Quantifying cyber risks: what does a CFO say?

Mac’s Security

Organizations spend millions of dollars on network security but still fall victim to breaches. Today many organizations are breached through a vulnerability in application code, and so face cyber risks.

New attack methods, and new technologies for dealing with these vulnerabilities, appear all the time. To get the most out of security risk assessment, resources should be allocated so that the most effective tools and strategies protect the most vital information assets.

Understanding the risks and possible costs of a data breach is crucial. How would a company react if its confidential information reached the wrong audience? How much would it cost the business? Many people, however, assume that this will not happen to them, or that someone who receives sensitive data by mistake will be honest and delete it.

Things are rarely as people assume. The rising number of cybersecurity incidents is alarming and contradicts the hope that cybercriminals will not use the data they obtain. In this situation, the CFO’s role is crucial.

In this post, we’ll discuss the role of CFOs and their perspective on reducing cyber risks. Let’s read on and find out more.

Growing incidents of cybersecurity breaches:

In 2016, Protiviti conducted its Finance Priorities Survey of 650 US CFOs and found cybersecurity to be a significant emerging issue, along with earnings and margin performance. Similarly, an analysis of CFOs’ top concerns in 2016 also found the risk of data breaches and information security to be a significant cause of worry.

Research from the professional services company Accenture and the Ponemon Institute, which conducts independent research on data protection and emerging information technologies, reveals several hidden truths.

The Institute’s research reveals that Australian organizations experienced an 18% increase in the number of security breaches during 2018.

Australian businesses bumped up annual security spending by 26% to US$6.9 billion. Yet an average ransomware attack, in which the attacker holds a company’s data until a ransom is paid, typically costs US$89,000 to recover from.

Moreover, the cost of data breaches reaches US$2.1 trillion globally in the present year. According to Juniper Research, that is four times the estimated cost of breaches in 2015.

It is essential for CFOs and finance leaders to play a significant role in cybersecurity, as cyber risks increase with each passing day.

Role of CFOs

Cyber breaches cost money. However, a recent report reveals that CFOs are way down the executive pecking order when it comes to setting the direction of cyber strategy.

The Cyber and the CFO report, from the Association of Chartered Certified Accountants and Chartered Accountants Australia and New Zealand, finds that only 8% of CFOs are involved in cybersecurity strategy, despite cybersecurity being a significant business risk.

The CEO tops the list at 28% for setting cybersecurity strategy, followed by the chief information security officer at 18%, the IT manager at 13%, and the chief information officer at 11%.

The report is based on a survey of more than 1,500 members globally in the previous year. It also found that 10% of respondents did not know who was responsible for cybersecurity in their organization. More shocking still, most were not even sure whether their business had ever suffered a data breach.

CFOs need to understand that their organization is under significant threat at all times, so they must stay informed. This does not mean that CFOs should become tech experts, but they do need to show leadership on cybersecurity.

Steps for protection and reducing cyber risks

The CFO is responsible for the company’s security budget and plays a crucial role in developing measures to prevent data breaches. These measures ensure the security of financial information and assess the economic impact a violation could have across all data. Beyond these steps, everyone should be educated about internet safety. An internet safety guide is essential in today’s era: everyone should know the major internet concerns and the strategies to overcome them.

The following three steps are a useful starting point for protecting sensitive data and for guiding security teams while finalizing the right security investments.

The steps are discussed as follows:

1. Define the organization’s risk tolerance:

Start by determining the company’s risk tolerance. This exercise involves leaders up to the board level, and the answer varies significantly depending on whether you are risk-averse or a risk-taker.

Developing an understanding of tolerance levels for protecting the company’s assets takes us beyond a culture of fear into one that encourages and empowers participants to make strategic decisions.

2. Take a record of sensitive data and evaluate solutions based on security requirements:

A constant complication for the finance team is that current data-sharing practices make it hard to protect sensitive data such as financial statements and customer information.

It is essential to take an inventory of sensitive data within the organization and understand the various kinds of data risk the organization faces. By doing so, you can plan and prioritize protections accordingly.

Depending on what you want to protect, pick solutions that align with those specific security requirements. You must have basic protections such as endpoint security, firewalls, and network and perimeter security. Make sure to employ a data-centric approach, in which the data itself is protected by encryption and real-time access controls.

3. Organizational risk assessment:

Quantifying cyber risk involves two factors: the probability of an event happening and the potential cost if it does.

To evaluate probability, it is vital to partner with the IT organization to learn where the data resides, what the current security posture is, and how the data is being accessed. Understanding where and how you are vulnerable is essential, especially when the answer lies beyond your risk tolerance level.

Take note of your organization’s security policies and how consistently they are implemented and managed. If you are SOC 2 compliant, for example, your risk is reduced by the identified controls within the defined boundary of your system.

Additionally, take into account the practices and policies for data that leaves your repositories, such as information shared with banks, customers, investors, outside vendors, and other constituents. It is vital to know what data goes outside the organization and to assess what protection methods are applied to it.

For assessing cost, understand the nature of the information being held and the potential financial impact on your organization from contractual penalties, litigation, privacy regulation penalties, and reputational damage.
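As an added example (not from the original post), here is the two-factor quantification from step 3 carried across all three steps in Python: a constructed register of sensitive data assets (step 2) with the four cost components named above, the expected annual loss per asset, a residual-risk adjustment for a control such as the identified SOC 2 controls, and a check against the risk tolerance defined in step 1. All asset names, probabilities and dollar figures are constructed for illustration, not taken from any survey.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Exposure:
    """One class of sensitive data and the loss scenario attached to it."""
    asset: str
    annual_probability: float     # estimated chance of a breach within a year (0..1)
    contractual_penalties: float  # the four cost components the post names, in dollars
    litigation: float
    regulatory_penalties: float
    reputational_damage: float

    def potential_cost(self) -> float:
        """Cost if the breach happens: the sum of the four impact components."""
        return (self.contractual_penalties + self.litigation
                + self.regulatory_penalties + self.reputational_damage)

    def expected_annual_loss(self) -> float:
        """Probability of the event times the cost if it does happen."""
        return self.annual_probability * self.potential_cost()


def with_control(exposure: Exposure, probability_reduction: float) -> Exposure:
    """Residual exposure after a control cuts breach likelihood by a fraction (0..1)."""
    if not 0.0 <= probability_reduction <= 1.0:
        raise ValueError("probability_reduction must be between 0 and 1")
    return replace(exposure, annual_probability=exposure.annual_probability * (1.0 - probability_reduction))


def assess(register: list[Exposure], risk_tolerance: float) -> tuple[list[str], float, list[str]]:
    """Rank assets by expected annual loss, total it, and flag those above tolerance."""
    ranked = sorted(register, key=lambda e: e.expected_annual_loss(), reverse=True)
    total = sum(e.expected_annual_loss() for e in ranked)
    over = [e.asset for e in ranked if e.expected_annual_loss() > risk_tolerance]
    return [e.asset for e in ranked], total, over


# Constructed risk register: asset names and dollar figures are illustrative only.
REGISTER = [
    Exposure("customer PII", 0.20, 50_000, 150_000, 200_000, 100_000),
    Exposure("unreleased financial statements", 0.05, 0, 100_000, 300_000, 400_000),
    Exposure("vendor payment details", 0.30, 60_000, 20_000, 0, 20_000),
]
RISK_TOLERANCE = 50_000  # hypothetical ceiling on expected annual loss per asset (step 1)

if __name__ == "__main__":
    order, total, over = assess(REGISTER, RISK_TOLERANCE)
    print("priority order:", order)
    print("total expected annual loss: US$", round(total))
    print("above tolerance:", over)
    # Residual risk once a control halves the likelihood of a customer PII breach
    print("customer PII with control:", with_control(REGISTER[0], 0.5).expected_annual_loss())
```

The ranking gives the CFO an order in which to fund protections, and the residual-risk figure shows how much a given control buys back against the tolerance set by the board.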

Cybercrime is becoming a serious financial issue. CFOs and their teams are responsible for the integrity of an organization’s data. Now is the time for CFOs to play a leading role in their organization’s cybersecurity. Have a plan in place in advance, led by the CFO, to reduce cyber risk and its legal impacts.
