With cyber risks looming ever larger, CFOs must avoid “starving” information technology security budgets, the author of a recently released survey concerning cybersecurity and corporate governance warns.
“When you start looking at why [a] company had a weak security program, it usually comes down to allocation of resources,” says Jody Westby, the chief executive officer of Global Cyber Risk, a consulting firm. “The CFO should be very concerned, because often it’s the security programs that have been starved for cash.”
Nevertheless, complaints about malfunctioning computer security departments seldom rise to the level of the finance chief because IT safety employees often report to chief information officers, who in turn report to CFOs, according to Westby, who authored the report, which was sponsored by the Georgia Tech Information Security Center.
Problems with CIOs reporting to CFOs arise when cost-obsessed finance chiefs are prone to automatically nix every project. “Then the security program can be starved, and it increases risk to the company. But if you have a CFO who really tries to understand the cyber risk and tries to insure there is adequate funding — within reason — then that is a very good person [for the CIO] to report to,” she says. “So a lot depends on the mindset of the CFO.”
Finance chiefs, however, need to understand information security programs and the material and human resources they require and analyze that information as part of the company’s annual budget review “no matter what the chain or reporting is, according to Westby. “If a security team is starved for funding, that always comes back to the CFO.”
What’s more, finance chiefs are often doubly exposed in that they serve as corporate directors in addition to being company officers, she noted. And they very well may find themselves in the firing line of politicians probing the causes of a prominent cyber attack. Although he is still serving as Target’s CFO, John J. Mulligan was grilled at a U.S. Senate hearing last year on the company’s effort to prevent data breaches in the wake of the massive break-in of the retailer’s systems in late 2013.
The recent rise in legal risks related to cyber attacks has helped spur a surge in board involvement in managing the exposure, according to Westby. Indeed, her survey, which culled 121 responses from board members or senior executives at Forbes Global 2000 companies, revealed that nearly 63% of boards “are actively addressing and governing computer and information security,” according to the report.
In contrast, only 33% were doing so in 2012 and 39% were in 2010, according to previous surveys covering those years. (Forty-six percent of the respondents to the 2015 survey were CFOs, while 34% were were chief executive officers or presidents, and 12% were board chairs.)
Westby also found that boards were more actively engaging in such cyber-related functions as risk management and vendor management. (Click on graph below.)
The December 2013 Target breach focused attention on directors’ and officers’ responsibility for cybersecurity, Westby noted in her report. After the hack, the board fired the company’s chairman, CEO, and president, Gregg Steinhafel, and Institutional Shareholder Services, the prominent proxy advisory firm, called for the ouster of seven out of 10 Target board members for failing to act to protect the company’s data and its systems. (The board members were re-elected.)
In terms of new cyber legal liability, the Seventh Circuit Court of Appeals recently reinstated a class-action lawsuit related to a breach against Neiman Marcus. “[T]he Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objective reasonable likelihood’ that such an injury will occur,” according to Chief Judge John Wood.
The decision represented a switch from previous rulings on board responsibility for cyber preparedness, according to Westby. “The courts before have been really reluctant to allow these lawsuits going forward, saying ‘you haven’t suffered any damages, [so] we’re not allowing it to go forward,’ ” she said.
Now, the courts might rule that “every time you have a breach, you could now have a class-action lawsuit,” she added. “That can significantly impact litigation costs and [a company’s] brand.”