The Business Case for the CFO to be Responsible for Cyber Security
As the threat of cyber attacks and cyber risk continues to increase, I foresee CFOs across the world learning, adapting and building competency to successfully address this critical challenge.
Cyber security wasn’t in the business lexicon until the 21st Century began. Today, cyber security is at the top of the list at company board meetings and is a daily recurring nightmare for chief executive officers and chief financial officers.
Many companies have decided to put their chief financial officer CFO in charge of cyber security. It is a risk that requires management, and a successful business case can be made for putting this person in charge of computer system security.
The computer environment creates new complexity in the world of business. This complexity arises from:
Changes in one area may create new challenges for others, making the need for a collaborative, strategic, and business-wide approach to cyber security necessity. Moreover, even in entities where computer security is robust and rigorously kept up-to-date, ongoing dependencies on supply-chain partners along with third-party service providers create exposures beyond the company’s direct control. In most organizations, the Chief Information Officer (CIO) assumes the mantle of security guru by default, but, now is the time to reevaluate that position.
Why the Need for CFO Involvement in Cyber Security?
One of the jobs performed by the CFO is risk management. This is evidenced by the Board of Director’s reliance on his or her opinion in mergers and acquisitions, investments, long-range planning, insurance, and other things that carry significant financial risk. The risk of a data breach is another one that can result in an inordinate unplanned expense. According to the 2015 Cost of Data Breach by IBM and the Pokemon Institute pegs the average cost of a data breach at $3.79 million. For some companies, particularly in the health care sector fines for HIPAA violations can run to the millions of dollars plus the cost of corrective action, defending against class-action lawsuits, and paying for one-year or more of identity theft protection for all people potentially touched by the breach. Other costs that are harder to calculate include loss of reputation and loss of customer confidence. These things can quickly run the expenses of a violation to a height many businesses cannot sustain – they go bankrupt within two years of the violation event.
“It’s definitely on the radar, like every other risk it falls on the CFO to be the guardian of the risks and risk mitigation.”
Steffan Tomlinson CFO of Palo Alto Networks agrees, he recently told Forbes:
“As the threat of cyber attacks and cyber risk continues to increase, I foresee CFOs across the world learning, adapting and building competency to successfully address this critical challenge. There are many creative approaches I have witnessed CFOs employ to build their skill in cyber security, but the one that most commonly stands out is when the CFO views cybersecurity through the lens of Enterprise Risk Management [ERM].”