Security breaches at major organisations have become a regular occurrence, leading many to wonder whether lessons are being learned or applied. Improving cyber security is an opportunity for the chief financial officer to prove his or her worth.
Organisations are using more technology than ever; to quote Gartner’s now infamous 2013 phrase “Every company is a technology company.” Technology is now embedded in almost every interaction between a company and its customers, and internally between staff and partners. Yet as organisations have increased their reliance on technology, the need to protect themselves from cyber threats has never been greater.
There are many reasons why enterprises should significant consideration and effort into improving security: protecting corporate data assets, compliance to privacy regulations, preserving brand reputation and more. Unfortunately, many top level executives, including those across the C-suite, still fail to recognise just how much impact cyber security breaches have on the company’s financial standing.
This article will examine how data breaches can negatively affect an organisation’s finances, how the role of the chief financial officer (CFO) has evolved in the light of cyber security threats, why businesses should invest in cyber resilience – not just cyber security – and how the right approach to security can actually indirectly help the organisation to make more money.
The risks brought about by increasing cyber crime
In this day and age, cyber risk has become a very clear and present danger. The statistics showing just how costly cyber-attacks can be on an enterprise are staggering. According to the Ponemon Institute’s 2016 Cost of Data Breach Study, the average cost per stolen or lost record is US$158, and the average total cost of a data breach is US$4m – an increase of 29% since 2013. It is also reported that 48% of the breaches were caused by malicious or criminal attacks, which take the most time to detect and contain. The same study notes that a breach typically becomes more costly for businesses the longer they take to detect and contain it.
Yet more than detection, escalation, and breach notification costs, companies also pay a steep price for the long term debilitating brand damage that a data breach causes. For instance the attack suffered by US national retailer Target in December 2013, which exposed millions of customer records, affected consumer trust significantly with 13% of its customers choosing to take their business elsewhere.
The Ponemon report further reveals that the costs incurred by organisations for reputation damage after a data loss incident could amount to US$3.97 per customer and include “abnormal turnover of customers, increased customer acquisition activities, reputation losses, and diminished goodwill.” Conversely, while lost data can result in lost customers, companies that can reassure their customers that they take cyber security seriously are more likely to attract and retain their customers.
Security attacks on high profile organisations have become such a regular occurrence over recent years that many are wondering if companies are learning from these incidents at all. Take for example, the Yahoo data breach in September 2014, which affected 500m users.
While that’s big, the story doesn’t end there, as Yahoo disclosed later that same year that a 2013 data breach incident also took place with a whopping one billion user records compromised. The FriendFinder (2016), LinkedIn (2012), and Heartland Payment Systems (2008-09) data breaches don’t quite come close to the Yahoo attacks in scale but are still massive, and exposed 412m, 165m and 130m records respectively.
It’s not just the number of customer records compromised that is overwhelming. The financial damages in the aftermath of the cyber-attacks are big enough to bring businesses – even large enterprises – down. One of the most expensive breaches to date was that of email communications firm Epsilon, which suffered a database attack in 2011: clean-up reportedly cost the company about US$4bn. Similarly, data stolen from the US Veterans Affairs in 2006 cost the department up to US$500m, while a 2007 server attack on US supermarket chain Hannaford Brothers resulted in a loss of US$252m.
The CFO’s critical role in implementing cyber resiliency
Given the widespread financial impact that cybercrime can have on organisations, it’s clear that cyber security now also falls under the purview of the CFO. While the technical details of cyber security will continue to be the responsibility of IT leaders, the CFO plays a crucial role in promoting cyber security as they assess all risks and their financial implications on the business, and contribute to incident management and response planning.
The CFO’s understanding of all these would figure significantly into the company’s key financial decisions; in particular investments in cyber security and cyber resilience. It is therefore critical to the long-term success of all organisations to ensure the CFO is fully briefed on the implications of inadequate cyber security.
As cyber-attacks become more complex and find new ways to circumvent even the most advanced security solutions, implementing security structures that simply aim to control known risks is no longer adequate. Organisations must acknowledge that even the best defences cannot stop every single attack.
Cyber resiliency, which encompasses both cyber security and business resilience to not only to defend against attacks but also to ensure the organisation’s survival following a successful attack, is therefore the only way to recover faster from and limit the impact of an attack. Cyber resiliency factors in the many unknowns of cyber threat; anticipating more sophisticated malware, preparing for an immediate and comprehensive response to attacks; and implementing systems remediation in the aftermath of a breach to ensure the company’s continued operation and success.
By designing budgets that allocate sufficient resources for a cyber-resilient operation, the CFO plays a crucial role in ensuring that the organisation’s cyber security measures are protecting its company and therefore, indirectly, contributing to its financial gains for the long term.