There are signs, however, that many CFOs and their finance teams see cybersecurity as somebody else’s problem. Recent global research among more than 1,500 members of ACCA and CA ANZ found low levels of cyber risk awareness. ‘CFOs often regard cyber risk as a technology issue, not a governance or business issue,’ says Magarey. The research, Cyber and the CFO (link at the end of the article), a joint report with Optus Macquarie University Cyber Security Hub and Singtel Optus, indicated that cyber threats did not register prominently, except perhaps where privacy was more front of mind as a result of recent legislation.
You are not alone
Responsibility for managing and mitigating cyber risk does not rest solely on the CFO’s shoulders. ‘It is the collective responsibility of the C-suite,’ says Clive Webb, senior insights manager at ACCA. But CFOs are becoming more involved in operational crisis planning as operating models evolve. ‘As more businesses are cloud-enabled and more technology resources are third-party hosted, technology looks less like an operational domain in its own right and more like a strategic operational issue,’ says Webb. Failing to respond to this trend can have dire operational and financial consequences.
Trying to recover after an adverse cyber incident such as a data breach or ransomware attack can be complex and time-consuming. Money spent trying to remediate damage – to data, systems, relationships with customers and suppliers, and the reputation of the business – can quickly mount up. Then you need to factor in opportunity cost and loss of revenue due to downtime. ‘Cybersecurity is a business issue, not a technology issue. CFOs need to understand and act on this,’ says Webb, because the damage a cyber attack can cause is determined by how well prepared an organisation is.