You need a cyber-governance framework for your organisation. As CFO, you should be able to participate in a robust discussion about cyber-security with your board, the wider organisation and outside stakeholders. Certain powers need to be delegated to Finance, which will have the skills to oversee audits, inventory, testing and compliance, and which in turn will lead to the assessment of cyber-insurance. In the event of an attack, the CFO and their team will be the first port of call in assessing the damage and leading on internal and external actions, while controlling communication with relevant stakeholders.
But it’s not only financial data under siege. Finance personnel will be targeted directly in attempts to steal and defraud. Therefore, as a key part of these discussions, CFOs must engage with IT to ensure that their own vulnerabilities are understood and addressed. While IT teams may be part of the solution, they are not the owners of it: it needs to be a cross-organisational activity, not a technical remedy. One might expect IT to be reasonably abreast of the threat landscape, but it is unreasonable to expect them to demonstrate an equal understanding of the risk as it pertains to each sector and each part of your business.
For your company at large, cyber-security will seem like an inherently daunting topic. CFOs don’t need to become technical experts, but they will serve their organisations by being aware of the range of threats and being able to deliver critical insights to relevant teams. It’s about thinking carefully about how information is tailored to specific departments, so that non-technical staff don’t feel unable to engage. Being able to share top-level insights with trusted stakeholders will also build trust in your own business, adding to stakeholder confidence and adding value across your company. Further to this point, investing in cyber-insurance may well be an avenue for exploration.
And the bottom line is, you need to create resilience. That means combining aspects of traditional disaster recovery planning with business continuity management. Reacting quickly can limit financial and reputational damage, so resilience is measured by your ability to resume normal business operations as fast as possible. And of course, it must also be delivered cost-effectively. There are four stages to establishing cyber-resilience: ‘manage and protect’, ‘identify and fix’, ‘respond and recover’, and finally ‘govern and assure’. You should implement all of these processes on a consistent and iterative basis, and all of them will feed into your cyber-governance framework.
You also ought to be reviewing your company’s compliance with legal and regulatory requirements, not least GDPR in the EU. This is really a meta-process that sits above what is already in place. Thought leadership content should be produced by your team, and you should be looking to engage with experts, like those at the ACCA, to better understand every element of the technical, communications, regulatory, legal and governance landscape. True cyber-resilience is about being prepared for any fallout from an attack.
For further details and a more in-depth exploration of these technologies, be sure to check out the ACCA website, which hosts a range of resources on the subject. As a CFO, it’s absolutely critical subject matter. Using this type of information, it’s your role to anticipate these technologies and build them into your overall cyber-governance framework as we move into the 2020s and beyond.