Communicating with the CFO about cyber risks
Shamane explains, “Language is important. Traditionally, the CFO has always been familiar with ROI. However, it can be a challenge for many to quantify the return on investment in cybersecurity.”
Often, cybersecurity is under the surface, not recognizable or acknowledged, but protecting the company from cyber threats. There could be all this activity going on, but the CFO may not see any positives from it, as they are not aware of how many incidents were avoided or how many near misses there were. The CFO sees it for what the tools cost the company, not what it has saved the company.
As many CFOs have shared with Shamane, “you can usually measure the cost to the organization after an attack, but if the company has not been compromised, how would one know what cost has been saved?”
So how do others in an organization assess cybersecurity threats and needs? Measurements such as lead and lag indicators can be helpful here. Lag indicators are after-the-fact measures: the financial fines and the cost of responding to an incident, both of which can be seen and for which quantifiable measures are readily available.
Lead indicators, on the other hand, involve the use of loss-curve projections or Factor Analysis of Information Risk (FAIR), which falls within the “traditional” risk calculation of likelihood and impact. FAIR is a known quantitative model for information security and operational risk. FAIR offers a paradigm for understanding, assessing, and measuring cyber and operational risks in financial terms.
The good news is innovative quantification methods are emerging. One way to quantify cyber risk—developing a cyber-specific loss curve—can help companies develop a meaningful capital risk framework for cyber and answer those difficult questions, including ROI. Additionally, scenario building can be used to understand the consequences of cyberattacks and ensure accurate modeling for cyber risk quantification.
Moving from qualitative to quantitative frameworks for cyber risk is a journey in itself. However, quantifying the risk provides the ground for a better discussion with your CFO. It takes practice and a different perspective, but it is considerably more successful in building comprehension and keeping your CFO’s attention on the topic.
Magda has long practiced cyber risk quantification and firmly believes it empowers security professionals to communicate efficiently with business stakeholders and align cybersecurity strategies with business goals. After all, assessment is only one element; the result must be presented to the CFO. When doing so, it is critical to avoid technical cybersecurity language, because a CFO without a cybersecurity background must still understand the cyber risks and be able to take part in the discussion. The facts must therefore be delivered in a language they can comprehend, so that they confidently understand the topic and especially the requests, if any. This is where cyber risk quantification is used: it aligns with the CFO’s language, which is financial losses.
Thus, when starting a discussion with your CFO, it is crucial to leverage familiar topics to find a middle ground. Cybersecurity is a complex topic for a CFO, just as financial planning is for cybersecurity professionals. The goal is for the CEO and CISO to consider the various factors behind the CFO’s recommendations together, in order to understand the actual financial implications of costs and losses if a security incident or data breach occurs.
Economic costs
Financial costs can be straightforward and immediate, such as penalties and fines. Then there are the notification costs, which can include the fees, charges, and expenses incurred to notify individuals, regulatory bodies, and other parties that must be informed of a breach. Further costs arise from activities such as replying to inquiries, handling other matters of clarification, and dealing with legal consequences.
Data breach costs might also include forensic investigations, with potential outcomes including an apology (possibly in the form of compensation), a change in procedures, improvement of security safeguards, and/or payment of compensation for loss or damage suffered. In Japan, for example, apology money is paid to affected individuals. All these factors directly and indirectly increase the company’s financial losses following a data breach and should be assessed as part of the total data breach cost.
In the case of a successful cyberattack in general, a business might suffer significant impacts, such as disruption to core systems, corruption of databases, business paralysis, and so on. Traditionally, security incident impacts are classified as financial, reputational, and legal. However, if these impacts are not quantified, the result is a lack of accurate cost visibility.
Additional economic costs include financial losses arising from direct and indirect costs and third-party costs. Besides the immediate disruption, employee overtime, communication costs, direct costs (recovery costs), and share value loss might also arise. There is also the potential loss of customers, loss of sales, and a reduction in profits in the medium timeframe. This might result in a drop in market share, valuation, or a delay in an initial public offering (IPO).
In the case of a successful cyberattack involving ransomware, the organization might face business interruption or operations paralysis, both of which have financial implications.
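The FAIR-style lead indicators and loss-curve projection described earlier, combined with the cost categories listed in this section (fines, notification, forensics, business interruption), can be turned into numbers a CFO recognises. The following added example is not from the book or from the FAIR standard itself; it is a simplified Monte Carlo model in which FAIR's full ontology is collapsed into a loss event frequency and a per-event loss magnitude built from those cost components. Every figure in the ransomware scenario is constructed for illustration only. The model produces an annualised loss expectancy (ALE), percentiles, and a loss exceedance curve, which is the "cyber-specific loss curve" the text refers to.

```python
"""FAIR-style Monte Carlo cyber risk quantification (added example, constructed figures)."""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Triangular:
    """Three-point estimate (minimum, most likely, maximum) used for every input."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode) in that order
        return rng.triangular(self.low, self.high, self.mode)

    @property
    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3.0


@dataclass(frozen=True)
class Scenario:
    name: str
    loss_event_frequency: Triangular          # loss events per year (FAIR "LEF")
    cost_components: Dict[str, Triangular]    # per-event loss magnitude by cost type

    def mean_magnitude(self) -> float:
        return sum(c.mean for c in self.cost_components.values())

    def analytic_ale(self) -> float:
        """Closed-form annualised loss expectancy: E[LEF] * E[magnitude]."""
        return self.loss_event_frequency.mean * self.mean_magnitude()


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year given a rate lam (Knuth's method)."""
    if lam <= 0:
        return 0
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(scenario: Scenario, trials: int = 20_000, seed: int = 7) -> List[float]:
    """Simulate `trials` independent years; each returns that year's total loss."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lef = scenario.loss_event_frequency.sample(rng)   # uncertainty in frequency
        year_loss = 0.0
        for _ in range(poisson(rng, lef)):
            # each event draws every cost component independently
            year_loss += sum(c.sample(rng) for c in scenario.cost_components.values())
        losses.append(year_loss)
    return losses


def annualised_loss_expectancy(losses: List[float]) -> float:
    return sum(losses) / len(losses)


def percentile(losses: List[float], p: float) -> float:
    ordered = sorted(losses)
    return ordered[int(round(p * (len(ordered) - 1)))]


def loss_exceedance_curve(losses: List[float], thresholds: List[float]) -> List[Tuple[float, float]]:
    """P(annual loss > threshold) for each threshold: the points of the loss curve."""
    n = len(losses)
    return [(t, sum(1 for x in losses if x > t) / n) for t in thresholds]


# Constructed scenario: one ransomware outage per ~2.5 years, costs in the
# categories the text lists. These are illustrative numbers, not real data.
RANSOMWARE_SCENARIO = Scenario(
    name="Ransomware outage of core systems",
    loss_event_frequency=Triangular(0.1, 0.3, 0.8),
    cost_components={
        "regulatory fines":      Triangular(50_000, 150_000, 600_000),
        "notification":          Triangular(20_000, 60_000, 200_000),
        "forensics and legal":   Triangular(30_000, 80_000, 250_000),
        "business interruption": Triangular(100_000, 400_000, 2_000_000),
    },
)


def cfo_summary(scenario: Scenario) -> Dict[str, float]:
    """The three figures worth putting in front of a CFO for this scenario."""
    losses = simulate_annual_losses(scenario)
    return {
        "annualised_loss_expectancy": annualised_loss_expectancy(losses),
        "p90_annual_loss": percentile(losses, 0.90),
        "p_exceed_1m": loss_exceedance_curve(losses, [1_000_000])[0][1],
    }


if __name__ == "__main__":
    for key, value in cfo_summary(RANSOMWARE_SCENARIO).items():
        print(f"{key}: {value:,.2f}")
```

The ALE is the figure that maps most directly onto ROI: a control whose annual cost is below the ALE reduction it buys is defensible in the CFO's own terms. The exceedance curve answers the harder question of how bad a single year can get, which is what a capital risk framework needs.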
One of the goals of communicating with the CFO and appealing to them in language that they understand—financial losses—also serves to redirect the mindset they have when it comes to cybersecurity and resilience.
Mindset
There has been an intentional shift in recent years to focus the needs of cybersecurity on the return of value (ROV) or return on objective (ROO). Think about it from the perspective of a nation’s defense strategy. Billions are pumped into military strategies and advanced artillery warfare equipment in a bid to be prepared to fight a war and save as many lives as possible if it ever comes to it. We never hope for war, but we still prepare for it.
This section discusses a new perspective and an innovative approach: integrating the assessment of cyber risk into the financial function. Traditional cybersecurity frameworks did not empower security professionals to lead business discussions and made it hard for business stakeholders to recognize the value and necessity of cybersecurity. Quantifying plausible financial losses and discussing them in terms of cyber risk scenarios are key factors in facilitating collaboration between security, finance, and ERM. Fortunately, there are questions designed to draw out your CFO’s views and understanding of cyber risk, and also to challenge them on ways they should take a more active role in advocating for cybersecurity.