Cyber month: CFOs should take the lead

Published on Oct 17th, 2023


Author: ICAEW Insights
Published: 17 Oct 2023

Cyber security is a major priority for most large organisations, but the best prepared have CFOs who take an active role in managing cyber risk.

Cyber security has been a hot topic for big business for at least the past five years. Major hacks at organisations such as Sony, Apple, Meta and Samsung, among others, have put the risks to major corporations in the headlines. It is very unusual to find a major corporation that has not invested heavily in cyber security measures. Employees are put through regular cyber security training, two-factor authentication and firewalls are commonplace and cyber risk as an issue sits with the board of directors in most cases.

But technology can only go so far. Phishing, malware and ransomware rank as the biggest cyber risks to business, according to research conducted by Deloitte. Although ‘human error’ appears a little further down the list, it is a factor in most phishing, malware and ransomware incidents.

“You can’t get all of your controls in place and make them work 100% of the time,” says Julia Seppä, a Strategic Client Programme Manager in Risk Advisory for Deloitte Finland. “If it’s a highly sophisticated actor that wants to get in, they will get in – no doubt. It’s all about how you manage the cyber incident, how quickly you detect that someone is in your network, and how quickly you can isolate the affected systems and devices.”

Phishing, malware and ransomware go hand in hand, Seppä explains. The challenge in that case is that certain systems might not be working anymore. Certain elements of the operation might need to be shut down, and it’s imperative that things can be brought back to normal quickly.

While complacency isn’t necessarily an issue in larger organisations, workload is, she says. When people are under a heavy workload, the importance of cyber might be put to one side and they may not be as vigilant. With the current prevalence and sophistication of attempted cyber attacks, it only takes one of many to get through for massive disruption to be caused.

ICAEW members are experts in finance, but as the world and business becomes more complicated, it’s important for accountants to have a wider understanding of what’s going on. They are generally clued up about the risks of cyber attacks, but even the best of us can fall foul of a phishing attack, says Seppä.

While it might not seem like a direct remit, the CFO and the finance function must play a significant role in managing cyber risk, she says. “If cyber risk is at the board and strategic level, then the CFO needs to understand how cyber risk is being managed. That means, in this case, how to prevent cyber attacks from happening. You have a limited budget, you have limited resources, and if a highly sophisticated actor wants to get access to your research and development, or just wants you to stop operating, they will get in. You need to know how you detect, respond, isolate and restore the system to minimise the risk.

“While it depends on the role and the responsibility, a lot of it comes down to the basics. Remember to pause and reflect if you’re sent a change of a supplier’s bank details or an unusual request for payment, especially if you’re responsible for approving payments.”

The CFO has a major role when it comes to managing cyber risk. That means helping to update or define the cyber strategy, or approving the cyber budget. The CFO is responsible for regulatory compliance and there are certain regulations connected with cyber security, depending on the industry sector. “If you want to be on top of your game, you need to understand different cyber security regulations, particularly around banking or insurance.”

CFOs involved in mergers and acquisitions should also consider cyber security as part of due diligence. A high risk of hacking or being targeted by cyber attackers can affect the valuation of a company. CFOs are also looking after the control environment, working with audit and risk committees in the organisation. “This means operational controls and financial controls, but also cyber security controls,” says Seppä. “So you want to make sure that those are in place as well.”

A close relationship with the Chief Information Security Officer is critical in big organisations, she adds. “The tone from the top really matters. The best CFOs I have worked with get actively involved with major cyber incident exercises. As someone who manages risk, the CFO should take the lead and be an example to the rest of the organisation, so that people across the board are prepared to respond and recover should an incident take place. That’s a critical role for the C-suite to play.”
For more on Cyber Security visit ICAEW Insights.