unchanged, the reality today is quite different.

As technology becomes increasingly integrated into the day-to-day operations of an organisation, executives around the world have been forced to confront the reality of the growing threat landscape and extremely sophisticated cyberattacks.

Eyeball-grabbing headlines outlining devastating cyberattacks and data breaches have galvanised conversations among C-level executives and boards of directors. Many are asking whether their organisation is protected from cyberattacks, or what can be done to ensure that what they’ve read and heard about never happens to their organisation.

According to PwC’s 2023 Global Digital Trust Insights report, two-thirds of the executives surveyed considered cybercrime their most significant threat in the coming year. What all this ultimately means is that the role of the CFO has now evolved to include a greater focus on cybersecurity and risk management.

Zeroing in on CFOs, the report outlined the most devastating consequences when a breach (other than a data breach) occurred: downtime or disruptions; damage to service and product quality; and lost contracts and business opportunities.

This is illustrated by the recent MGM cyberattack [September 2023], with some estimating the Las Vegas resort could have lost anywhere between $4.2m and $8.4m a day while its computer systems remained offline. The company also saw pressure on its stock price, losing over $1bn in market capitalisation following disclosure of the breach, and Moody’s, the rating agency for its public debt, warned the attack could lower MGM’s credit rating.

Specifically, Moody’s indicated the attack “highlights key risks” to MGM’s operations because of their heavy reliance on technology. As a result, CFOs – as per the PwC report – are keen to dedicate resources to improving their organisation’s cybersecurity; the report noted that 39 percent of its respondents were looking towards more cybersecurity technology solutions in the next 12 months. 36 percent also said they planned to upskill and hire cyber talent in the same time frame.

Internal collaboration

Stepping up cybersecurity organisational readiness begins with a greater degree of internal communications. The best way a CFO can begin their journey to identify and mitigate financial risk is by working closely with the Chief Information Security Officer (CISO).

Working together, the CFO will be better able to comprehend the organisation’s existing security risks and all the financial costs associated with stepping up protection, and ultimately can craft a comprehensive plan to secure the organisation from cyber threats (whilst potentially streamlining processes and boosting productivity).

Collaboration between C-level executives and security teams has to improve around the world, and the same can be said for CFOs and even CEOs getting personally involved with their organisation’s cybersecurity.

The PwC report outlined six key ways that CEOs can get involved with their firm’s cybersecurity matters, yet only 4 percent of the respondents said they planned to get involved in all six. This indicates there may still be a gap in understanding just how much damage cyberattacks could do to a firm’s business and its reputation.

When C-level executives such as CFOs become active participants in cybersecurity matters, the rest of the C-suite can then mitigate the risk of revenue loss by investing in the appropriate cybersecurity solutions and exposure programmes.


Collaboration between CFOs and CISOs can be a game changer in terms of rallying resources, while having a more accurate view of the organisation’s current level of cyber risk. This is particularly important as market headwinds and uncertainties put pressure on an organisation’s budgets, which in turn means that investments have to be strategic and have high impact.

While CISOs and CFOs often speak different languages, the universal common language both understand is numbers. Both should work together to define a set of objective measurements that quantify the risks the business faces – for example, the intersection of the vulnerabilities and threats faced with asset criticality and the impact to the organisation should those assets be compromised. This creates better connective tissue between CISOs and CFOs, aligning goals and the resourcing required to reduce the business risk faced.

Taking this into account, and with pressure on cash flow, rather than investing in multiple point solutions that focus on individual security aspects and potentially creating data silos, decision makers should opt for a unified exposure management platform that ticks all the necessary boxes.

Cyber risk is, at its core, a large data problem that can only be solved by connecting siloed security functions and data: correlating the vulnerabilities that exist, the threats faced and the privileged identities involved against the criticality of the affected assets and systems.

This intelligence will identify the potential attack paths that exist within the infrastructure – be it cloud configurations, web applications, operational technology infrastructure and everything in between – and weigh them against the cost to the business should they be negatively impacted.


Building a symbiotic working relationship

Since cyber risk and financial risk are interconnected elements, CFOs clearly play a critical role in helping their organisations effectively manage overall risk. As legislation focused on personal data protection is increasingly put in place by governments around the globe, companies have two risks to prepare for: the cost of the data breach itself, and the penalties and consequences they may face from governments, shareholders and other stakeholders in the aftermath of a data breach. And the stakes have never been higher!

As a result, CFOs should work closely with other individuals within the organisation who also have a vested interest in managing risk, including CIOs and CISOs.

It’s in a CFO’s best interest to look at cyber risk as they would economic or environmental exposures: as a tangible, measurable risk. The good news is that an organisation’s exposure gap can be bridged by consistently studying reports that explain the firm’s risk reduction journey, and by following and implementing operational risk best practices.

Considering the dynamic threat landscape and the business and financial impacts a cyber incident can cause, CFOs must take an active position in their organisation’s preparedness and response to reduce the cyber risk posed by threat actors and their tools of choice.