Cybersecurity threats continue to escalate.
The
growing number, frequency and impact of cyber attacks have propelled
cybersecurity to the top of the CFO and board agendas.
Today’s
cybercriminals are well-funded, organized structures with the patience to
infiltrate a company’s systems over time to obtain the information they desire.
The
infiltrators have gone beyond focusing on credit card details. They have
long-term strategies, which often mean they are targeting to manipulate a
company’s share price, alter a company’s financial data or undertake or
interfere with large-scale financial transactions.
CFOs
fully understand that cyber threats are real. They have seen the financial and
reputational damage victims have faced. And as the world becomes increasingly
digital, the number and severity of these threats will only intensify.
Cybersecurity
is fundamentally about protecting an organization’s shareholder value. CFOs
must play a much greater role.
The first step toward protecting an organization is to realize that attacks are inevitable, It is discovered that most organizations had only a moderate level of cybersecurity maturity. Instead of anticipating threats and preparing for them, organizations continue to react only when an attack has been detected.
Cybersecurity should no longer be viewed as an IT-only issue. While the CIO continues to play a crucial role, in the more mature cybersecurity functions, the CFO and board lead discussions on cyber security as a major exposure in the organization’s overall risk management framework. (Read how the CFO and CIO can partner to address cybersecurity.)
The need for a proactive, board-level approach
As businesses become more digital, new avenues of access for cyber
criminals to organizations’ assets are being created. Operational technology,
for example, represents a major risk that is too often overlooked at the board
level.
Operational technology is
not traditional IT software and hardware. It is the systems that underpin
operations in many companies, such as those that deliver electricity, move oil
and gas or operate assembly lines in some industries.
These systems often aren’t
managed by IT. However, as more devices become connected, the “Internet of
Things” has become a major source of risk. The CFO needs to weave operational
technology, and other emerging avenues of entry, into the company’s risk
management processes
A better approach is to grasp the gravity of the situation – and the speed at which it happens – and work with the board and IT function to define a mature cybersecurity function that protects the company’s key assets and can evolve with time. The CFO should then invest to fill the gap between where the company is now and where it should be. Moving forward, the focus should shift from detection to prevention.
Creating a mature cybersecurity function starts with a detailed understanding of the organization’s key assets. The CFO needs to be part of the team that decides what those primary assets – or crown jewels – are, recognizing that they will change over time.
Several questions will help organizations identify their primary assets:
- What assets would hurt the organization’s day-to-day operations if lost?
- What assets would result in a loss of consumer confidence if breached?
- What assets would cause grave reputational harm and dilute shareholder value, if compromised?To help create an effective road map to a mature cybersecurity function, CFOs can ask several key questions right now:
- What is our overall risk tolerance?
- What is my organization’s current exposure to cyber
risk?
- How does our preparedness compare to our competitors?
- Is our cyber risk exposure consistent with our risk
tolerance?
- Are there adequate processes in place to prevent,
detect, contain and respond to a cyber attack?
- Do we have a plan for how we will respond to a cyber
attack?
- Have we tested the plan thoroughly so there is no time
delay when the breach occurs?
In
today’s 24/7 media cycle, global organizations need a thoroughly tested cyber-attack
plan that prepares the company to respond no matter where or when the breach
occurs. Communication to the media and investors is absolutely critical in the
wake of a breach, because it may sway the media and the market’s response,
which can impact share price.
Having
a well-planned response as part of the cybersecurity strategy helps give peace
of mind to investors and the board of directors and helps the company better
control the outcome.
CFOs
need to collaborate with their CIO, the board and cybersecurity experts to be
prepared for the first signs of a breach. The plan should include:
- Regulatory relations
- Media relations
- Investor relations
- IT
- Risk
Banking and capital markets: prime targets
All
sectors are at risk from cyber attacks. Banking and capital markets, for example,
are exposed for two reasons:
1.
Their most precious assets are
mostly electronic.
2.
They are information organizations
with huge volumes of transactions and communications that are vulnerable to
infiltration.
Banking is a highly regulated industry. The requirements relating to how companies protect the data in their possession is forever tightening in the name of security. That means that in addition to the inherent financial and reputational risks, there are criminal risks for noncompliance.
The good news is that financial services CFOs are ahead of their peers in other industries when it comes to managing who has access to sensitive data. But the volume of transactions and global reach of today’s consumers and suppliers also makes it easy for cybercriminals to hide the evidence of their attacks. To create and continually update a cybersecurity system that is more sophisticated than the ones the hackers are using, management needs to fully understand the bank’s workflow through the back, middle and front offices.
While banking and capital markets will always be vulnerable to attacks, acquisitions can render them particularly vulnerable. The only way companies in these industries can identify threats before the damage exposed during an acquisition is too great is by applying data analytics that detect anomalies in the way employees, suppliers and customers behave.
Banking is a highly regulated industry. The requirements relating to how companies protect the data in their possession is forever tightening in the name of security. That means that in addition to the inherent financial and reputational risks, there are criminal risks for noncompliance.
The good news is that financial services CFOs are ahead of their peers in other industries when it comes to managing who has access to sensitive data. But the volume of transactions and global reach of today’s consumers and suppliers also makes it easy for cybercriminals to hide the evidence of their attacks. To create and continually update a cybersecurity system that is more sophisticated than the ones the hackers are using, management needs to fully understand the bank’s workflow through the back, middle and front offices.
While banking and capital markets will always be vulnerable to attacks, acquisitions can render them particularly vulnerable. The only way companies in these industries can identify threats before the damage exposed during an acquisition is too great is by applying data analytics that detect anomalies in the way employees, suppliers and customers behave.
Comments
Post a Comment