16.5 crores. That was the average cost of a data breach in India in 2021. Cybersecurity might not sound very interesting, but it has become critical for large corporations and small startups alike. Technology is no longer just a supplement to a company's operations; it may well be the core product, which raises the stakes considerably, especially for highly innovative companies, which face costlier attacks. This is compounded by the fact that cyberattacks have become commonplace with the growth in mobile and internet usage, and that they are growing more sophisticated. Phishing emails that used to be easy to spot now look genuine and are reported to be six times more likely to be opened than ordinary consumer marketing emails.
C-suite executives, including CFOs, have treated cybersecurity and data privacy as a top priority for several years. Regulators are now adopting a similar approach, and several data protection laws around the world include cybersecurity risk management rules for public companies. In the US, the Securities and Exchange Commission (SEC) has proposed rules on cybersecurity strategy, governance and incident reporting for public companies. In India, cyber incidents are reported in accordance with the CERT-In Directions. Although these do not require companies to make incident reports available to the public or to the investors whose data is breached, this may change once India's data protection bill is passed. Global trends point to a heavier compliance burden on companies handling consumer data. CFOs have a growing role in cybersecurity and data privacy, and it has become crucial for them to be aware of, and ready for, the challenges ahead.
7 Cyber Security and Data Privacy Challenges for CFOs
The Chief Information Security Officer (CISO) and Chief Information Officer (CIO) are primarily responsible for developing and implementing an organisation's cybersecurity and data privacy measures, but the CFO's input ensures these capabilities align with the business strategy. The CFO's input is particularly valuable when an organisation is tackling the following challenges:
- Cost of cyber incidents and regulatory compliance
CFOs have to determine what a cyber incident would cost the organisation. As more countries pass data protection regulations such as the GDPR and the CCPA, the information security team also needs the CFO to find the most cost-effective way of complying with the web of data protection regulations around the world, and to balance those costs against the value the organisation derives from the data.
- Third-party risk management
The CFO's risk management expertise and control over the procurement function can help the information security and data privacy teams address third-party cybersecurity and data privacy risks. If a third party is hacked, the company's own valuable data is at risk. A 2013 study found that 63% of data breaches happened through third-party components. CFOs can therefore work to balance pricing priorities against risk management in sourcing decisions. Since third-party risk assessments are time-consuming, CFOs can rank vendors into risk tiers, with high-risk vendors undergoing a comprehensive risk assessment and low-risk vendors a lighter one.
- Board oversight
In recent years, boards have become more knowledgeable about cybersecurity risks and ask far more comprehensive questions about the organisation's cybersecurity and data privacy capabilities. Instead of focusing only on detection and prevention, boards are shifting their attention to the investments and mechanisms that will help the organisation respond to and recover from cyberattacks quickly and effectively. They want CFOs to take an active part in the "what happens when" conversation about cybersecurity, and since CFOs control the funding of such measures, this makes them the purveyors of cyber-risk data to the board.
- Ransomware
CFOs play an important role in dealing with the threat posed by ransomware. They have to analyse the risk and approve funding for the security consultants who help the organisation respond effectively to such attacks. They also have to weigh in on the pay-or-don't-pay decision, make sure the organisation is well equipped to deal with such threats, and test the cryptocurrency payment procedures that would be used if an attack occurs. The need for CFOs to stay on top of these issues is only compounded by the growing sophistication of cyber criminals. Anyone, even with poor coding skills, can now launch an attack using Ransomware-as-a-Service (RaaS) products: software built by experts that encrypts the victim's files and holds them hostage until the ransom demand is met.
- Cyber insurance
The number of companies buying cyber insurance has been rising for years, driven by the increased risk of data breaches and ransom demands running into millions. Even though premiums keep rising because of heightened threat perception and growing reported claims, companies across sectors continue to buy cyber insurance. At the same time, higher loss ratios have led insurers to impose exposure limits and restrict ransomware-related coverage. All of this makes the CFO's view on the cost, coverage and value of cyber insurance all the more important.
- Collaboration across functions
Collaboration between CFOs, CISOs and other data privacy leaders has been growing, though these functions still largely develop their strategies in isolation, which can cause them to deviate from the objectives of the business strategy and leaves room for closer collaboration. CFOs can encourage colleagues to connect their activities with the business strategy, and can even steer the ESG agenda so that investments are framed not only to meet compliance requirements but also to serve social responsibility, protect consumer data and use it transparently.
- Budgeting for security
Information security and data privacy can be a costly affair, and the budget tends to rise or fall with perceived threats and actual attacks. An effective CFO-CISO relationship can help an organisation evaluate industry benchmarks, assess its own resource allocation and quantify the impact of cyberattacks in monetary terms.
With cyber threats increasing, the cost of handling data breaches rising and more jurisdictions passing data protection laws, it has become imperative for CFOs to take an active part in their organisation's data protection and privacy programme. They should collaborate closely with data privacy leaders to create and execute effective, well-funded privacy programmes, and play an active role in building awareness within the organisation for better compliance. Organisations that already have an effective plan in place are far less likely to face difficulties down the line.