Building a Cyber Resilient Business

By Dr. Magda Lilia Chelly , Shamane Tan , Hai Tran
Free chapter: Chapter 2, A Modern Cyber-Responsible CFO
About this book
With cyberattacks on the rise, it has become essential for C-suite executives and board members to step up and collectively recognize cyber risk as a top priority business risk. However, non-cyber executives find it challenging to understand their role in increasing the business’s cyber resilience due to its complex nature and the lack of a clear return on investment. This book demystifies the perception that cybersecurity is a technical problem, drawing parallels between the key responsibilities of the C-suite roles to line up with the mission of the Chief Information Security Officer (CISO). The book equips you with all you need to know about cyber risks to run the business effectively. Each chapter provides a holistic overview of the dynamic priorities of the C-suite (from the CFO to the CIO, COO, CRO, and so on), and unpacks how cybersecurity must be embedded in every business function. The book also contains self-assessment questions, which are a helpful tool in evaluating any major cybersecurity initiatives and/or investment required. With this book, you’ll have a deeper appreciation of the various ways all executives can contribute to the organization’s cyber program, in close collaboration with the CISO and the security team, and achieve a cyber-resilient, profitable, and sustainable business.
Publication date: November 2022
Publisher: Packt
Pages: 232
ISBN: 9781803246482

 

A Modern Cyber-Responsible CFO

A Chief Financial Officer (CFO) is the senior executive in charge of a company’s financial operations. A traditional CFO typically acts as a financial controller: the role is detail-oriented, and even a CFO who does not come from a financial background tends to manage just the numbers and focus on transactions. A more modern CFO is very forward-thinking. They manage risks and the future of the business.

While the Chief Executive Officer (CEO) sets the direction, culture, and budget for the company, the CFO is the agent of change, supporting that direction, implementing the company culture, and preparing the budget for the CEO.

Enterprise Risk Management (ERM) is a strategy across an enterprise, designed to identify potential events that may affect the company’s finances, operations, and objectives and keep risk within the parameters of the company’s risk appetite. The CEO’s commitment and that of every management team member, including the CFO, are critical to the success of ERM adoption and execution.

The executive team’s contributions, particularly in risk management, are required to meet the organization’s strategic goals. Nowadays, this requires considering cyber risk and integrating it into ERM.

The CFO’s job description is straightforward: cash flow management, financial planning, and financial reporting. Furthermore, their responsibilities include determining the firm’s financial capability and taking remedial actions to effectively and efficiently manage the firm’s risk. Each company has its own set of financial modules, and ERM is implemented using these modules. ERM can be an important tool for the CFO in helping them understand the potential impact of business risks on the business’s financial standing. This means that if cyber threats pose a risk to the business, then the CFO needs to understand what this means and how it can impact the organization’s financial position.

CFOs have a big say in implementing enterprise risk management, which should include cyber risk; they control the implementation of the ERM strategy. The adoption of ERM requires financial and operational resources and a thorough assessment of the likelihood of success.

This chapter discusses the main priorities for a CEO to consider when talking about the CFO’s financial strategy and involvement in ERM. In this chapter, we’re going to cover the following topics:

  • Why the CFO should care about cybersecurity
  • The CFO’s understanding of cybersecurity
  • The aspects of cybersecurity the CFO should consider
  • Defining the CFO’s role in building cyber resilience
  • Communicating with the CFO about cyber risks
  • Questions to ask your CFO

The following section provides further details on specific areas where the CFO remains an indispensable stakeholder in cyber risk management.

 

Why the CFO should care about cybersecurity

As the senior executive and, in effect, the top-level financial controller responsible for managing the business’s economic actions and financial risks, the CFO should care about any risk that may impact the organization’s financial position, including cyber risk. They should play a crucial role in supporting an adequate cyber budget that enables building cyber resilience across the organization. If done right, the management of cyber risk can also aid in the growth of an organization. There is a compelling need for CFOs to take a more active role in critical business decisions beyond financial performance disclosure, and the need for them to play an active role in cyber risk management is growing.

The role of the CFO in cybersecurity

There is a difference between a CFO who loves transactions, modeling, and details, and one who focuses on driving strategy and the story behind the numbers. The modern-day CFO does not just add up the numbers. They are meant to support the CEO, even when most CEOs are often more eager to take risks or find new business opportunities. The CEO is usually the one driving change, and they will want the CFO to be in their camp. The CFO is the person overseeing mergers and acquisitions and has the inspiration and motivation to take a business to the next step. They serve on the board of directors and participate in decision-making as a member of the senior executive team. Most organizations also rank the CFO second only to the CEO in public involvement. Your CFO is your communicator.

For organizations that do not have a Chief Risk Officer (CRO), the CFO is often the one to take on that role as well. The CFO can play the role of the CRO in tackling ERM and making decisions about risk treatment, transfer, and mitigations. Therefore, in a digitally connected world with increasing levels of inherent cyber risk, the CFO is integral to building business cyber resilience.

Integrating cyber risk into ERM is gaining traction among firms; businesses are using it to detect and manage cyber risk. ERM takes a holistic approach to risk management rather than a siloed one. It necessitates the integration of various processes to quantify an organization’s exposure to uncertainties that may interfere with the business’s goals and development capabilities.

These days, cybersecurity is typically in the top five risks for a corporation. A key aspect of the CFO role is to help manage that risk. Viewing cyber risk through the lens of ERM equips the CFO to position the company to manage the strategy and plan for cybersecurity. This is a practical way to align cyber risk with how the company perceives risk in general and provides a familiar environment for the CFO to get educated about the dialog on cybersecurity in a business context.

Cyberattacks present a serious economic concern for companies and business stakeholders. While awareness is increasing around the topic, there is a risk this perspective may be misinterpreted throughout an organization if a Chief Information Security Officer (CISO) and a CFO do not communicate and discuss cyber risk effectively with every member of the organization. The lack of communication about the organization’s cyber resilience means the business may not be prepared to face cyberattacks effectively, and the resulting financial losses might be substantial. Those economic losses ultimately need to be quantified to support an informed decision-making process between mitigation and transfer.

Despite not being cybersecurity experts, CFOs are not in a position today to ignore the topic or continue writing it off as an IT problem. The CFO has the expertise and supervision to look at the impact of an attack on the business’s financial position in a much broader and long-term manner, going beyond the immediate concerns of data loss and operational disruption to reputational and regulatory losses, as well as the impact on share prices. At the same time, if done well, having a strong cyber posture can also aid the organization in its rapid growth. A company that is cyber resilient will only serve to strengthen the business and give employees the peace of mind to flourish and perform to scale.

In the next section, we explore further how a CFO’s cybersecurity understanding can support cyber resilience.

 

The CFO’s understanding of cybersecurity

Shamane Tan, chief growth officer at Sekuro and founder of Cyber Risk Meetup, a global community for prolific cybersecurity conversations and exchanges, and co-author of this book, commented on a discussion with the CFOs that she was involved in: “Even amongst the CFOs, they recall that the conversation about cybersecurity only started to come up a decade ago when the insurers asked corporate CFOs what the company was doing about cybersecurity.”

When insurers began asking about cybersecurity over ten years ago, it was likely one of the first times CFOs would have heard about cybersecurity. It’s worth noting that these first conversations did not begin within an organization but were driven by those asking from outside the organization. Within an organization, it has not been a concern generally. Magda (co-author of this book) had a CFO mention to her that he trusted his security team and so wasn’t going to purchase cyber insurance.

With the increase in cyber risk and inevitability of cyberattacks, it is critical to understand that foolproof security does not exist. Within such a complex and interconnected environment, cybercriminals nowadays can find weaknesses within people, processes, and technology. A cyberattack can also happen through a supplier or vendor. It is just a matter of time.

A group of hackers known as “London Blue” targeted more than 50,000 finance executives, including 35,000 CFOs, with bogus requests to transfer money. The scams were estimated in an Agari report (https://www.agari.com/cyber-intelligence-research/whitepapers/london-blue-report.pdf) to have caused hundreds of thousands of dollars in damage. CFOs and the finance executives within an organization are not immune to being targeted and are not necessarily cyber-savvy to such scams. That must change.

In today’s world, insurers take cyber risks into consideration and provide cyber insurance to organizations as a risk transfer option. This requires risk profiling of a company. Cyber insurance helps CFOs to become cyber aware and requires a shift in their perception of cyber risk. This switch in mindset also correlates directly with both the frequency and the cost of cyberattacks. As a result, cybersecurity now forms part of the risk register.

Nevertheless, for CFOs, understanding cyber risks and cybersecurity as a whole can be a lengthy and frustrating process. The complexity of cybersecurity, solutions that are not always enough to mitigate risk, and confusing technical jargon are just a few of the reasons CFOs find it challenging. Your organization might have cybersecurity hardware and software to protect your business against cyberattacks. However, it only takes one weakness to incur financial losses.

People, processes, and technology are not immune to cyber threats. Specific to the finance team, phishing, social engineering, and Business Email Compromise (BEC) have been some of the most common cybercrimes. The FBI’s Internet Crime Complaint Center (ICCC) cybercrime report found BEC schemes to be the costliest of all cybercrimes, leading to losses of approximately $1.8 billion in 2020 alone.

A good example is an employee processing the payment of a fake vendor invoice, which can lead to the misdirection of tens of thousands or even hundreds of thousands of dollars. Those social engineering cyberattacks work by targeting humans and processes. This type of cybercrime has increased in recent years, and while some companies have addressed this cyber risk to prevent financial fraud and loss, others continue with their traditional approach and ignore the critical cybersecurity pillars of people and processes. “It can’t happen to us” remains the pervasive perspective.

Importantly, a CFO is not required to learn technical cybersecurity concepts. But they do need to consider cyber risks that might materialize from a weakness in people, processes, or technology. Understanding and communicating that foolproof security does not exist is among the first steps, along with increasing the budget to help address strategic initiatives. Further, it requires continuous support and the company’s readiness to respond when an attack happens.

It is also worth noting that when it comes to cyber insurance, not every single cyber event will be covered, which means that companies will not be able to transfer all of their risk through insurance. Take, for instance, a ransomware attack—insurance companies now deny insurance payouts for ransomware payments.

Yet ransomware attacks are only one cyber risk to a company. The following section outlines key aspects of cybersecurity that are helpful for CFOs to consider.

 

The aspects of cybersecurity the CFO should consider

Cybersecurity is a conversation that needs to be had at the boardroom level, as the impact of a cyberattack can have enormous consequences on customer trust, brand loyalty, and shareholder value. When the CISO starts the conversation, the CFO must be a supporter. Just as finance authority is delegated across an organization, so must cyber resilience. However, cyber risk is more complex than financial risk; one aspect of that complexity is that there are no monetary limits you can establish for who responds to a cyberattack. In other words, everyone needs to have a role and everyone owns a piece of the protection and recovery—and financial losses.

Cybersecurity goes beyond the effectiveness of the right technical controls, such as firewalls and authentication. For too many, a security event is commonly seen as the failure of technical controls, which is why the reported cost of a security breach is often considered to be just the cost of the initial impact. Yet that’s only part of the financial picture, and often a small part. What is often forgotten is the aftermath of things such as regulatory fines, lawsuits, and loss of the business’s reputation.

Part of the modern-day CFO’s role is to quantify risks and inspire change by using numbers to tell the story of managing cyber risk. With a focus on data, data, data, undoubtedly the most valuable commodity for any organization, the CFO can ensure it is leveraged and analyzed to help make more efficient business decisions. Cybersecurity is one of those business decisions.

Investments in the right security are required to help protect this data. If a business survives an initial attack, the recovery time can be very long and costly. The CFO must consider data value and cost, including data breach costs, cyberattack costs, cybersecurity return on investment (ROI), prioritization of cyber initiatives, and proper vendor due diligence. The foundational mindset when it comes to cyber resilience should be prevention first. Baseline housekeeping includes running a tight IT function and maintaining patch currency, and basic cybersecurity hygiene can provide enormous benefits at a relatively low cost.

The good thing is that the CFO is not alone in this fight. CISO Rahul Khurana has reported to CIOs and CTOs in some of the organizations where he has worked. Now as the CISO for a global healthcare and defense technology company, he reports directly to the CFO. He shared his experience of being in this different reporting structure:

“Our discussions are very focused on the overall business risk. CFOs have a clear understanding of the business impact of a cyber breach (whether it’s financial, legal, reputation, and so on). It’s all about the impact on revenue. I also have an independent cyber budget; I don’t need to fight for a cyber share under a common enterprise IT budget. It’s easy to talk numbers and return on investment through cost avoidance.

“Every dollar invested in cybersecurity (people/process/technology) that eventuates in reduction of cyber incidents or an overall impact of an incident reflects a return on investment—from a monetary, risk reduction or improved maturity and capability. It makes a big difference to have direct access to the CEO and the board. They are open to innovative ideas and approach when we have a business focus mindset.” 

The CFO needs to collaborate with the CISO to navigate investments and costs (such as security controls) and the complexities of financial protection (including reputational loss and lawsuits). It is important for the CFO to clearly understand how to achieve those outcomes to make the right decisions and produce proper financial forecasting. Budgets and investments in cybersecurity increase each year as new threats and defense technologies are created.

CFOs have a unique opportunity to approve funding for security solutions that will help protect a business or supplement (not replace) those solutions with a financial instrument, such as insurance. They also have to avoid overspending on products that prevent the business’s growth in the name of security. The CFO needs to balance between overspending, which leads to a false sense of security, and underfinancing security initiatives, which can result in a higher risk across the broader infrastructure. CFOs must recognize cybersecurity as an investment to protect against financial losses rather than a burden or expense.

This is only achievable if the CFO understands and clarifies the financial impacts of a cyber event in dollars.

A CFO’s perspective

Wayne Andrews, CFO at the University of Sydney, revealed that his key consideration in planning and budgeting for cybersecurity is to first establish the organization’s risk tolerance: “It is infinitely costly and impossible to eliminate cyber risk entirely (although CIOs would spend any amount in pursuit of that goal), so the question is how much risk can you tolerate and what it will cost to narrow your exposure to within the tolerable range.”

The risk tolerance discussion focuses on establishing tolerance and understanding the spectrum of risk, making the expenditure level a mere consequence of the process.

Wayne finds it fanciful to attempt a cost-benefit analysis on cyber expenditure because the range of outcomes can be so broad and the consequences of an actual event so large. The absolute numbers are so asymmetrical and the probabilities are very subjective. It can only be done in a meaningful way by narrowing the range of acceptable outcomes and the cost of delivering them.

Wayne concluded, “This is important because if your starting point is to eliminate all risk, you are doomed to fail in that regard and spend much money in the pursuit of failure.

“It is like having an insurance policy and never needing to cash it in. Companies spend a lot of money, but they might not really know the full extent of the cost at the end of the day had they opted out of insurance.

“Is there a way to demonstrate the number of near misses or quantify what we have saved ourselves from? Perhaps another way to look at it is by benchmarking against your peer companies’ cyber resilience and deciding you will be less affected by cyberattacks because you have a more substantial cybersecurity capability.

“For most businesses, the objective is to be sustainable and ensure the company has a future. That half a million dollars you spend on cybersecurity risk management becomes your return on the objective. Although it might not necessarily translate to, ‘I just saved my company $10 million,’ efforts need to meet organizational requirements to thrive.”

Addressing cyber risk from a complex financial view

Wayne also offers this view: “Can an organization balance some risks against a cyber insurance policy? There is no free lunch in this regard. What insurance can do for you is deliver the funds at short notice to remediate, including ransom payments; however, insurance will not restore your business and reputation, so it is a means of smoothing cash flow rather than eliminating risk. Indeed, you will find yourself uninsurable unless you have a credible cyber risk management program.”

Regulatory compliance is one approach to building a credible cyber program. Some regulations with more comprehensive applications, such as the European General Data Protection Regulation (GDPR), might require a solid focus on potential data breaches. The GDPR has steered the topic of the regulatory necessity of data protection into every business conversation and a notification process that requires a quick turnaround. The fines are massive, and companies cannot afford to be hit by a penalty of millions of dollars.

Payment Card Industry Data Security Standard (PCI DSS) compliance (where applicable to a company) is another useful scheme that translates security controls into actual monetary fines. PCI DSS is technical in nature and designed to protect financial information. It is in your CFO’s interest to comply with this, as enterprises will need to meet this standard to instill confidence in customers. How is your CFO currently collaborating with your CISO to oversee these compliance and cybersecurity requirements, spending, and potential losses?

We hope it is becoming clearer why the CFO’s role in cybersecurity is important. Next, we go into further detail about the relevance of the CFO’s role in building a resilient cyber-ready business.

 

Defining the CFO’s role in building cyber resilience

Cyber risks are now one of the most troublesome risks for CFOs. The CFO should be able to collaborate with the CISO and fully participate in a robust discussion about cyber risk with the board, the rest of the organization, and external stakeholders and position it as a business and commercial risk, mitigated through a variety of measures, not all of which are technological.

The CFO and the finance department are highly trusted and skilled when it comes to explaining the business reasons behind the financial limits and controls they put in place; thus, they should leverage this to promote cybersecurity. In the case of an attack, the CFO will, understandably, be one of the first to evaluate the possible harm and to lead, with the CEO, both internal and external actions and messages to essential stakeholders.

The CFO can improve an organization’s cyber capabilities—and help fulfill the board and senior management expectations—in crucial ways. We will explore these in the next sections.

Benchmarking cybersecurity budgets

The CFO may assist the CIO and CISO in determining the appropriate cybersecurity budget. Leading CFOs compare their company’s cybersecurity budget to their industry peers. Magda has received continuous requests for benchmarking data from CFOs. The benchmarking requests extended beyond cyber risk mitigation to cover cyber risk transfer. If a CFO sees that the industry average for cybersecurity budgets is 10 percent of the IT budget, and their firm allocates just 1 percent of the IT budget to cybersecurity, it is likely underinvesting.

Benchmarking is a great starting position for the CFO and helps them determine whether they are spending too much or if they are underspending. This will then help adjust the budget before allocation.

Defining cybersecurity spending

The CFO needs to collaborate with the CISO to define fund allocations and spending. An organization must assess whether funds are invested in the right initiatives. This assessment helps evaluate whether the business is spending the correct amount on the proper initiatives, given its cyber risk exposure. There have been situations where companies invested in costly tools while not having cybersecurity fundamentals in place, such as vulnerability management or two-factor authentication for administrative access. Even the best tools are ineffective without basic systems to support them.

A better name than “defining spending” would be “cyber spending allocation,” which is about smart allocation and how the CFO can help spread and amortize expenditures across multiple budgets, and even allocate percentages of spending from other departments’ budgets to help with security. CFOs are in a unique position to do this because they have a holistic view of the budget. They are also able to evaluate risk and apply it to the allocation of cybersecurity resources, as not every department’s needs will be equal.

Supporting cyber-risk quantification

The CFO’s dollars-and-cents attitude is handy for analyzing cyber risks using a quantitative rather than qualitative approach, ensuring that business and risk values are quantified equally. Traditionally, cybersecurity professionals have not quantified cyber risk, presenting it instead using qualitative methods. While helpful, this approach is limited when requiring objective spending assessments and prioritization. While risk management practitioners have used these models for other types of risk for years, they are only now being applied to cybersecurity. Once presented, if the board remains unsatisfied with traditional security reporting, it may look at aligned visibility with other risk types as part of ERM. This requires financial figures and adequate forecasts to support their strategic business decisions. The CFO should provide these insights and help quantify cyber risks in collaboration with the CISO.

Magda has collaborated with forensic accounting professionals who delivered valuable insights by quantifying losses for specific cyber risk scenarios. For example, they were able to calculate plausible financial losses for all types of business interruption, including lost profit, employee overtime, and third-party expenditure. This shows that, as the cost of protecting against cyberattacks rises, the CEO and board can only be confident that resources are spent efficiently if they measure both the cyber risk and the organization’s risk appetite.

Risk quantification is where the finance team can help the CISO most. If the CISO can identify the risks, the finance team can quantify their financial impact, which supports prioritization. Risk underpins every decision an organization makes, and one way to address a risk quickly is to transfer it.

Purchasing cyber insurance

Traditionally, CFOs purchase corporate insurance in collaboration with insurance managers. As with any other insurance bought on behalf of the company, they also manage the evaluation of cyber insurance and the underwriting process, and oversee the audits, asset inventories, testing, and compliance evidence that insurers ask for. Insurance is a contract in which an organization receives financial protection or compensation from an insurer, guaranteed in a policy. Purchasing insurance supplements, rather than replaces, risk management in safeguarding the company.

As cyberattacks can lead to financial losses, cyber insurance might cover those financial losses, helping with cash flow and liquidity management. A detailed and intelligent risk management strategy considers mitigation and transfers of cyber risk. There is always a residual risk that might materialize, impacting the company’s financial posture. If that risk occurs, the insurance compensates for the damages.

Insurance is a still relatively uncommon but important risk tool in cybersecurity. It transfers part of the financial impact of residual risk rather than reducing the likelihood of an incident, and the payout correlates directly with the costs the organization incurs. The downsides are that it does not cover everything, and insurers are narrowing what they pay out through exclusions and sub-limits. As with the purchase of any policy, strict scrutiny of what is and is not covered must be part of the due diligence process.

Having a solid cyber program to address security hygiene issues will help to reduce insurance premiums, which offers a better ROI than spending on premiums. However, there is still a blind spot for many organizations, one that is often not covered by cyber insurance, and that is third-party risks.

Assessing third-party risks

CFOs are often key players in defining the procurement process. Supply chain risks have increased tremendously, so supporting the cyber risk assessments performed on vendors and suppliers before working with them should be a priority for the CFO. In some organizations, the CFO owns the third-party risk management function; in others, it is shared between the procurement team (finance), the risk team (under the CRO), and the security function (under the CISO).

Cybersecurity budgeting, spending, and risk quantification are all part of the CFO’s responsibilities in building cyber resiliency. Yet identifying and recognizing cyber risk is the role of everyone in the organization. It is, therefore, incumbent upon everyone to communicate those risks effectively. The following section provides tips for communication with your CFO.


Communicating with the CFO about cyber risks

Shamane explains, “Language is important. Traditionally, the CFO has always been familiar with ROI. However, it can be a challenge for many to quantify the return on investment in cybersecurity.”

Often, cybersecurity is under the surface, not recognizable or acknowledged, but protecting the company from cyber threats. There could be all this activity going on, but the CFO may not see any positives from it, as they are not aware of how many incidents were avoided or how many near misses there were. The CFO sees it for what the tools cost the company, not what it has saved the company.

As many CFOs have shared with Shamane, “you can usually measure the cost to the organization after an attack, but if the company has not been compromised, how would one know what cost has been saved?”

So how do others in an organization assess cybersecurity threats and needs? Measures such as lead and lag indicators can help. Lag indicators are the after-the-fact costs that can be observed and quantified: regulatory fines and the cost of responding to an incident.

Lead indicators, on the other hand, rely on loss-curve projections or Factor Analysis of Information Risk (FAIR), which fits within the traditional risk calculation of likelihood and impact. FAIR is a well-known quantitative model for information security and operational risk: it decomposes risk into loss event frequency and loss magnitude, and offers a paradigm for understanding, assessing, and measuring cyber and operational risk in financial terms.

The good news is innovative quantification methods are emerging. One way to quantify cyber risk—developing a cyber-specific loss curve—can help companies develop a meaningful capital risk framework for cyber and answer those difficult questions, including ROI. Additionally, scenario building can be used to understand the consequences of cyberattacks and ensure accurate modeling for cyber risk quantification.
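The loss-curve and scenario-based quantification described above, and the forensic-accounting scenarios Magda mentions earlier in this section, can be worked through in code. The following is an added example, not code from the book or its authors: a FAIR-style Monte Carlo model in which each scenario has a loss event frequency (Poisson, events per year) and a per-event loss magnitude (lognormal, calibrated from an assumed 10th/90th percentile estimate). Simulating many years yields an annual-loss distribution, from which the annualized loss expectancy (ALE), a value-at-risk figure, and a loss exceedance curve are derived. The scenarios, frequencies, and loss figures are constructed for illustration and are not data from the book.

```python
"""FAIR-style Monte Carlo quantification of annual cyber loss (added example)."""
from __future__ import annotations

import math
import random
from dataclasses import dataclass

# z-score of the 90th percentile of a standard normal (the 10th is its mirror image)
Z_90 = 1.2815515655446004


@dataclass(frozen=True)
class LossScenario:
    name: str
    events_per_year: float   # loss event frequency: mean of a Poisson process
    loss_p10: float          # 10th percentile of per-event loss, in currency units
    loss_p90: float          # 90th percentile of per-event loss


def lognormal_params(p10: float, p90: float) -> tuple[float, float]:
    """Return (mu, sigma) of the lognormal whose 10th/90th percentiles are p10/p90."""
    if not 0 < p10 < p90:
        raise ValueError("need 0 < p10 < p90")
    mu = (math.log(p10) + math.log(p90)) / 2.0           # log of the median
    sigma = (math.log(p90) - math.log(p10)) / (2.0 * Z_90)
    return mu, sigma


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Draw an event count from Poisson(lam) using Knuth's method (fine for small lam)."""
    threshold = math.exp(-lam)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def expected_annual_loss(scenarios) -> float:
    """Analytic ALE: sum over scenarios of E[events per year] * E[loss per event]."""
    total = 0.0
    for s in scenarios:
        mu, sigma = lognormal_params(s.loss_p10, s.loss_p90)
        total += s.events_per_year * math.exp(mu + sigma * sigma / 2.0)
    return total


def simulate_annual_losses(scenarios, years: int = 10_000, seed: int = 7) -> list[float]:
    """Simulate independent years; each entry is that year's total loss across scenarios."""
    rng = random.Random(seed)
    params = [(s, *lognormal_params(s.loss_p10, s.loss_p90)) for s in scenarios]
    annual = []
    for _ in range(years):
        total = 0.0
        for s, mu, sigma in params:
            for _ in range(poisson_sample(rng, s.events_per_year)):
                total += rng.lognormvariate(mu, sigma)
        annual.append(total)
    return annual


def annualized_loss_expectancy(annual_losses) -> float:
    return sum(annual_losses) / len(annual_losses)


def value_at_risk(annual_losses, confidence: float = 0.95) -> float:
    """Annual loss not exceeded with probability `confidence` (empirical quantile)."""
    ordered = sorted(annual_losses)
    index = min(len(ordered) - 1, math.ceil(confidence * len(ordered)) - 1)
    return ordered[index]


def loss_exceedance_curve(annual_losses, thresholds) -> list[tuple[float, float]]:
    """For each threshold, the probability that annual loss reaches or exceeds it."""
    n = len(annual_losses)
    return [(t, sum(1 for x in annual_losses if x >= t) / n) for t in thresholds]


# Constructed, illustrative scenarios (assumed figures, not data from the book).
# Each magnitude range is meant to bundle the cost components the text lists:
# interruption, overtime, forensics, notification, third-party costs, and fines.
SCENARIOS = (
    LossScenario("ransomware business interruption", 0.2, 250_000, 4_000_000),
    LossScenario("customer data breach (forensics, notification, fines)", 0.5, 50_000, 1_500_000),
    LossScenario("critical vendor outage", 1.0, 10_000, 200_000),
)

if __name__ == "__main__":
    losses = simulate_annual_losses(SCENARIOS)
    print(f"analytic ALE : {expected_annual_loss(SCENARIOS):>12,.0f}")
    print(f"simulated ALE: {annualized_loss_expectancy(losses):>12,.0f}")
    print(f"95% VaR      : {value_at_risk(losses):>12,.0f}")
    for threshold, prob in loss_exceedance_curve(losses, (100_000, 500_000, 1_000_000, 5_000_000)):
        print(f"P(annual loss >= {threshold:>9,}) = {prob:.3f}")
```

The exceedance curve is the artifact to put in front of a CFO: each point reads as "there is an X% chance that cyber losses exceed Y this year", which maps directly onto risk appetite, insurance limits, and the question of how much a control that lowers a scenario's frequency or magnitude is worth. Calibrating percentiles rather than point estimates keeps the tail honest; the analytic ALE is included so the simulation can be sanity-checked against it.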

Moving from qualitative to quantitative frameworks for cyber risk is a journey in itself. However, quantifying the risk provides the ground for a better discussion with your CFO. It takes practice and a different perspective, but it is considerably more successful in building understanding and keeping your CFO’s attention on the topic.

Magda has long practiced cyber risk quantification and firmly believes it empowers security professionals to communicate efficiently with business stakeholders and align cybersecurity strategies with business goals. After all, assessment is only one element; the result must be presented to the CFO. When doing so, avoiding technical cybersecurity language is critical, because a CFO who does not have a cybersecurity background must still understand the risks and be able to take part in the discussion. The facts must therefore be delivered in a language they can comprehend, so that they confidently understand the topic and especially any requests. This is where cyber risk quantification is used: it speaks the CFO’s language, financial losses.

Thus, when starting a discussion with your CFO, it is crucial to build on familiar topics to find common ground. Cybersecurity is a complex topic for a CFO, just as financial planning is for cybersecurity professionals. The goal is for the CEO and CISO to work through the CFO’s recommendations together and understand the actual financial implications, in costs and losses, of a security incident or data breach.

Economic costs

Some financial costs are straightforward and immediate, such as penalties and fines. Then there are notification costs: the fees, charges, and expenses incurred in notifying individuals, regulators, and other parties who must be informed of a breach. Further costs arise from responding to inquiries and requests for clarification, and from legal consequences.

Data breach costs might also include forensic investigations, and the outcome may require an apology, compensation, a change in procedures, improved security safeguards, and/or payment for loss or damage suffered. In Japan, for example, apology money is paid to affected individuals. All these factors directly and indirectly increase the company’s financial losses following a data breach and should be assessed as part of the total breach cost.

A successful cyberattack in general might cause significant impacts, such as disruption to core systems, corruption of databases, and business paralysis. Traditionally, security incident impacts are classified as financial, reputational, and legal; unless they are quantified, however, the organization lacks accurate visibility of what an incident costs.

Additional economic costs include direct, indirect, and third-party costs. Beyond the immediate disruption, employee overtime, communication costs, recovery costs, and a fall in share value might also arise. In the medium term there is the potential loss of customers, loss of sales, and reduced profits, which might result in a drop in market share or valuation, or a delay to an initial public offering (IPO).

In the case of a successful cyberattack involving ransomware, the organization might face business interruption or operations paralysis, both of which have financial implications.

One of the goals of communicating with the CFO and appealing to them in language that they understand—financial losses—also serves to redirect the mindset they have when it comes to cybersecurity and resilience.

Mindset

There has been an intentional shift in recent years to focus the needs of cybersecurity on the return of value (ROV) or return on objective (ROO). Think about it from the perspective of a nation’s defense strategy. Billions are pumped into military strategies and advanced artillery warfare equipment in a bid to be prepared to fight a war and save as many lives as possible if it ever comes to it. We never hope for war, but we still prepare for it.

This section has presented a new perspective and an innovative approach: integrating cyber risk assessment into the finance function. Traditional cybersecurity frameworks did not equip security professionals to lead business discussions and made it hard for business stakeholders to recognize the value and necessity of cybersecurity. Quantifying plausible financial losses and discussing them as cyber risk scenarios are key to collaboration between security, finance, and ERM. The questions that follow are designed to draw out your CFO’s views and understanding of cyber risk, and to challenge them to take a more active role in advocating for cybersecurity.


Questions to ask your CFO

These questions will help facilitate a healthy discussion with your CFO and explore ways they can work more effectively with other executives in addressing your organization’s cyber resilience gaps and uplift program.

  • Have you considered cyber risk as a part of ERM?
  • As a CFO who manages the financial risk within an organization, how can you become a champion of security in the boardroom?
  • How can you shift your starting point from eliminating all risks to narrowing the range of acceptable outcomes?
  • How do you understand the implementation of cybersecurity hygiene? Is it more than just firewalls and authentication?
  • How do you ensure cyber risk quantification and financial optimization?
  • Are you confident that cyber risk needs to be addressed with a balance between mitigation and transfer? Have you considered cash flow management and risk transfer through cyber insurance?
  • How are you working with the CISO and CIO/CTO to meet regulatory and contractual requirements such as GDPR and PCI DSS?
  • How much time are you spending with the CISO and CIO to do a business review of the cybersecurity environment?

Summary

In this chapter, we established that CFOs must recognize that the cyber threat is constant: attacks continually test the defenses of both large and small firms. CFOs must also consider the possibility that they have already been compromised without knowing it. The network perimeter no longer defines the defensive boundary now that employees work remotely, permanently or more often, and this has a significant impact on business exposure and cyber risk.

CFOs and finance executives must understand cybersecurity risk and use that understanding to reframe cybersecurity management as a strategic business risk. They must assist in risk management by ensuring that the organization allocates appropriate resources to every category of risk, including cyber risk.

Finance plays a critical role in risk assessment and governance throughout an organization. Cyber is one of these risks, but given the potential for monetary loss, it should be one that finance has a significant influence on.

In the next chapter, we will discuss the role of the Chief Risk Officer. This chapter will identify the biggest challenges and misconceptions currently faced when it comes to cyber risk and ERM.

About the Authors
  • Dr. Magda Lilia Chelly

    Dr. Magda Lilia Chelly is an award-winning global cybersecurity leader. She has been named one of the top 20 most influential cybersecurity personalities in 2017 and 2021 by IFSEC Global. Magda has authored her first book called "Light, Shadow and Cyber: Vera's Cyber Adventures." Magda's many appearances discussing cybersecurity on national and international TV, Radio, and News Magazines have raised her profile as the media's go-to expert on cybersecurity subjects. In her career, Magda wore several hats. She has been an Information Security Officer for multiple organizations. She developed businesses in the cyber advisory space. Magda also co-founded a cybersecurity start-up in Singapore Responsible Cyber, valued at 7 Million SGD in 2020.

  • Shamane Tan

    As one of the most established women in the fields of technology and cybersecurity, Shamane Tan is the Chief Growth Officer at Sekuro, leading the security outreach strategy with the C-Suite and executives. Recognized by IFSEC as a Global Top 20 Cybersecurity Influencer and awarded ASEAN Top 30 Women in Security, the ‘Cyber Risk Leaders’ and 'Cyber Mayday and the Day After' author was also listed in the 40 under 40 Most Influential Asian-Australians. Winner of multiple awards including ARN Shining Star (Multinational) 2021 and AiSP Singapore’s Cybersecurity (Professional) award, the TEDx speaker and podcaster is also the founder of Cyber Risk Meetup, an international community and platform for cyber risk executives to exchange learnings.

  • Hai Tran

    Hai Tran was a Chief Executive Officer with extensive GRC leadership experience across a broad range of industry sectors including higher education, telecommunications, federal government, and law enforcement, including 5 years as the inaugural CISO for Western Australia Police Force. He had a pragmatic and business-led approach to security based on the philosophy that security should be an enabler, pervasive and frictionless. Hai held a CISSP, CISM, CISA, Diploma of Policing (Australian Federal Police College), Bachelor of Commerce (University of WA), and Masters of Electronic Commerce (Murdoch University) with a track record of building high performing teams, and embedding security into business processes to enable technology innovation and enhance business performance.
