Finance is one of the most vulnerable areas for cyber-attacks. The CFO needs to familiarise themselves with new IT security issues and master legal frameworks depending on their business model – an almost impossible task. How will this affect their decision-making power in terms of integrating tech – and facilitating company-wide usage of data?
Our interviews with CFOs from SMEs to multinationals have revealed four key ways of approaching cybersecurity.
Cyberattacks occur more than a million times a day. Most attacks are not successful, and few have the devastating effect of Wannacry, the well-documented ransomware that infected millions of computers across 150 countries last year. But the smaller attacks can still have a significant impact on business infrastructure and naturally, the costs run high.
CFOs are aware they have important role to play in addressing this challenge. “Cybersecurity is very high on the agenda,” explains the CFO of an investment bank. “It’s not just a matter of putting a security patch and then you’re good for the next 15 years; it takes constant vigilance and review of your performance.”
But the question remains: what particular role the CFO should play in the process?
The Scientist: prioritise protection needs
Most CFOs that participated in the study agree that a solid understanding of data management is key. If today’s CFO wants to fulfil his or her role, there is a need to knowing filter the critical and confidential data as well as prioritise the company’s protection.
As the number of data breaches accumulate, CFOs need to be proactive and continuously partner with IT experts. The continued exposure means that it’s increasingly important for a CFO to be tech savvy.
The Engineer: ensure compliance on the procedures
That is, however, just one part of the of the CFOs role to ensure data protection. Usually the biggest risk is not the IT system itself – but the way employees use it. “Regardless of the quantity of firewalls or passwords, a misconduct by anybody from the group can risk everything that we are trying to protect with those tools,” says Thiago Oliveira, CFO of real estate company JHSF.
In an approach that embodies an Engineer, Oliviera cannot over-emphasise the importance of smooth-running systems that are fully adopted by employees: “People’s compliance on system procedures is very important to keep information safe and reduce the risks of cyberattacks.”
The Coach: educating people to be watchful
In the mode of a Coach, training personnel of the risks associated with cyberattacks and prevention measures is fast-becoming a priority of every CFO.
“We have to educate our own people to be watchful,” says Bob Braasch, CFO of the investment bank Marathon Capital, “because the threats that could have an adverse effect on us will start with somebody accidentally sending a virus on a document and trying to access our system that way. Education at the individual level is really where the game starts.”
The pilot: find strategies to safeguard privacy
A growing number of organisations are monitoring their employees’ use of data to enhance cybersecurity, but that comes at a cost - and not necessarily a financial one.
“I think the biggest challenge for most companies is how to respect the privacy when everybody is being tracked 100% of the time. I wake up every morning with this question my mind,” explains Oliveira.
It takes the solution-oriented capacities of the Pilot to find an adequate solution, without necessarily getting into the operational detail. The balance is delicate but necessary: “It’s pretty easy for someone to send an e-mail containing our company’s compensation data, " explains Eugene Low, CFO with global consultancy Mercer, "but I have faith in my IT team, my compliance team, that they’re on top of it. And from what that I see, the situation is under control. I cannot get into the details of it. As a CFO, you have to pick your battles.”
There is speculation that the challenge of cyber security will eventually become too great for the CFO's team alone. As David List, CFO of the online money transmitter Conotoxia remarked: “I wouldn't be surprised if the future will lead to a new role for the executive board. At some stage, the Cybersecurity Officer will enter the boardroom."
Key Takeaways
- As finance is one of the most vulnerable areas for malicious attacks, CFOs need to get involved in managing cybersecurity
- CFOs have to be familiar with IT security issues, ideally within the framework of many various legal systems
- There is a real need to educate stakeholders to ensure widespread compliance
- The complexity of cybersecurity challenges is opening up the possibility of a new boardroom role
Find out more about the other key challenges facing CFOs in 2018
Go back to CFO and Financial Leadership Insights