For many finance executives, information technology has often felt like another world. To some, the best IT-related role for CFOs over the last decade has entailed managing the nexus between IT costs and benefits, as new — and sometimes costly — systems came to market. Do the advantages of a new ERP system justify the cost? If not, what are the risks of not acting to update existing systems or of taking an alternative approach, relative to compliance, competition and other issues?
But the cybersecurity challenges we face now are changing the CFO-IT dynamic, and probably for the better. For example, such challenges make it imperative that finance and IT talk to one another, and not just about financing a mega-IT project, but also considering a much broader goal: protecting the organization’s business model, operations, employees and other stakeholders, as well as its brand and reputation.
One path CFOs can take is to frame the conversation with the CIO around how IT creates value in key business processes. A process-oriented assessment framework can allow CFOs to cut straight to their core mission with regard to technology: how to assess the value and vulnerabilities that IT brings to a specific business process.
Although cybersecurity is still evolving, I believe CFOs will play larger roles and have greater responsibility over this relatively new business mandate. Cybersecurity is becoming less an IT-only issue and more a strategic risk management concern. That means CFOs need to become closely connected to how the enterprise can and will respond to such an attack to prevent it from becoming worse, which includes pre-attack planning so that the response in the event of an attack is consistent, meaningful and well-organized.
When viewed as a fundamental risk challenge to an organization, cyber risk has much in common with such issues as catastrophic weather events and terrorist attacks. They all share the potential of causing significant financial harm and therefore require the CFO’s attention and active involvement.
The current state of cyber attacks could become even more challenging in the decade ahead, including longer-term impacts not previously experienced. In a new report, “The Value Killers Revisited: A risk management study,” my colleagues look at the main drivers of severe stock-price declines at the 1,000 largest global, publicly traded companies between 2003 and 2012. They define a value-killer as a share-price decline of more than 20 percent in a one-month period relative to the MSCI Global 1000 index in the same period.
The top value-killer events of the last decade are probably not surprising. They include high-impact, low-frequency events like the credit crisis and the euro crisis, liquidity events and unsuccessful mergers and acquisitions.
The report also notes that “cyber attacks will emerge as potential value killers in the coming years as our dependence on a networked communications infrastructure grows.”
As boards of directors, and particularly their audit and risk committees, update and expand their oversight of cyber-risk preparedness and planning, CFOs will have new opportunities to lead in certain areas of cybersecurity. The finance chief can be an important ally to the audit committee, for example, as it assesses resources and funding as cybersecurity initiatives develop.
A main function of such exercises involves identifying core assets that need the highest order of protection for business continuity, and here again, the CFO should be on the team that identifies such assets across the enterprise. Remediation planning is a critical component to include in a business continuity plan, and here too CFOs should contribute to discussions with other senior executives and the board.
There are other ways CFOs will need to be more involved in managing cyber-risk issues, particularly in the planning stages. My colleague Mary Galligan, former special agent in charge of cyber and special operations in the FBI’s New York office, often talks about the importance of developing and testing a cyber-incident response plan so that organizations have a carefully thought-out course of action to follow in the event an attack occurs. Such a plan should include in its initial phases a coordination component involving the general counsel, communications officers and IT leadership, so that communications are delivered in one voice and issues are mitigated as quickly as possible.
As a representative to many outside interests, including regulators, investors and others, the CFO should be involved with creating, updating and implementing the cyber-incident response plan. Another step CFOs can take is to participate in war-gaming exercises, which have helped many companies identify and address gaps in their planning and execution of cyber-incident response initiatives.
As heads of finance and wearing all four faces of our CFO role — steward, operator, catalyst and strategist — we do and should continue to play a vital role in defending our organizations and stakeholders. That doesn’t mean CFOs have to lead cybersecurity programs, but they should do all they can to help put in place plans that have been tested and are updated on an ongoing basis.
It’s also important that CFOs not get caught up in the day-to-day of data security. Rather, they should step back and think about the broader issues and implications. For example, they should be asking whether they have the appropriate insurance for their business today, given cybersecurity risks. They should consider what new insurance products are available and ask how they could improve their data-security insurance program.
In addition, CFOs should make clear to others in their organizations that data security is crucial and that there may be consequences for violating data security policies.
Do CFOs need yet one more task added to their already-expanding responsibilities? The simple answer is no. Yet, our business world is too interconnected for any of us to ignore the growing threat of cyberattacks and our duty to protect against them.
Frank Friedman is the CFO and U.S. managing partner of finance and administration for Deloitte LLP. Friedman oversees more than 4,000 finance and administration professionals in the United States and India, and also manages Deloitte’s real estate, procurement and administrative-support functions. He can be reached at frankfriedman@DELOITTE.com.