Cyber security is not just a risk arising from the use of technology; it is also about understanding the role profiles and accountability of senior leaders, and understanding who is responsible for preparation, prediction, process and rectification when things go wrong.
It is no longer an issue of just protecting assets, updating software and ensuring that you have up-to-date virus protection installed. It is increasingly a business issue, which can rapidly result in significant reputational damage and financial loss, and can potentially shut down the organisation completely if you are not prepared for the catastrophic eventuality of a successful cyber-attack.
How has the industry been impacted?
Indian industry has witnessed really massive attacks in the recent past. The cyber-attack on a Pune-based bank involving data of 3.2 million debit cards cost almost Rs 100 crore. One of the important terminals at JNPT port remained shut for a long time due to the Petya ransomware attack on the global IT systems of shipping firm AP Moller-Maersk.
These are just a few instances that resulted in massive direct and indirect damage to the business and reputation of these companies and eventually to their customers. The kind of financial gain that is possible from cyber crime makes it more lucrative than the total estimated global trade in all major illegal drugs combined.
For businesses, cyber-crime represents a significant and potentially costly threat. Cyber crime affects companies through monetary loss, lost production, destruction and theft of personal and financial data and reputational damage. The cost of recovery after an attack is a separate matter altogether.
Getting it wrong can be catastrophic not only for a business, but for its leadership too. Many leaders have paid the price with their positions because of such severe data breaches. Unlike other risks, cyber security risk is very dynamic, as new challenges surface every day. And unfortunately, for many cyber threats there is no remedy available instantly.
Being alert to digital change is challenging even for cyber security professionals due to the speed of the changes. There are, however, some aspects about which it is important that top leadership remains vigilant.
Why do leaders need to be worried?
Many leaders believe that they are on top of the cyber security agenda. Most of them, however, need to be much more proactive than just being aware. Their focus should be on ensuring that process, people and technology work harmoniously to mitigate threats posed by cyber-attacks.
Most importantly, these principles should be embedded into every activity of the business. True cyber security goes beyond just securing business systems and data. A few years ago, information security risk was considered a part of IT risk. That led to the rise of the technical role of a Chief Information Security Officer (CISO).
However, with increased threats, a CISO’s job has become more complex. An essential skill now required of any security leader is the ability to break down silos and work with board members and management to unpack the risk to their function or business unit. Regulation surrounding cyber security has been tightened in recent times.
Leadership success then lies in making sure that the issue of cyber security has the right profile within an organisation. In sectors such as BFSI, consumer data flows between retailers, payment networks and banks. If almost all links are secure, but one link is not, then all players in the chain are at risk from breaches. The potential damages may well have a domino effect.
CFO’s role in cyber security
These new dimensions have made the Chief Financial Officer (CFO) an important player for cyber security. The major reason for this shift is that while boards now view cyber security as a significant business risk, there is a danger in this perception being interpreted differently across the organisation.
If IT, operations, risk and finance view cyber security only through their own professional lenses, then the most significant threats may not be identified and thus may end up not getting addressed.
Irrespective of the nature and target of the attack, eventually the damage is measured in financial terms. CFOs, in such circumstances, cannot ignore cyber security. It is also a fact that organisations can quantify and manage the risk of a cyber-attack, even though the CFO may not personally be responsible.
The CFO has the necessary skills and the oversight to be able to envisage or predict a much broader and longer-term view of the financial impact of an attack. And these could be immediate issues of data loss and operational disturbance or reputational and regulatory losses and the effect on shareholder value.
As the cost of defending the organisation against cyber-attacks mounts, it is only by quantifying both the cyber risk and the organisation’s risk appetite that resources can be planned and utilised effectively.
A CFO is one of the natural custodians of data in an organisation and is therefore becoming more and more responsible for assessing its value and managing its entire lifecycle.
Finance is not only the focal point through which data is being shared within the organisation and reported on; it is also responsible for some of the most sensitive and valuable data the organisation possesses.
The CFO, therefore, has the responsibility to ensure compliance with data laws, be it domestic law or global laws such as the European Union’s General Data Protection Regulation.
The CFO must therefore participate fully in a robust discussion about cyber security with the board, the wider organisation and outside stakeholders, and position it as a business and commercial risk to be mitigated by various control measures.
Finance has to oversee audit, inventory, testing and compliance, and will take the lead in the assessment and underwriting of cyber insurance. The CFO and the finance department are highly organised and experienced in explaining the business logic behind the financial restrictions and controls they implement. Therefore, CFOs need to use their existing role in the organisation to promote cybersecurity.
Conclusion
Cyber security is not an issue for any one team. Finance, led by the CFO, has a vital role to play in ensuring that there is appropriate risk assessment and budget allocation for cyber protection. They also have a responsibility towards building enough resources for recovery and resilience which can be used effectively when the inevitable attack occurs – to minimise and manage the damage.
As the nature of this risk continues to evolve so rapidly and dynamically, it is essential that CFOs take the smarter, more economical yet responsible approach of focusing on critical protections that integrate and safeguard against cyber risk.
Bharat Panchal drives compliance and risk strategies as the Chief Risk Officer – India, Middle-East & Africa at FIS Global (Fidelity National Information Services), a financial services technology and outsourcing provider firm headquartered in Florida, US. Panchal served as SVP & Head - Risk and Compliance for eight years at NPCI in his previous role.