As we continue in our series, Top Middle Market CFO Challenges for 2017, the growing threat of cybercrime is becoming top of mind for today’s CFOs. Cyberattacks are on the rise. In 2016, the number of US data breaches increased 40%—an all-time record high according to the Identity Theft Resource Center.
It may be easy to assume that the responsibility for addressing cyber risks rests with your IT department, because after all, these appear to be mostly IT-related risks. However, what may be less obvious are the very significant financial risks involved with a cyber breach. This should be keeping most CFOs up at night. Cyber risks can be divided into two main arenas—the technology component (hardware and software settings, system configuration) and the policies, procedures and internal controls which dictate how those technology components are used. While most CFOs won’t need to know their network architecture, it is critical in today’s environment that they understand, oversee and manage the overall threat exposure to their company.
There are several common cyber risks which could have a material, adverse impact on financial operations that CFOs should have on their radar:
- Business Operations – Once a hacker accesses a company’s network, they could gain control of everything that is attached to that network. Most business people think about their production or financial systems as being at risk, but your networked printers, scanners and copiers can also be accessed. These devices are part of the Internet of Things (IoT). If they are not properly secured, they could provide an access point for hackers to gain entry into your network. Other IoT devices that can provide a window to hackers are control systems such as thermostats, door locks and safety monitors. These can be breached, manipulated or shut down completely. Imagine the financial repercussions of losing a day’s production, or even worse, having all safety systems turned off. In addition to bottom-line revenue losses, your organization could face fines, lawsuits from customers or employees, and adverse publicity that could damage your brand and customer loyalty. All of these could inflict long-term damage on an organization.
- Trade Secrets – Any information maintained on a computer network is at risk. Why do you think Coke keeps its secret formula in a vault? It’s one part corporate culture and history and one part good internal control. By no means am I advocating the return to 18-column ledger paper, but any trade secret, business strategy, or confidential plan should be well protected due to the potential business risk.
- Customer and Employee Information – Companies maintain massive amounts of employee and customer information. Industries such as healthcare and financial institutions have specific regulations governing information security and privacy. Violating these regulations can result in millions of dollars of fines and penalties. Even in less regulated industries, there are state and federal laws governing disclosure of private information such as addresses and Social Security numbers. Just recently, Boeing fell victim to a breach that compromised 36,000 employees' personal information. This occurred after a Boeing employee sent an unencrypted file to their spouse to help with formatting issues. Boeing has to notify each impacted employee, make a public announcement and pay for credit monitoring for those employees for two years. Even if Boeing uses a lower-cost monitoring service, the cost of monitoring services alone will total over $4 million.
- Mergers and Acquisitions – A cyber breach cost Yahoo shareholders $350 million in the upcoming transaction with Verizon. If your company is anticipating a transaction, it’s especially important to ensure your cyber position is robust. And if you are seeking to acquire a company, one of the first due diligence questions asked should be around IT security and cyber risks. The worst surprise in an acquisition is to inherit unknown liabilities for fines and penalties due to a past breach.
Every company is at risk for a cyber breach and the resulting potential fines, penalties and brand damage. While the IT department is the first line of defense, it is incumbent on the CFO to be aware of the risks and take an active role in monitoring the company’s security posture. Developing and engaging with the appropriate IT policies and internal controls now can help mitigate significant financial risk in the long run.
We work with our client organizations to help them become more cyber resilient. We take an offensive approach and work with you to uncover vulnerabilities and give you a plan for better protecting the organization from cybercrime.
We recommend our clients undergo an IT Governance, Risk, and Compliance (GRC) review. This type of review enhances executive understanding of the cyber risks facing their organization to enable informed decision making around their cybersecurity strategy while also strengthening their value-driven regulatory compliance efforts. Additionally, an IT GRC review will help prevent a cyber breach from occurring and will mitigate the potential damage from a breach.
If you would like to learn more about how we can help build your organization’s cyber resilience, contact us.