In our extensive work transforming and supporting the Office of the CFO at CrossCountry Consulting, we sometimes ask a chief financial officer (CFO) or their direct team questions about cyber: ‘Hey, how are you thinking about cybersecurity?’ ‘What’s your formal role in cybersecurity at your company?’ ‘Do you have a sense of how the company is addressing cyber risks, allocating cyber spend, and managing cyber-related external relationships (e.g., with regulators)?’
Sometimes, the Office of the CFO (OCFO) team impressively summarizes the company’s cyber posture or talks about frequent OCFO-CISO collaboration. But usually, the response is vague – suggesting that many OCFO teams remain far removed from the company’s cybersecurity agenda and cyber leaders.
While this distance between the OCFO and the CISO (or another responsible cyber leader) is unsurprising, we believe it must be closed quickly. But why does cybersecurity matter to the CFO agenda? Here are five central reasons:
1. Cyber is a Corporate Leadership Competency
Cyber is now a C-level management concern. Cyber risk management, program effectiveness and regulatory compliance are getting more attention in executive and Board meetings. As senior corporate leaders, CFOs are now regularly exposed to cyber – and increasingly expected to interpret cyber information and provide a point of view on cyber decisions.
This, in turn, requires a solid working knowledge of cybersecurity. Think conversational rather than fluent: enough to demonstrate basic comprehension, ask probing questions of the company’s cyber experts, communicate high-level cyber messages and understand the corporation-wide implications of cyber-related decisions. CFOs need not be expert practitioners, but having a working knowledge of cyber is quickly becoming the norm.
2. Cyber-Attack Costs Are Massive – and Material
The average cost of a cyber breach is now multiple millions of dollars – and for large enterprise corporations, the all-in cost of a cyber-attack can run into the tens or even hundreds of millions of dollars. As the financial stewards of the corporation, CFOs need to appreciate the total cost of cyber-attacks: lost revenue if systems, processes and technologies are taken offline; lost customers if data breaches become public and trust erodes; fines issued by regulators; payments due to investigators and insurers; and longer-term costs like paying for customer identity monitoring or class action lawsuits.
OCFO teams should be working with the CISO, chief risk officer and others to quantify and model potential losses due to cyber-attacks and understand the potential implications for the company’s top and bottom lines.
3. Cyber Spending Must Be Managed and Measured
On the flip side, CFOs should also dig into cybersecurity budgeting and spending. CISOs – usually appropriately – are asking for ever-larger cyber budgets to keep pace with more voluminous and sophisticated threats. But CFOs should be asking thoughtful questions that help the CISO team articulate return on cyber investment, measure the effectiveness of cyber spending and report on year-over-year security posture improvements that are traceable to specific budget line items. Part of this is digging into the benefits and costs of in-house versus outsourced (managed security services or other third-party) cybersecurity – the right balance will vary from company to company.
Finally, CFOs should be helping to ensure that cybersecurity is part of budgeting for any major technology-centric or technology-enabled project at the company: it is far more cost-effective to ‘bake in’ security to these technology transformations versus ‘bolting it on’ later.
4. Cyber Regulators Keep Coming
CFOs are often responsible for, or deeply involved in, key regulatory reporting – especially with agencies like the U.S. Securities and Exchange Commission (SEC). Now, as those agencies look to set strict cybersecurity disclosure rules, the OCFO interaction with regulators is likely to include cyber. While CFOs aren’t likely to be the accountable internal leaders for ensuring cyber regulatory compliance, they could be signing off on disclosure forms and other reports that provide an official company position on cybersecurity posture.
Not to mention that cyber incidents, if a company experiences one – and even overall cybersecurity strategy – are becoming topics of interest on earnings calls and can be highly consequential to investors. CFOs must always be ready to address cybersecurity questions from regulators, investors, customers and the general public.
5. CFOs Oversee Lucrative Crown Jewels
Perhaps the most important point is also the most forgotten: the OCFO possesses some of the most valuable data inside a corporation. Budgets and investment plans, M&A analyses, long-range strategies, and pre-public financial results are vital company data – ‘crown jewels’ – that are attractive targets for cyber threats.
Similarly, CFO teams often operate or oversee critical finance-related systems and processes, from accounting to payment processing. The technologies enabling these functions are increasingly outsourced and cloud-based, creating new cyber risks. Ensuring these systems and the underlying technology are cyber-secure is critical for the corporation. Losing, even temporarily, integrity over accounting data or the ability to process vendor payments can have significant negative financial outcomes.
Against this backdrop, there is a growing imperative for CFOs and OCFO teams to increase their cyber acumen, dig deeper into the cyber posture of the corporation, and fundamentally close the distance between the OCFO and CISO teams. This isn’t about putting more work on the CFO’s plate – cyber is not a core competency for finance. It is, though, about ensuring the CFO is conversant in cyber and that the critical business assets the OCFO holds are as cyber-secure as the rest of the corporation.