In the age of working from home (WFH) and the cloud, a chief financial officer’s job must include cybersecurity. As of 2019, a cyber attack can cost a U.S. company up to $8.19 million to fix, according to the Ponemon Institute’s latest Cost of a Data Breach Report.
A CFO hears $8 million in risk and instinctively thinks about how much it will cost to shield the company from cyber attacks. You want a CFO on the job of cybersecurity.
Threats to your company’s privileged information and customer data are everywhere.
A breach in data security can be digital (phishing) or physical (theft of backup copies), external (malware) or internal (high-level privileges), intentional (hacking or leaking) or accidental (improper disposal of records).
According to recent reporting, cyber hacking is the leading cause (51%) of breaches.
So, why is cybersecurity a part of the chief financial officer’s job?
Thanks for asking. We got caught up on our cybersecurity reading (while working from home, of course) and wanted to share a few key takeaways with you.
Here are our top 3 business reasons to make cybersecurity a part of your CFO’s job description today.
Reason #1: Cybersecurity is mission-critical
In this digital age, cybersecurity is a cost of doing business. How well you manage that cost is critical.
You may have heard about the latest breach at GoDaddy that affected 28,000 customers. An ‘unauthorized user’ gained access to the affected customers’ hosting accounts. The breach resulted in GoDaddy providing thousands of customers with a year of website security and malware removal free of charge. GoDaddy has been down this road before. This most recent breach was costly but not devastating.
A breakdown in security does not impact all companies equally. Healthcare, financial, and pharmaceutical sector companies suffer the most from a breach. For some, information security breakdowns are devastating.
The American Medical Collection Agency (AMCA), which handled collection of delinquent accounts for Quest Diagnostics, LabCorp, and Carecentrix, had an 8-month-long data breach that exposed 20 million individuals’ personal identification and credit card information. The cost of informing customers of the issue and bringing in consultants and additional IT staff to fix the problem, together with employee turnover, led AMCA to file for Chapter 11 bankruptcy.
A CFO’s role is to protect your company from all types of risk through sound financial management. A CFO who aligns cybersecurity with your company’s business strategy will enable your talent to innovate and your customers to enjoy your products and services with confidence.
There is really no time like the present to add cybersecurity to your CFO’s job description. Risk Based Security (RBS) named 2019 the worst year in history for breaches.
RBS reported that data breaches increased by 33% between 2018 and 2019, exposing 7.9 billion records. Those records include customers’ Social Security numbers, social media accounts, medical records, passport identifiers, and more.
Reason #2: Regulation is a CFO’s middle name
Google “international cyber attacks” and get ready to be sucked into a world of high-stakes cybercrime impacting hundreds of millions of customers, nations, even the World Wide Web itself. It is the kind of Wild West that regulators love to tame.
For years, financial institutions have been operating under the Federal Trade Commission’s Security Rule of the Gramm-Leach-Bliley (GLB) Act and other rules on privacy and data protection. However, other industries that have been steadily expanding their digital operations (and increasing risks) are still not subject to the same rules.
Government entities (e.g., Homeland Security, NIST) and regulators across industries (e.g., SEC, NAIC) are working hard to stay ahead of these malevolent actors outside and within companies.
Take the Cybersecurity Disclosure Act, under which the SEC would require publicly traded companies to disclose the existence or lack of cybersecurity expertise on the board in annual reports or annual proxy statements. This (to date) unadopted legislation indicates that cybersecurity oversight at the board level of any company is reaching a tipping point. Should it become law, a CFO would be responsible for educating the board on cybersecurity.
As more and more people, governments, and markets are impacted by cyber attacks, information security legislation and guidance for corporate cybersecurity will have to change, and companies will have to follow. Wouldn’t you rather be ahead?
A CFO with cybersecurity in their job description will need a deeper understanding of the risks inherent in a breach, how to respond, and how to recover from any data security issue.
A CFO with a defined role in cybersecurity at your company will be in a stronger position to advise the Board on the best measures to take, hire the best manager of your company’s data security, and marshal resources to scale privacy and data protection measures that make business sense and meet regulations.
Get your company ready for any information security future and put cybersecurity in your CFO’s job description.
Reason #3: Cybersecurity is a cost center
A CFO is naturally concerned about cost centers that are not reaching operational efficiency. One sure way to eat up your cost savings is cleaning up a data breach.
The IBM/Ponemon 2019 Cost of a Data Breach report found that it takes companies 279 days to find and contain a data breach. Recall that AMCA’s breach lasted 8 months. If a company can reduce the amount of time to detect and resolve data breaches, it will significantly reduce costs.
The 2019 IBM/Ponemon report had suggestions on how to reduce the amount of time to resolve an incident.
- Employing encryption that masks private information and a cybersecurity response team can reduce the cost of a single incident by $720,000.
- Companies that have a response team and test their performance save on average $1.23 million per incident.
- Security automation technologies that can perform a number of tasks to detect, isolate, and resolve attacks automatically (without human error) and across systems reduce costs by up to 50%, or on average $2.65 million.
A CFO’s role in a company is changing. Measuring performance is still central to a CFO’s value to a company.
Cybersecurity is now one of 15 areas that report to a CFO, according to the 2018 McKinsey Global Survey. When a CFO is charged with cybersecurity, they will be in a strategic position to find synergies across the tech stack, staff, and processes of the organization to protect company assets and customer trust and to keep costs where they need to be.
tempCFO saw cloud accounting rolling in from far away, and we have stayed true to our mission of providing valuable financial expertise as a business partner for clients in that cloud, successfully and without incident. Get in touch to learn more about how we can help you.