Cyber-risk moves to the top of the CFO’s agenda

The case for a cyber CFO is strong as financial chiefs are immersed in a business world threatened by cybercriminals

It is all too easy to think of the chief financial officer (CFO) as being the C-suite accountant, albeit a very powerful and well-paid one. While the clue is in the job title and managing the company’s finances is certainly the primary role, there’s more to the modern CFO than just balancing the books. Sure, managing cash flows and overseeing budgetary planning remain central to the CFO role, but times are changing and CFOs must change as well.

I insist on being an active member of the security team to evaluate our cybersecurity posture and most critical assets, and understand our exposure

Responsibility for financial risk management is increasingly expanding into the more strategic realm of cyber-risk management and regulatory compliance responsibility is embracing more than just ensuring that accounting checkboxes are ticked.

With most organisations now in a state of perpetual change, driven by the need for true digital transformation that profoundly touches upon every aspect of the business, the C-suite has high expectations of what the CFO must deliver. To meet those expectations, should we now be defining the chief executive’s de facto second in command as the cyber CFO?

GDPR has added cyber-risk to the CFO’s priorities

The CFO needs to not only manage the basic finance function, but identify areas for growth and operational excellence across all domains. “One of these areas is being an ecosystem protector,” says Colby Moosman, CFO of biometric identity verification company Jumio. “As we become more tethered to the internet, more of our business and more of our customers are becoming part of a digital ecosystem, which is under constant threat from cybercriminals, malware, fraudsters and social engineering.”

With the light from the European Union General Data Protection Regulation (GDPR) shining into the darkest corporate corners and illuminating the potential for fines that will impact the bottom line, Mr Moosman insists it’s now “incumbent on the CFO to protect the privacy and the data captured on users”.

Ning Wang, CFO of hacker-powered security testing company HackerOne, agrees that the evolving regulatory and audit environment GDPR brings to the organisation means that all CFOs must be familiar with ensuring compliance across all business units. At HackerOne, for example, GDPR-related training is now part of employee onboarding.

“We regularly educate our staff on how to handle personal data to increase awareness and sensitivity,” says Ms Wang, as that helps the company to stay compliant. “The CFO role in relation to cyber-risk and compliance becomes more operational in that regard, rather than siloed in financials.”

CFOs need to know the right questions to ask around cyber-risk

This is an important acknowledgement and one that is central to the case for a cyber CFO moving forward. You might think this could lead to there being some worried CFOs who are concerned their career could be careering off the rails, with this shift towards an entirely new skillset to add to their CVs.

But that’s not the impression you get talking to those who are actively walking the walk. “It’s truly an exciting time to be a CFO,” says Steve Vintz, CFO with cyber-exposure experts Tenable, who argues they simply need to understand their exposure to cyber-risk and the financial costs associated with it.

“I don’t pretend to understand the technology to the same degree as a chief information officer (CIO) or chief information security officer (CISO), but I insist on being an active member of the security team to evaluate our cybersecurity posture and most critical assets, and understand our exposure.”

Wait a minute, so should cybersecurity be the CFO’s job in future? No, the responsibility for cybersecurity must still fall under the security team, which includes the CISO, CIO and the myriad other roles involved with protecting the organisation from cyberattacks.

“But CFOs need to know what questions to ask their security team, what to look for and understand the additional disclosure requirements that are now part of the financial statements,” says Guy Melamed, CFO and chief operating officer at data security company Varonis Systems.

Being clued up on cyber-risk can help CFOs budget for the worst case

The argument is that CFOs, CIOs and CISOs share many of the same goals to protect their organisation from cyberattacks and other threats, and if CFOs are aware of the cyber-risk they can, according to Mr Melamed, “do what they do probably hundreds of time a day: a cost-benefit analysis to ensure the right decisions are made to reduce risk and to ensure resources are allocated properly”.

Sharing goals is one thing, sharing responsibility another in a relationship, which all too often appears to be defined by squabbles over resources as budgets are squeezed. Yet that relationship is key if the business is to succeed. Which means, as James Armstrong, CFO at digital transformation specialists 6point6, points out: “The CFO and CIO/CISO need to be 100 per cent in tune.” Indeed, the CFO has a duty of care to hold the CIO/CISO to account and understand cyber-risk and its potential impact on the business.

However, when executives consider fraud or cyberattack, many think only in terms of direct financial loss. The forward-thinking future CFO must take account of the longer-term impacts. “Having a plan in place that is led by a potential cyber CFO well in advance of any breach will mitigate reputational and legal impacts,” Jim Gee, national head of forensic services at risk advisory firm Crowe, concludes.