The recent barrage of cyberattacks on companies such as Target, Sony, and Anthem is causing gray hair for many CFOs. Most have IT as a direct report, which makes them responsible for digital risk strategy company-wide. In addition to safeguarding financial data, they must assess and manage risks to a wide range of other important information, such as intellectual property, customer data, and employee records.
Mitigating this risk is a difficult task, and the stakes are high. The financial consequences of inadequate security can be huge. The average annualized cost of cybercrime for U.S. companies was $12.7mm in 2014, up from $11.6mm the year before, according to the Ponemon Institute. Reputations also can be damaged. Sony recently announced that co-chairman Amy Pascal is stepping down later this year, in the wake of embarrassing emails that were made public by the company’s data breach.
Cyber-attacks happen across all industries, to companies of all sizes. So every organization needs to create and implement an effective risk strategy. CFOs can apply a basic, three-step approach to digital risk mitigation.
Step 1: Scrutinize Internal Controls
Employees increasingly are bringing their own mobile devices to work and using them to access their e-mail, documents, and files. This mobility allows them to work from anywhere, anytime, but it also adds to a company’s digital risk. A December 2014 survey by the Ponemon Institute shows that 66% of employees download mobile apps that have not been approved by their company, and only 19% make sure the apps do not contain viruses or malware.
At the same time, more companies are adopting cloud technologies, which make systems and tools available to users via lean applications or web browsers. This ties in neatly to employees’ desire for mobility, but it also makes implementation of a digital threat strategy more challenging.
Systems are becoming more decentralized, and CFOs must think about how to mitigate digital threats across an increasingly broad spectrum of systems and locations. To do so, they need to scrutinize their internal control structure and determine where risks reside, and whether adequate mitigating controls are in place.
Supporting technology can help CFOs implement an effective strategy. Examples include a security event management solution, log monitoring, intrusion detection, and automated analysis of security settings and segregation of duties (SOD). By using this technology, CFOs create a second layer of defense against data loss or corruption, and save themselves time during an audit.
Step 2: Maintain Cross-Functional Communication
The CFO’s role encompasses many diverse yet related functions (finance, accounting, IT, facilities, HR, etc.). As a result, CFOs are strategically positioned to lead a company-wide data security and digital threat defense strategy. By providing high-level project guidance, they can work with their colleagues across departments, ensuring that they remain focused and address the company’s overall risk management goals.
Talking to the CMO, CSO, CIO or other executives is crucial. As more companies make the move to cloud-based data storage and software solutions, CFOs must make sure that they’re always aware of their company’s digital risk across the business. They must partner with key department leaders and identify which assets are critical to protect.
Step 3: Consider Cyber Insurance
Cyber coverage was one of the fastest growing sectors of the insurance market in 2014, according to insurance firm Marsh. That’s not surprising, given the string of recent cyber-attacks and the financial pain they cause.
CFOs should weigh the price of coverage against the potential costs associated with a data breach. These can include the costs of identifying the source of the breach and providing credit monitoring if customer accounts are accessed, litigation expenses from lawsuits, fines for non-compliance with regulations, and years of additional audit fees if a judge finds your organization at fault.
A wide range of cyber coverage is available. Premiums range from a few thousand dollars (for base coverage for businesses with less than $10mm in revenue) to several hundred thousand dollars (for large corporations that want comprehensive coverage), according to the Insurance Information Institute.
Insurers also are developing “cloud coverage” products for cloud providers and the businesses that utilize them. This coverage would apply to loss, theft, and liability of data stored within the cloud.
With the rise of the mobile workforce and the move to cloud technologies, there are more ways than ever for hackers, competitors, and other potential criminals to access sensitive data. By creating strong internal controls, maintaining open communication across departments, and investing in insurance, CFOs will be well-positioned to adapt to new threats and reduce their company’s digital risk on an ongoing basis.