Along with their peers in the C-suite, CFOs have treated cybersecurity and data privacy as top strategic priorities for several years. Increasingly, regulators are embracing a similar approach and CFOs need to take note and be ready.
Earlier this year, the U.S. Securities and Exchange Commission (SEC) proposed amendments to its rules on cybersecurity risk management, strategy, governance and incident reporting by public companies subject to the reporting requirements of the Securities Exchange Act of 1934. The SEC’s view is that cybersecurity threats and incidents pose an increasing, ongoing threat to public companies, investors and market participants. As evidenced by the feedback received by the commission during the comment period that ended in early May, some aspects of the proposal are not without controversy and require additional clarity for preparers. While the specifics and timing of the actual rule have yet to be finalized, it is a smart bet that reporting enhancements of some kind are forthcoming. Therefore, it behooves companies to evaluate their cybersecurity infrastructure policies, processes and procedures as well as the expertise and business continuity, contingency and recovery plans they have in place.
Many of the SEC’s amendments, as currently proposed, involve activities and expertise that fall squarely within the CFO’s wheelhouse, including determinations of whether cybersecurity incidents rise to a level of “materiality;” reporting of cyberattacks and related remediation efforts to investors and other stakeholders; and disclosures concerning risk management policies, third-party risk management procedures, the board of directors’ oversight of cybersecurity risks, and management’s role in assessing and managing these risks. Furthermore, given that SEC filings are typically signed by a company’s CEO and CFO, these disclosures fall under the CFO’s pen, in addition to the CFO’s wheelhouse.
The chief information security officer (CISO), chief information officer (CIO) and data privacy officer are responsible for developing and executing the organization’s information security and data privacy programs. Yet the CFO’s input and involvement have a growing influence on the value these efforts contribute and on ensuring that these capabilities align with the business strategy. The CFO’s expertise and viewpoints are especially needed and valuable as organizations address the following cybersecurity-related issues and challenges:
- Ransomware: CFOs play a pivotal role in quantifying the risks associated with ransomware, approving funding—for resources, security consultants, etc.—that enables organizations to respond to these attacks quickly and cost-effectively, and helping answer the thorny question of whether to pay criminals to unlock company systems and/or restore data. Cyber-savvy finance executives proactively raise and address difficult ransomware issues during tabletop exercises. They evaluate the risks and rewards of the pay-or-don’t-pay question, establish decision-making criteria, and, to ensure the organization is prepared for all options, develop and test crypto payment procedures well before a ransom attack occurs.
- Cyber insurance: Cyber insurance premiums continue to rise while coverage limits decrease in a market that has been hardening since 2019 in response to a surge of ransomware incidents and other cyber threats. A carrier that offered $10 million for a specific coverage limit in 2021 may have since cut that limit in half. Underwriting and renewal processes also have grown more involved and burdensome as insurers intensify their scrutiny of a prospective policyholder’s security controls. These conditions make the CFO’s input on the cost, coverage and value of cyber insurance policies even more important.
- Board governance: Boards have become significantly more knowledgeable regarding cybersecurity risks, particularly over the past 24 months. As a result, many board members ask more detailed questions about organizational cybersecurity and data privacy capabilities. We’ve observed more boards shift their focus from detection and prevention to resilience. Directors want more detailed information concerning the investments and mechanisms that help the organization respond to, and recover from, cybersecurity breaches quickly and effectively. CFOs should be active contributors to this “what do we do when it happens” conversation in the boardroom. This insight, in addition to the CFO’s increasing role as the purveyor of data to boards, cements the CFO’s impact on board governance.
- Regulatory compliance: The SEC’s recent cybersecurity risk management proposal shows that regulators want investors to have timely access to more information concerning cybersecurity breaches and the cost of those incidents. Once these rules are finalized later this year (and this is an area in which many commenters requested clarity), CFOs likely will need to develop thresholds for determining when a cyber incident should be considered material. On the data privacy front, more states continue to enact regulations similar to the California Consumer Privacy Act (CCPA) in the absence of a U.S. federal version of the EU’s General Data Protection Regulation (GDPR). Information security teams need help from their CFOs and finance functions to define the most cost-efficient approach to complying with this often-confusing “quilt” of privacy rules while balancing those costs against the value derived from data the organization collects and uses.
- Internal collaboration: In recent years, CFOs’ relationships with CISOs and data privacy leaders generally have grown much more collaborative, which is good news. That said, CISOs and privacy leaders still tend to discuss their respective strategies in isolation—without aligning their objectives with business strategy. CFOs can help their colleagues by encouraging them to clearly connect their activities to business objectives, especially when sharing information with the board. In addition, CFOs that own part of the ESG agenda can help data privacy leaders frame their activities and investments in ways that extend beyond compliance to address, for example, social responsibility. Finally, protecting customer data raises important governance questions, including those related to digital ethics, that CFOs can help CISOs and data privacy leaders consider: Are we using and protecting customer data in ways that are transparent and in harmony with what our customers expect of us?
- Third-party risk management: The CFO’s risk management expertise and—in most cases—ownership of the procurement function can help information security and data privacy functions address the formidable and complicated challenge of managing third-party (and, in the case of suppliers, second- and third-tier suppliers) cybersecurity and data privacy risks. Specifically, finance leaders can ensure procurement teams balance pricing priorities and risk management diligence in their sourcing decisions. Given that third-party risk assessments can be time-consuming to perform, CFOs also can help procurement teams rank vendors according to different risk tiers: Vendors in a high-risk category would undergo more comprehensive risk assessments compared to third parties in a low-risk tier.
- Budgets: Information security and data privacy budgets tend to swell following a breach or a near miss. Conversely, when organizations steer clear of major incidents over time, cybersecurity budgets tend to regress to the mean. That said, many CISOs would assert that it’s always difficult to get the funding they need to sustain stout defenses. Effective CFO-CISO relationships address this challenge by producing useful industry spending benchmarks, evaluating the efficacy of current investment allocations, and quantifying cybersecurity risks in both business and dollar terms.
Over the past few years, many CISOs were happy to encounter less difficulty having their budgeting requests fulfilled as overall corporate spending increased. That may change in 2023, as macroeconomic pressures and other external volatility may spur more organizations to tighten their belts. If and when that occurs, the CFO, CISO and data privacy officer will need to collaborate even more effectively to ensure that data security and privacy priorities are funded and executed, even in the fortunate absence of a major security breach.
This article originally appeared on Forbes CFO Network.