With corporate boards and management teams growing ever-more concerned and vigilant about cyber-security, CFOs can’t afford to sit on the sidelines. But what can they do, in practical terms? After all, even those with a fair degree of technological wherewithal are unlikely to understand deeply the technical issues involved in securing systems and databases.
But there is plenty that CFOs can do to create an environment in which cyber-security is correctly prioritized and aligned with business needs, says Valerie Rainey, CFO of INTTRA, which provides a technology platform that facilitates dealings among ocean shippers, freight forwarders and cargo owners (for example, Wal-Mart and Home Depot).
While many companies focus mainly on securing customers’ credit-card information, that is not a risk for INTTRA, as it doesn’t store such data. “What comes across our network is highly confidential data about global trade, so it’s a very high priority,” says Rainey.
Rainey chairs the Business & Industry Executive Committee of the American Institute of Certified Public Accountants, which advises the institute on global business issues and trends. “We’re talking about this topic a lot,” she says.
In a recent survey of 1,234 senior executives who hold the Chartered Global Management Accountant designation, offered jointly by AICPA and the Chartered Institute of Management Accountants, 55 percent of respondents described themselves as highly focused on “IT development and cyber-security.”
CFO Game Plan
CFOs should at least be conversant with cyber-security issues particular to their company, notes Rainey. “You need to understand where attacks are coming or could come from, how the attacks are coming in, and what kind of data hackers are going after,” she says, “as well what mitigations are in place to prevent attacks.”
That knowledge enables the finance chief to ask the necessary probing questions to determine how deeply IT has examined the company’s cyber risks. While the CFO doesn’t have to be a technical expert, he or she should be wary of generalized responses like, “Our firewall has proved very effective at thwarting attacks.” Instead the finance chief should demand detailed descriptions of the various security levels in a multi-level scheme.
IT leaders may not have the same appreciation for the company’s business risks that finance executives possess, according to Rainey. “You’ll want to focus on risks that have a high likelihood and a big potential impact on the business, whereas IT people will often say that every risk is important,” she says.
It is the CFO’s responsibility to keep cyber-security issues top of mind for the executive team, which is always dealing with other “fires of the day.” Says Rainey: “You have to make sure the company doesn’t lose sight of the fact that this very strategic enterprise risk needs to be addressed on an ongoing basis. It’s not like you can put a plan in place and you’re done. Hackers are becoming more sophisticated all the time.”
Rainey examines cyber risk every other month “to evaluate whether what we have in place is still sufficient, given the current landscape.” CFOs must understand that today no protection against cyber-attacks can be regarded as absolutely foolproof. “If you look at the high-profile companies that have had issues, like Target, you’d imagine they felt they had the right technologies and processes in place to mitigate the risks, but obviously they didn’t,” says Rainey.
That’s why CFOs should insist on having a monitoring system that can identify attacks as they’re happening, so that they’re addressed in real time as well. “You can’t be waiting three or four days to find out while your customers are calling to report fraudulent charges on their credit cards,” Rainey says.
It’s also important to have a plan in place for communicating with customers and other affected parties when a security breach does occur. Rainey advocates for transparency. Tell them what happened, what it means and how you’re mitigating the impact to them — and not just in terms of preventing it from happening again. For example, Target offered a year of free credit monitoring for customers whose personal information was compromised.
“How you respond is critically important to keeping customer relationships or at least starting to get them back to where they were,” says Rainey.