The CFO’s understanding of cybersecurity

Shamane Tan, chief growth officer at Sekuro and founder of Cyber Risk Meetup, a global community for prolific cybersecurity conversations and exchanges, and co-author of this book, commented on a discussion with the CFOs that she was involved in: “Even amongst the CFOs, they recall that the conversation about cybersecurity only started to come up a decade ago when the insurers asked corporate CFOs what the company was doing about cybersecurity.”

When insurers began asking about cybersecurity over ten years ago, it was likely one of the first times CFOs would have heard about cybersecurity. It’s worth noting that these first conversations did not begin within an organization but were driven by those asking from outside the organization. Within an organization, it has not been a concern generally. Magda (co-author of this book) had a CFO mention to her that he trusted his security team and so wasn’t going to purchase cyber insurance.

With the increase in cyber risk and inevitability of cyberattacks, it is critical to understand that foolproof security does not exist. Within such a complex and interconnected environment, cybercriminals nowadays can find weaknesses within people, processes, and technology. A cyberattack can also happen through a supplier or vendor. It is just a matter of time.

A group of hackers known as “London Blue” targeted more than 50,000 finance executives, including 35,000 CFOs, with bogus requests to transfer money. The scams were estimated in an Agari report (https://www.agari.com/cyber-intelligence-research/whitepapers/london-blue-report.pdf) to have caused hundreds of thousands of dollars in damage. CFOs and the finance executives within an organization are not immune to being targeted and are not necessarily cyber-savvy to such scams. That must change.

In today’s world, insurers take cyber risks into consideration and provide cyber insurance to organizations as a risk transfer option. This requires risk profiling of a company. Cyber insurance helps CFOs to become cyber aware and requires a shift in their perception of cyber risk. This switch in mindset also correlates directly with both the frequency and the cost of cyberattacks. As a result, cybersecurity is now formed as part of the risk register.

Nevertheless, for CFOs, understanding cyber risks and cybersecurity as a whole can be a lengthy and frustrating process. Cybersecurity is complex, the solutions not always enough to mitigate risk, and confusing technical jargon are just a few of the reasons CFOs find it challenging. Your organization might have cybersecurity hardware and software to protect your business against cyberattacks. However, it only takes one weakness to incur financial losses.

People, processes, and technology are not immune to cyber threats. Specific to the finance team, phishing, social engineering, and Business Email Compromise (BEC) have been some of the most common cybercrimes. The FBI’s Internet Crime Complaint Center (ICCC) cybercrime report found BEC schemes to be the costliest of all cybercrimes, leading to losses of approximately $1.8 billion in 2020 alone.

A good example is an employee processing the payment of a fake vendor invoice, which can lead to the misdirection of tens of thousands or even hundreds of thousands of dollars. Those social engineering cyberattacks work by targeting humans and processes. This type of cybercrime has increased in recent years, and while some companies have addressed this cyber risk to prevent financial fraud/loss, others continue with their traditional approach and ignore critical cybersecurity pillars, people, and processes. “It can’t happen to us” remains the pervasive perspective.

Importantly, a CFO is not required to learn technical cybersecurity concepts. But they do need to consider cyber risks that might materialize from a weakness in people, processes, or technology. Understanding and communicating that foolproof security does not exist is among the first steps, along with increasing the budget to help address strategic initiatives. Further, it requires continuous support and the company’s readiness to respond when an attack happens.

It is also worth noting that when it comes to cyber insurance, not every single cyber event will be covered, which means that companies will not be able to transfer all of their risk through insurance. Take, for instance, a ransomware attack—insurance companies now deny insurance payouts for ransomware payments.

Yet ransomware attacks are only one cyber risk to a company. The following section outlines key aspects of cybersecurity that are helpful for CFOs to consider.