This article is brought to you by The Chartered Global Management Accountant® (CGMA) designation, which is designed specifically for finance professionals, helping them stand out as valuable business partners by developing core competencies through personalized learning.
By Sarah Ovaska-Few
Corporate board members can’t afford to ignore the dangers of cyber-attacks, with an infected file capable of quickly stripping a company of valuable information.
It’s not a matter of just slowing down operations; data theft could jeopardize pending mergers and acquisitions or create a public relations nightmare.
With money and reputation at stake, board members need to make cyber-security a company-wide priority if it isn’t already, said Kim Chatani, CPA, CGMA, a California-based Khronicle Partners Inc. advisory partner with two decades of experience in audit consulting and information technology.
“The board must own it, and they must set the tone,” said Chatani, who also serves on the board of two companies, including a bank.
It’s important to know about the risks to help properly steer the company in the right direction, he said.
“Don’t be afraid and shy away from learning about cyber-risks,” Chatani said. “The board is ultimately responsible at the end of the day.”
What’s at stake
Awareness of lurking hackers and other online dangers has increased tremendously in recent years, said Robyn Bew, director of strategic content development for the National Association of Corporate Directors (NACD), a US not-for-profit focused on boardroom issues.
In 2014, less than 40% of corporate directors reported that cyber-security risks were routinely covered in board meetings, according to the NACD’s Director’s Handbook on Cyber-Risk Oversight. That number jumped to 90% last year, Bew said.
“Cyber-security has really become part of the board’s regular agenda,” she said.
The jump in awareness is in no small part because of news coverage of major events, from customers’ data at companies such as US retailer Target being compromised to major geopolitical events such as the fallout from the WikiLeaks data trove. A teenage hacker exposed security weaknesses in 2015 at the UK’s TalkTalk internet service company, a cyber-attack that cost the company more than 100,000 customers and $73 million, according to The Guardian.
A breach can begin with an employee inadvertently downloading an infected file, or through a more targeted infiltration by capable hackers who can bypass basic security measures.
Cyber-security experts have seen an uptick in extortion-related events, Bew said, with hackers demanding money after stealing data from a company.
No businesses or industries are considered safe from attack.
“Cyber-security is a massive issue for all corporate entities, regardless of size,” said Nigel Davies, FCMA, CGMA, a Wales-based accountant who also serves on the board of a financial services company. “Attackers have little feelings from where they find their ill-gotten gains, they simply target the most vulnerable.”
Nearly half of all cyber-breaches stem from criminal or malicious attacks, with an average cost to victims of $4 million, according to an IBM study on data breaches.
No alarm bells generally sound when online thefts occur; an average of 146 days can pass before officials realize information was compromised, according to the NACD.
There are also considerable risks when third parties, such as law firms or consultants, hold sensitive information, as was the case when more than 11 million documents, known as the “Panama Papers”, were leaked to journalists after hackers stole the data from a Panamanian law firm specializing in off-shore business dealings.
Known events are only the tip of the iceberg when it comes to cyber-security, Bew said. Even more concerning are situations in which companies have been breached but don’t know it until they suddenly lose bids, or overseas competitors release products with striking similarities.
It can be impossible to determine what the losses are in those cases. “There’s all this stuff that’s under the water that we don’t see,” Bew said. “How do you calculate the value of lost intellectual property?”
With the widespread prevalence of cyber-theft in all types of industries, it’s extremely unlikely that a sizable company would have no ongoing issues.
“A red flag for directors would be if management is reporting that the company is not experiencing any cyber incidents,” Bew said. “No company is perfect at this.”
Confidence not widespread
While awareness of cyber-security issues is up, not all board members are confident in their abilities to address them. The NACD survey found that nearly 60% reported that they were challenged when it comes to overseeing cyber-security issues.
Board members of smaller companies have a steep learning curve as well, according to a PwC survey. While 63% of directors at large companies report being very comfortable in their company’s resistance to cyber-attacks, less than a third of directors at smaller companies had that same level of assurance.
Not making cyber-security a priority puts a company at unnecessary risk, said Anurag Chaturvedi, a senior director at the consulting firm Crowe Horwath International in the United Arab Emirates.
It’s important that boards lead the discussions on cyber-security to look at the overall health of the company and determine how much an attack could disrupt operations, he said.
“Boards need to understand risk exposure and their risk appetite while developing their cyber-security priorities and strategies,” said Chaturvedi, who specializes in information technology risk assessment.
He estimates that large companies in the UAE will spend 40% to 55% more this year compared with the previous year on cyber-security, a necessary uptick to meet rising threat levels.
What to do
Finance professionals, including those who head audit committees, can play key roles by pushing management to adopt policies that minimize the dangers of cyber-intrusion where possible, said Davies, the Wales-based accounting expert.
“These skills enable them to research, translate the sometimes complex IT issues, and balance the risks with the costs,” Davies said.
He also recommended seeking cyber-security insurance. The process involves going through a detailed risk assessment and will help board members as well as company executives assess areas of weakness and adopt best practices.
Companies should not wait until an attack occurs to formulate a response plan, said Chaturvedi.
He suggested companies go through an inventory where they assess the cyber-security risks of IT systems, data stores, vendors, and suppliers. Then, at the board’s urging, policies can be deployed to detect ongoing and future attacks.
“Attackers are constantly innovating, testing, and refining their tactics,” he said. “This is a battle where inattention and complacency can have devastating consequences for an organization.”
While many board members may not have the technical knowledge to completely immerse themselves in cyber issues, Chatani said those with keen business skills don’t need to. Rather, board members can concentrate on protecting the most valuable data, or “crown jewels” of the company, and authorize company officials to take steps to protect those data.
He also suggested developing sources on cyber-security outside the company that can offer insight into trends that in-house technology experts may not know about. It’s important, however, to not depend on a consultant to do all of the work, he said.
“You can outsource the work,” he said. “But you can’t outsource the responsibility.”