How CFOs can get on top of cyber risks

Cyber attacks are becoming ever more prevalent, sophisticated and damaging. But making investment decisions in a cash-constrained environment is tough. 

Balancing investment across risk reduction and value creation is key. With the cyber threat landscape evolving, the central challenge for you as a Chief Financial Officer (CFO) is how to respond and ensure external stakeholders (shareholders, auditors, insurers) are satisfied.

The resulting questions for you as a CFO include: 

1How do we prioritise cyber security investment considering the cost pressures we’re facing? 

As with any type of investment, cyber spend must be underpinned by a business case justifying the benefits of the expense. It can sometimes be difficult to build buy-in if there has not been a recent threat or attack. This underlines the importance of having a clear and agreed cyber risk appetite and articulation of the potential risks and the impact of an attack in business terms, which could be any combination of financial, operational, compliance-related or reputational damage. 

For example, what constitutes an ‘unacceptable”’ level of financial loss, relative to your annual revenue or EBIT? This will enable you to prioritise the investments required to reduce your cyber risks to acceptable levels. Understanding the typical levels of security investment required across similar organisations in your industry (for example, security spend as a percentage of revenue, or security spend as a percentage of total IT spend) can also provide a helpful reference point. 

2Have we clearly defined the role and remit of the CISO and is this right for the organisation?  

Hiring a good CISO with the right mandate and trusting them to get on and deliver is key to building cyber resilience. However, positioning the role of the CISO and cyber security function appropriately is not always straight forward and there is no single right answer. 

Should it report to the CFO, CIO, or other? Is the role accountable to the Board and audit and risk committee? Is the role to set policies and standards (for other functions to meet) and then provide governance and assurance, or is the role to actually deliver cyber security? Is it a head of IT security, or a fully-fledged role across all aspects of cyber and information security, including human risk factors (awareness and training) and data governance? 

All these models can work, and the right fit for your organisation depends on the nature of your business, your approach to enterprise risk management, your risk appetite, and the other structures you have in place. In any case, the roles and responsibilities for managing and delivering cyber security capabilities must be clearly defined and understood by all those involved.

3How do we ensure our governance and reporting keep pace with the increasing demands for cyber transparency, including external disclosures and information for insurers?

Working closely with auditors, regulators and investor relations, it’s important to have a clear story to tell about your cyber protection priorities, how you intend to achieve them and your organisation’s performance against its cyber goals. Being able to clearly articulate the risks and corresponding control effectiveness in tangible business terms will help build trust and confidence across your external stakeholders, as well ensuring that you are set up to keep pace with evolving regulations. Clearly aligning your risks and controls to an industry standard cyber security framework (such as NIST) can also help to build confidence that you’re covering the bases. You should back this up with independent assurance from both internal and external auditors.

4Do we have a clear position on whether we would pay a ransom in a ransomware scenario?

If the unthinkable happens and your critical data is held to ransom, you need to have a clear response plan that is well drilled, including clear steps for engaging external support and notifying the relevant regulatory bodies and law enforcement agencies. You should have a clear position on how you would handle such a situation, so that you do not waste time debating a course of action within your executive team. After an attack, the previous response plan should be revisited to reflect lessons on how to reduce the risk of, and enhance the response to, similar future occurrences.

How Berkeley can help

At Berkeley, we have experience of helping CFOs answer these questions through all stages of their cyber journey. We can help you to:

• Define your cyber strategy to set clear goals and ensure alignment with business strategy 
• Deliver your cyber transformation programme 
• Deliver cyber resilience capability uplifts in areas such as executive training, incident response preparation and business continuity planning
• Deliver specific projects in your cyber portfolio that you may be struggling with
• Rebuild and strengthen your cyber capabilities post cyber-attack
• Provide cyber assurance to meet a range of internal and external demands including Section 166 regulatory reviews 
• Engage your executive team, Board and operational stakeholders on how to manage cyber risks effectively and increase your cyber resilience.