It’s clear that any organisation should consider cybersecurity risks. According to the World Economic Forum’s 2022 global risks report, cybersecurity failure will be one of the most serious threats facing the world in the next two years, with cybersecurity threats “outpacing societies’ ability to effectively prevent them or respond to them”. According to the WEF’s Global Security Outlook 2022, only 19% of cyber leaders are confident that their organisations are cyber-resilient.
It is now up to finance professionals to use their skills and knowledge to help prevent and mitigate cyberthreats within companies.
Casey O’Brien is the director of cybersecurity at S-RM London. “The best way to address cyber risk is with finance professionals who can think critically and are analytical,” O’Brien said, adding that many people outside of finance may not realise the value finance brings.
These are five ways finance teams can help prevent and mitigate cyber-risk.
Follow the money.
O’Brien stated that financial assets are the crown jewels and that cyberattacks are often financially motivated.
He said, “But you must understand the assets in order to protect them.” Gartner has recommended identifying key financial data assets and assessing software programs, such as cloud finance solutions, for vulnerabilities. According to AIG, “the vast majority” of cyberattacks are economically motivated; targets include financial data and business plans, and the cloud technology that houses them may make organisations vulnerable to attack. According to a Netskope survey, 68% of malware downloads came from cloud applications. Compliance Week reported that clients affected by a 2020 data breach at Accellion’s file-sharing platform included Bombardier, Royal Dutch Shell and the Reserve Bank of New Zealand.
O’Brien said finance professionals can play a crucial role in protecting these assets because they know how the finances are organised, what the key data is and which systems are used.
Mary Dowd, FCMA, CGMA, CFO of Crossword Cybersecurity in London, said that an organisation’s risk register captures, describes and documents identified risks, and that finance is often the holder or owner of that register. Finance can make sure the risk register has been reviewed by the C-suite and the board, and that all levels of the organisation contribute to it. She also recommended that they be made aware of ongoing cyberthreats.
Dowd also noted that the finance team is the gatekeeper for transactions with the organisation’s outside suppliers and can provide insight on managing third-party risk. Damage can occur when cybercriminals access an organisation’s data through its suppliers, subsidiaries or merger-and-acquisition partners. According to a World Economic Forum survey, “almost 40%” of respondents had been negatively affected by cybersecurity incidents involving third-party vendors or supply-chain organisations.
Concentrate on the consequences.
Finance can quantify and communicate the potential consequences of failing to address threats effectively, including economic and reputational damage. A cyberattack can damage a company’s reputation, and insufficient cyber risk management can lead to data breaches that expose vendor or customer information. According to a Black Kite report, this can damage market capitalisation and future profits enough to threaten the survival of even the best-run businesses, particularly if the attack appears to have been caused by lax cybersecurity, and the damage is magnified if a company tries to hide the attack or delays reporting it. Cybersecurity Ventures projects that global cybercrime will cost $10.5 trillion by 2025, up from the $3 trillion recorded in 2015. Cyberattacks cause direct financial loss as well as service disruptions that make it difficult to do business, and costly litigation can add to those costs.
Finance can also play a part in ensuring compliance with regulations such as the General Data Protection Regulation (GDPR) and other legal and regulatory mandates. Dowd suggested that educating company leaders and other team members about these regulations helps them understand how to deal with data breaches.
You need to change your mindset about cyber expenditures.
O’Brien said cybersecurity should be treated as an investment, not a cost. Finance reminding the organisation that such spending protects its operations can change perceptions. He said, “It’s much more meaningful if that message is from the people who actually have the purse strings.”
The finance team can provide informed advice on allocating the cybersecurity budget correctly and getting the most from it.
O’Brien said it is easy to spend too much on cybersecurity, or to spend in the wrong places. Companies waste money when they throw cash at the problem in the hope that it will solve every threat instead of analysing where the money is actually needed. “Finance can be used to ensure that budget decisions are sound and challenging.” Some organisations end up spending heavily on new technology simply because they like it. O’Brien said finance might question whether the technology is the right one for the organisation, and whether it offers greater benefit than simply educating employees better about how to protect the organisation. Finance may also ask whether employees are able to make the most of the technology. Either case may call for investment in training.
Plan from the front.
Dowd said every organisation should have a risk committee that includes a senior finance person and that places cybersecurity at the top of its agenda. Depending on the size of the organisation and its level of financial knowledge, the board may also require a cybersecurity subcommittee. She suggested that long-term spending plans allow for unknown risks, which could include penetration testing for vulnerabilities in the organisation’s infrastructure.
The CIO might oversee the incident response plan, but the finance team should also be involved. O’Brien said that knowing the financial consequences for an organisation of a ransomware attack that shuts it down for a few days is crucial, and that someone must be able to assess the company’s financial position. Gartner has recommended assigning a finance leader to the first-response team to assess economic damage and devise effective responses.
Establish the right tone for the group.
Dowd said human error is the leading cause of data breaches. The finance team leader can set an example by creating a culture of cybersecurity that ensures finance professionals work to the highest standards and have access to the right resources. Standards and regulations to consider when developing those standards include the GDPR, the UK’s Cyber Essentials scheme, aimed at small and medium-sized businesses, and the International Organization for Standardization’s 27000 series. Dowd said standards and regulations can be used to convey to the team the severity of data breaches and financial threats, and that the organisational culture must affirm that employees will not be punished for reporting suspicious activity.
Continuing professional development in finance should include training in new technologies and cybersecurity. Dowd said cloud migration has improved data backup and recovery but has also created risk. According to a Deloitte study, while the internet of things offers businesses new ways to create value, it also presents new opportunities for information compromise. Dowd also recommended that organisations consider how the metaverse could affect cyber risk as the technology develops. A PwC report on the metaverse said that digital-economy innovations such as cryptocurrencies are already relevant for businesses, but that “risks are real too”.
Dowd acknowledged that cyber risk is complex and evolving and can seem overwhelming, but said not to give up. “Remember that not all eventualities can be predicted, but you should have a plan which will allow you to respond if the worst happens.”