Like their peers in the C-suite, CFOs have long regarded cybersecurity and data privacy as top strategic priorities. As regulators adopt a similar approach, it is imperative for CFOs to stay on top of this trend and be ready to act on it.
The Securities and Exchange Commission (SEC) has released proposed amendments to its rules on cyber risk management, strategy, governance, and incident reporting by public companies. According to the SEC, public companies, investors, and market participants face an increasing number of cyber threats and incidents. During the comment period that ended in early May, the commission received a number of comments indicating that some aspects of the proposal are uncertain and require clarification. Although the specifics and timing of the rule have not been decided, there is a good chance that reporting enhancements of some kind will be implemented. It is therefore imperative for companies to evaluate their policies, processes, procedures, and expertise regarding cybersecurity infrastructure, business continuity, and contingency and recovery planning.
Many of the SEC’s amendments, as currently proposed, involve tasks and knowledge that are firmly within the purview of the CFO, such as determining whether cybersecurity incidents reach a level of “materiality,” disclosing cyberattacks and related remediation efforts to investors and other stakeholders, and disclosing risk management policies, third-party risk management practices, and the board of directors’ oversight of cybersecurity risks. Furthermore, because the CEO and CFO of a firm generally sign SEC filings, these disclosures fall under the CFO’s purview as well.
An organization’s information security and data privacy programs are developed and implemented by the chief information security officer (CISO), chief information officer (CIO) and data privacy officer (DPO). While these efforts are a vital part of the strategy, the CFO has a growing influence on their value and alignment with business objectives. The CFO’s expertise and viewpoints can be particularly helpful with the following cybersecurity-related issues and challenges that organizations face:
- Ransomware: It poses a number of risks, and a CFO is essential to quantifying these risks, approving funding to eliminate them (for resources, security consultants, etc.), and answering the difficult question of whether to pay criminals to restore data and unlock company systems. During tabletop exercises, cybersecurity-savvy finance executives proactively raise difficult issues related to ransomware. To ensure that the organization is prepared for all options, they assess the risks and rewards of paying or not paying the ransom and develop and test crypto payment procedures well in advance of an attack.
- Cyber Insurance: In response to a surge of ransomware incidents and other cyber threats, cyber insurance premiums have risen and coverage limits have declined since 2019. A coverage limit that a carrier offered in 2021 might have been cut in half since then. Insurers are also intensifying their scrutiny of prospective policyholders’ security controls as part of their underwriting and renewal processes. Under these conditions, CFOs have an even more important role in determining the cost, coverage and value of cyber insurance policies.
- Board Governance: Cybersecurity risks have become increasingly familiar to boards in the last 24 months. As a result, many board members ask detailed questions about organizational cybersecurity and data privacy capabilities. Detection and prevention are no longer boards’ top priorities; resilience is. Directors want more information about the investments and mechanisms that help the organization respond to and recover from cybersecurity breaches in a timely and effective manner. CFOs need to participate actively in this “What do we do if it happens?” discussion. This insight, along with their role as data providers, bolsters CFOs’ involvement in board governance.
- Regulatory Compliance: As the SEC has demonstrated in its recent cybersecurity risk management proposal, regulators want to provide investors with timely information about cybersecurity breaches and the costs associated with those incidents. When the finalized rules are released later this year (many commenters requested clarity on this point), CFOs will have to develop thresholds for determining when a cyber incident requires material consideration. In the absence of a federal version of the General Data Protection Regulation (GDPR) in the U.S., states continue to enact state-level privacy laws like the California Consumer Privacy Act (CCPA). Managing compliance with this often-confusing “quilt” of privacy rules, while balancing those costs against the value derived from data the organization collects and uses, is difficult without the help of the CFO and finance function.
- Internal Collaboration: CFOs and CISOs have been working more closely together in recent years, which is positive. However, CISOs and privacy leaders often do not align their objectives with business strategy, since they discuss their respective strategies independently. When sharing information with the board, CFOs can encourage colleagues to clearly connect their activities to business objectives. Further, CFOs who own a part of the ESG agenda can assist data privacy leaders in organizing their activities and investments to address social responsibility as well as compliance. Furthermore, CFOs can help CISOs and data privacy leaders consider important governance issues related to protecting customer data, including digital ethics: Are we using and protecting customer data in ways that are transparent and in accordance with what our customers expect?
- Third-party Risk Management: Managing cybersecurity and data privacy risks from third parties (and, in the case of suppliers, second- and third-tier suppliers) can be a formidable and complicated challenge for information security and data privacy functions. Finance leaders can ensure that procurement teams balance pricing priorities with risk management diligence in their sourcing decisions. Since third-party risk assessments are time-consuming to conduct, a CFO can also help procurement teams rank vendors into different risk tiers: a high-risk vendor would undergo a more comprehensive risk assessment than a low-risk vendor.
- Budgets: After a breach or a near miss, budgets for information security and data privacy usually increase. When organizations avoid major incidents over time, their cybersecurity budgets tend to regress to the mean. CISOs contend that securing the funding necessary to maintain a robust defense is always difficult. To address this challenge, CFO-CISO relationships should produce useful spending benchmarks, evaluate the effectiveness of current investment allocations, and quantify cybersecurity risks in both business and dollar terms.
The increase in overall corporate spending over the past few years has left CISOs facing fewer budgeting challenges. This situation may change in 2023 because of macroeconomic pressures and other external volatility. As a result, the CFO, CISO, and privacy officer will need to work together even more effectively, even when no major security incident occurs.