Why the CFO should care about cybersecurity

As the senior executive and virtually the top-level financial controller responsible for managing the business’s economic actions and financial risks, the CFO should care about any risk that may impact the organization’s financial position, including cyber risk. They should play a crucial role in supporting an adequate cyber budget that enables building cyber resilience across the organization. If done right, the management of cyber risk can also aid in the growth of an organization as well. There is a compelling need for CFOs to have a more active role in critical business decisions beyond financial performance disclosure and to play an active role in cyber risk management is growing.

The role of the CFO in cybersecurity

There is a difference between a CFO who loves transactions, modeling, and details, and one who focuses on driving strategy and the story behind the numbers. The modern-day CFO does not just add up the numbers. They are meant to support the CEO, even when most CEOs are often more eager to take risks or find new business opportunities. The CEO is usually the one driving change, and they will want the CFO to be in their camp. The CFO is the person overseeing mergers and acquisitions and has the inspiration and motivation to take a business to the next step. They serve on the board of directors and participate in decision-making as a member of the senior executive team. As well, most organizations rank CFOs second to the CEO in any public involvement. Your CFO is your communicator.

For organizations that do not have a Chief Risk Officer (CRO), the CFO is often the one to take on that role as well. The CFO can play the role of the CRO in tackling ERM and making decisions about risk treatment, transfer, and mitigations. Therefore, in a digitally connected world with increasing levels of inherent cyber risk, the CFO is integral to building business cyber resilience.

Integrating cyber risk into ERM is gaining traction among firms; businesses are using it to detect and manage cyber risk. ERM takes a holistic approach to risk management rather than a siloed one. It necessitates the integration of various processes to quantify an organization’s exposure to uncertainties that may interfere with the business’s goals and development capabilities.

These days, cybersecurity is typically in the top five risks for a corporation. A key aspect of the CFO role is to help manage that risk. Viewing cyber risk through the lens of ERM equips the CFO to position the company to manage the strategy and plan for cybersecurity. This is a practical way to align cyber risk with how the company perceives risk in general and provides a familiar environment for the CFO to get educated about the dialog on cybersecurity in a business context.

Cyberattacks present a serious economic concern for companies and business stakeholders. While awareness is increasing around the topic, there is a risk this perspective may be misinterpreted throughout an organization if a Chief Information Security Officer (CISO) and a CFO do not communicate and discuss cyber risk effectively with every member of the organization. The lack of communication about the organization’s cyber resilience means the business may not be prepared to face cyberattacks effectively and resulting financial losses might be substantial. Those economic losses ultimately need to be quantified to support an informed decision-making process between mitigation and transfer.

Despite not being cybersecurity experts, CFOs are not in a position today to ignore the topic or continue writing it off as an IT problem. The CFO has the expertise and supervision to look at the impact of an attack on the business’s financial position in a much broader and long-term manner, going beyond the immediate concerns of data loss and operational disruption to reputational and regulatory losses, as well as the impact on share prices. At the same time, if done well, having a strong cyber posture can also aid the organization in its rapid growth as well. A company that is cyber resilient will only serve to strengthen the business and give employees the peace of mind to flourish and perform to scale.

In the next section, we explore further how a CFO’s cybersecurity understanding can support cyber resilience.