The recent barrage of cyberattacks on companies such as Target, Sony and Anthem is causing gray hair for many CFOs. Most have IT as a direct report, which makes them responsible for digital risk strategy company-wide. In addition to safeguarding financial data, they must assess and manage risks to a wide range of other important information, such as intellectual property, customer data and employee records.
Mitigating this risk is a difficult task, and the stakes are high. The financial consequences of inadequate security can be huge. The average annualized cost of cybercrime for U.S. companies was $12.7 million in 2014, up from $11.6 million the year before, according to the Ponemon Institute. Reputations also can be damaged. Sony recently announced that co-chairman Amy Pascal is stepping down later this year, in the wake of embarrassing emails that were made public by the company’s data breach.
Cyber attacks happen across all industries, to companies of all sizes. So every organization needs to create and implement an effective risk strategy. CFOs can apply a basic, three-step approach to digital risk mitigation.
Step 1: Scrutinize Internal Controls
Employees increasingly are bringing their own mobile devices to work and using them to access their e-mail, documents and files. This mobility allows them to work from anywhere, anytime, but it also adds to a company’s digital risk. A December 2014 survey by the Ponemon Institute shows that 66% of employees download mobile apps that have not been approved by their company, and only 19% make sure the apps do not contain viruses or malware.
At the same time, more companies are adopting cloud technologies, which make systems and tools available to users via lean applications or web browsers. This ties in neatly to employees’ desire for mobility, but it also makes implementation of a digital threat strategy more challenging.
Systems are becoming more decentralized, and CFOs must think about how to mitigate digital threats across an increasingly broad spectrum of systems and locations. To do so, they need to scrutinize their internal control structure and determine where risks reside, and whether adequate mitigating controls are in place.
Supporting technology can help CFOs implement an effective strategy. This can be an event management solution, log monitoring, intrusion detection, or automation of security and segregation of duties (SOD) analysis. By using this technology, CFOs create a second layer of defense against data loss or corruption, as well as save themselves time during an audit.
Step 2: Maintain Cross-functional Communication
The CFO’s role encompasses many diverse yet related functions (finance, accounting, IT, facilities, HR, etc.). As a result, CFOs are strategically positioned to lead a company-wide data security and digital threat defense strategy. By providing high-level project guidance, they can work with their colleagues across departments, ensuring that they remain focused and address the company’s overall risk management goals.
Talking to the CMO, CSO, CIO or other executives is crucial. As more companies make the move to cloud-based data storage and software solutions, CFOs must make sure that they’re always aware of their company’s digital risk across the business. They must partner with key department leaders and identify which assets are critical to protect.
Step 3: Consider Cyber Insurance
Cyber coverage was one of the fastest growing sectors of the insurance market in 2014, according to insurance firm Marsh. That’s not surprising, given the string of recent cyberattacks and the financial pain they cause.
CFOs should weigh the price of coverage against the potential costs associated with a data breach. These can include the costs of identifying the source of the breach and providing credit monitoring if customer accounts are accessed, litigation expenses from lawsuits, fines for non-compliance with regulations and years of additional audit fees if a judge finds your organization at fault.
A wide range of cyber coverage is available. Premiums range from a few thousand dollars (for base coverage for businesses with less than $10 million in revenue) to several hundred thousand dollars (for large corporations that want comprehensive coverage), according to the Insurance Information Institute.
Insurers also are developing “cloud coverage” products for cloud providers and the businesses that utilize them. This coverage would apply to loss, theft and liability of data stored within the Cloud.
With the rise of the mobile workforce and the move to cloud technologies, there are more ways than ever for hackers, competitors and other potential criminals to access sensitive data. By creating strong internal controls, maintaining open communication across departments and investing in insurance, CFOs will be well-positioned to adapt to new threats and reduce their company’s digital risk on an ongoing basis.
Spotlight on the SEC: Risk Assessments & Disclosures
As online attacks continue to harm companies and their shareholders, regulators are taking a closer look at digital risks. The SEC has emphasized that a company’s filings need to disclose its cybersecurity risks, including breaches, vulnerabilities and preparedness.
The SEC’s risk assessment includes not just filing companies, but also their third-party service providers. A glaring example of third-party risk is the recent Target breach, which was traced back to a heating and air conditioning vendor’s inadequate firewall.
COSO‘s internal control framework, used by many companies to comply with Sarbanes-Oxley reporting requirements, may be helpful. The organization recently published a paper explaining how companies can use the same principles to assess and address digital risks.
COSO’s guidance advises companies to evaluate whether their board fully understands their online risks and how they are being managed. It then explains how a company can focus on cybersecurity in its risk assessment, information and communication, controls and monitoring activities.
Companies need to understand the risks that are specific to their business, according to COSO, because criminals target different kinds of information in different industries. Technology companies may have to worry most about attacks on their intellectual property, for example, while customer data may be the target at a retailer.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.