From M&A to Regulation, Cyber Risk Is Changing the CFO’s Role
Over the past decade, the dramatic rise in frequency and severity of cyber breaches has altered the CFO’s role considerably. Since managing cybersecurity is no longer just an IT issue and encompasses the whole organization, CFOs are now firmly embedded as key stakeholders in their organizations’ cyber risk management. They are now called on to provide enhanced due diligence around cybersecurity in all aspects of the job — whether it’s mergers and acquisitions, accounting, tax, governance, or other issues.
Cyber-attacks, after all, have become too costly to ignore. The average loss for a breach affecting 10 million records is between $2.1 million and $5.2 million, according to Verizon’s 2015 Data Breach Investigations Report.
Acquisitions and Cyber Risk
The uncertainty around cyber risks in M&A transactions has changed the pace of integration for CFOs. Today, CFOs need to help mitigate the financial burden that a cyber event can bring not only to their own organizations but also to the newly acquired firm. If the new company has poor network security infrastructure, you may have to finance improvements to the acquisition’s IT infrastructure — from new network security protections to educating staff — in order to meet your firm’s standards for mitigating cyber risk, at a potentially high cost to your bottom line.
In acquiring a company, CFOs will need to inquire about the target’s cybersecurity protocols, asking such questions as:
- How robust and sophisticated are their cybersecurity processes?
- Have they been hacked? If so, are there lingering issues?
- What is the culture around cybersecurity?
- Do they have cyber insurance? If so, what does the policy include?
More Regulatory Oversight
Another area where CFOs have enhanced their cyber protocols is in preparing for potential regulatory inquiries. Regulators look for oversight at the board level — informed in part by the CFO — along with engagement throughout the enterprise.
CFOs can help their organizations prepare for regulatory inquiries by keeping the following in mind:
- Cyber risk management should be comprehensive, looking beyond prevention to assessment, management, and response. Regulators look at all aspects of a cyber event and how well a company responds.
- Cybersecurity is not only an internal issue. Vendors must be managed, as many cyber-attacks target resources that may be outside your company’s direct control.
- Cyber insurance should be part of the approach. Cyber insurance can allow some of the regulatory risk to be transferred off the balance sheet. And regulators are starting to see cyber insurance as an indicator of how well prepared an organization is.
With the changing dynamics of cyber threats, CFOs have had to adapt and prepare their organizations for impacts that can be felt across the entire enterprise.