Why the CFO Is Just as Responsible for Cybersecurity as the CISO
A recent survey conducted by LTM Research targeting 2000 enterprise CISOs found that 59% of the respondents indicated that it is difficult to receive funding for security initiatives. And 70% of them are concerned about undetected breaches. So the CISO is charged with the task of protecting a company’s crown jewel assets from internal and external threats, but doesn’t have the resources needed to fully implement the solutions and team needed. That flips the ball back into the CFO’s court.
It’s no longer just an IT budget issue because millions are on the line when data is breached. Just ask Yahoo how much it costs. The price of its acquisition by Verizon dropped by $350 million due to significant data breaches. And that doesn’t include the class action lawsuits that are starting to pop up.
Even shareholders are suing Yahoo. Just look at the statement from the law firm of Kessler Topaz Meltzer & Check, LLP about a shareholder class action complaint. It alleges that “Yahoo and certain of its executive officers made a series of materially false and misleading statements and/or failed to disclose material adverse facts about the Company’s business, operations and prospects to investors during the Class Period. Specifically, the defendants are alleged to have made false and misleading statements and/or failed to disclose that: (i) Yahoo failed to encrypt its users’ personal information and/or failed to encrypt its users’ personal data with an up-to-date and secure encryption scheme; (ii) consequently, sensitive personal account information from more than 1 billion users was vulnerable to theft; (iii) a data breach resulting in the theft of personal user data would foreseeably cause a significant drop in user engagement with Yahoo’s websites and services; and (iv) as a result, Yahoo’s public statements were materially false and misleading at all relevant times.”
Along with these lawsuits and damage to the brand, CFOs also have to worry about the FTC. Since 2002, the FTC has brought almost 60 cases against companies that have engaged in unfair or deceptive practices that put consumers’ personal data at unreasonable risk. Wyndham Hotels & Resorts settled its case while Lifelock agreed to pay $100 million.
Morgan Stanley was fortunate. During an investigation, the FTC found that although the company improperly configured access controls, they did respond quickly after a hack was discovered and had adequate internal security policies in place. Morgan Stanley’s case involved an employee who stole the account information of 350,000 wealth management clients and tried to sell it online. The employee gained access because access controls on a few reports were not properly configured.
In addition, rules and regulations continue to be put in place that can have a significant impact on a company that fails to protect its data. The HITECH Act sets federal penalties on health care companies that leak data on 500 patients or more as high as $1.5 million per incident. The Financial Industry Regulatory Authority (FINRA) has fined financial organizations for failing to implement sufficient security policies to protect confidential customer information. And then there’s the General Data Protection Regulation (GDPR) which will set penalties for breaches of consumer data at €20 million or 4% of annual turnover, whichever is higher.
It is imperative for the CFO to know where their crown jewels assets are, what security steps have been put in place, and how someone may gain access to it. And the CFO has to disclose this information to the board while providing a comprehensive look at the potential financial impact a data breach can have on the enterprise. But we have barely scratched the surface as to why a CFO must also take a leading role in cybersecurity!