CFOs and Cybersecurity: Top Threats and How to Prevent Them

Mark Jackley | Content Strategist | March 27, 2024

Because cyberattacks represent a major financial risk to most organizations, chief financial officers play an important role in cybersecurity. They work closely with chief information security officers (CISOs) to prioritize potential threats based on their financial risk, maintain defenses accordingly, and ultimately help mitigate those risks.

Why Should CFOs Care About Cybersecurity?

Cyberattacks can cost organizations in a number of ways. Overall, the average cost of a data breach to organizations worldwide was $4.45 million in 2023, according to a study by IBM and the Ponemon Institute. Nearly 95% of attacks are launched for financial gain, not for political, social, or personal reasons, according to the 2023 Verizon Data Breach Investigations Report.

Confidential data, such as customer credit card numbers and employee network passwords, is a favorite target. So is good old-fashioned cash, raked in through phony vendor invoices, payroll scams, and ransomware attacks. Nearly half of senior executives think attacks on accounting and finance will worsen, according to a 2023 study by the Deloitte Center for Controllership. Then there’s the financial cost of damage to an organization’s reputation due to a security breach.

New U.S. Securities and Exchange Commission regulations also have CFOs’ attention. The SEC adopted rules requiring public companies to give investors “decision-useful” information about cybersecurity incidents, along with periodic updates on their cybersecurity programs. The rules also appear to require the SEC to be notified within four days of a company’s determination that a cybersecurity incident is “material,” meaning one that most investors would consider important.

Another regulatory mandate is the Federal Information Security Management Act (FISMA), which requires United States federal agencies to develop, document, and implement agency-wide security measures. Compliance with the law is mainly the CISO’s responsibility, but government CFOs need to be mindful of its requirements.

Key Takeaways

  • As experts in risk management, CFOs should work with CISOs to prioritize cyberthreats and defenses based on corporate financial risk.
  • To assess cyber risk, CFOs must gain a solid knowledge of cyberattack techniques as well as the strategies and technologies used to combat them.
  • Increasingly, CFOs contribute to cybersecurity plans, review security budgets, and monitor the effectiveness of security preparations.

CFOs and Cybersecurity Explained

CFOs aren’t cybersecurity experts, but they are experts in risk management. This makes them natural allies of the CISO, who is responsible for protecting the organization’s systems and data. CFOs should be consulted on cybersecurity plans, making sure they reflect the company’s overall financial risk. Do they sufficiently guard systems that process and store the organization’s most sensitive and valuable data? Do they help employees across the organization spot fraudulent emails, calls, and other scams? As the top risk management watchdog, the CFO must be confident that the organization’s level of cyber risk is acceptable.

CFOs also have regulatory reporting obligations that include cybersecurity. They’re closely involved with compliance of rules laid down by the U.S. Securities and Exchange Commission, the European Union’s General Data Protection Regulation, and the California Consumer Privacy Act, among others. CFOs collaborate with general counsels, internal auditors, CISOs, and others to ensure compliance. They face questions from the board of directors about disclosures of any cyber incidents, along with annual disclosures of cyber-risk management, strategy, and governance.

In pursuing compliance, CFOs must balance a number of key factors. For example, the SEC requires disclosure of any “material incidents,” that investors would deem important. Of course, CFOs use financial measures to decide what is material and as a result what to disclose, but they should also consider more qualitative factors such as the reputational impact of even a small attack on customer information.

Top Five Cybersecurity Risks for CFOs

In this online-first business world, the “threat vector” available to cyberattackers is expanding as companies roll out applications faster and to more users than ever before. Companies are also increasingly integrating applications with systems from suppliers, partners, and other outsiders.

Regardless of the environments they target, attackers are always testing new ways to evade cyberdefenses. CFOs don’t need to grasp every technical nuance, but they must understand attackers’ most effective techniques. Many attacks are new twists on the following five basic types.

1. Business email compromise

Business email compromise (BEC) is a cyberattack that uses email to manipulate people. For example, attackers try to trick the recipient into sending money via a fraudulent request to wire funds or a phony vendor invoice. Such BECs typically target accounting and finance, procurement, and payroll teams. BEC is a type of phishing attack. Other phishing scams try to trick recipients into revealing passwords, providing credit card numbers, or clicking on malware links.

Between 2013 and 2022, BEC attacks cost organizations worldwide $51 billion, according to the US Federal Bureau of Investigation. Abnormal Security, an email security company, reports that in the first half of 2023, BEC attacks increased by 55% over the first half of 2022.

2. Supply chain attack

As the term suggests, supply chain attacks target something a company buys from vendors, typically a software program. By exploiting a vulnerability in a software program, the attacker can gain backdoor access to multiple companies that are using the software. The attacker gains access to private networks, including its intellectual property, customer data, and other information assets. The most infamous example is a 2020 attack that corrupted a popular networking tool, leading to breaches at top US government agencies and multinational corporations. While supply chain attacks are associated with state-sponsored actors attempting to carry out espionage or disrupt critical infrastructure, financially motivated criminals also launch these attacks.

3. Publicly exposed database

A publicly exposed database is one that supports a public website or application and is unprotected by security measures such as requiring user credentials, secure configuration, adequate security settings, or oversight in the deployment of databases—making them easy pickings. The rise in remote work during the COVID-19 pandemic contributed to an increase in unsecured data and resulting attacks. In 2023, Singapore-based security firm Group IB uncovered nearly 400,000 such databases on the open web. When learning of the problem, database owners took an average of 170 days to fix it, risking data breaches and follow-up attacks on employees or customers, Group IB found. In a 2022 study by security provider Kroll, 53% of organizations said attacks on exposed databases resulted in a network compromise.

4. Insider threats

An insider is an employee, former employee, contractor, vendor, or other party whose special access to a company’s systems and networks could pose a security threat. Insiders fall into two categories: those who act intentionally to bring down a company’s systems and steal its data and those who unintentionally cause a security gap because they lack security training or simply fail to follow procedures. The average total cost to an organization of an insider threat incident rose from $15.4 million in 2022 to $16.2 million last year, according to research by IT vendor DTEX Systems and the Ponemon Institute, based on a sample of organizations in different industries and of varying sizes.

5. Ransomware

Ransomware is a malware type used by attackers to encrypt a company’s data, often delivered by compromised software or phony emails, and then demand a financial ransom to remove the encryption. When ransomware is activated, employees can’t access key systems and data, they’re unable to work, and operations grind to a halt until the organization pays the ransom demanded and access is returned to normal. Some companies decide that paying the ransom is less costly than operational downtime, especially if cyber insurance covers some of the losses. However, there’s no guarantee that attackers, once paid, will supply a decryption key to free the data. The average ransomware payment in 2023 was $1.54 million, according to security vendor Sophos. Last October, the Counter Ransomware Initiative, a US-led group of government organizations in 50 countries, pledged that they would never pay ransom to cybercriminals.

Cyberattacks: Key Stats
55%
Percentage increase in business email compromise attacks from January to June 2023
$138 billion
Estimated global cost of supply chain attacks in 2023
74%
Percentage of organizations considered moderately to extremely vulnerable to insider threats in 2023
$1.54 million
Average ransomware payment in 2023

Sources: Abnormal Security, Cybersecurity Insiders, Sophos

The Role of the CFO in Cybersecurity

Beyond working with CISOs to prioritize cyber risks, CFOs increasingly help them craft a security plan, develop a security budget, and monitor security performance and preparations.

Understand cybersecurity risks

To understand cybersecurity risks, CFOs prioritize them based on financial risks. This means, for example, working with CISOs to ensure that key applications—ones managing sensitive data and payments—are adequately defended. Do different roles require different levels of permission to access data and conduct transactions, what’s called the principal of least privilege? For example, a supply chain manager might need permission to enter a procurement system and make or approve transactions. An accounting specialist may not need permission to work in that system, but does need permission to access and do business in accounting and financial systems. Likewise, only authorized employees should set up vendor payments.

High-priority applications are found in accounting and finance (accounts receivables and payables), supply chain operations (procurement), and HR (payroll). In some industries, such as financial services and healthcare, protecting apps that manage customer or patient data is especially important.

“Cybersecurity isn’t one size fits all,” says Aman Desouza, an Oracle senior product director who formerly directed governance, risk, and compliance strategies for global fintech firm Broadridge Financial Solutions. “Some applications are way more important than others. CISOs should work with CFOs, and sometimes other executives, to prioritize enterprise risk and protect the crown jewels. And sometimes, the CFO needs to be willing to challenge the CISO’s thinking.”

When assessing the potential impact of attacks, CFOs should look beyond immediate financial damage. They must also consider the lasting effects on productivity, brand reputation, customer relationships, and legal compliance.

Develop a cybersecurity plan

While companies vary in structure, cybersecurity planning is a cross-functional effort that typically falls primarily on the CISO. But because cyberattacks present severe risks to the bottom line, CISOs should consult with CFOs when devising plans. With the new SEC rules, CFOs at US publicly traded companies also are required to include certain cybersecurity risk management, strategy, and governance information in their annual reports, so they need to work closely with CISOs on that.

All plans should include an assessment of cybersecurity risk. CFOs gauge cyber risk based on the value of various data, plus the potential legal and reputational costs of security incidents. CFOs also consider the risks of outsourcing sensitive data storage to third parties, especially the implications for cybersecurity insurance coverage, and the risks of noncompliance with SEC or other rules.

Another crucial aspect of planning: an evaluation of current security tools and processes. CISOs evaluate tools for their technical capabilities. CFOs want to know that tools and related processes can defend high-value assets, in particular finance and payments apps. Through cost-benefit analysis, CFOs can also evaluate security tech investments, a perspective that helps CISOs when it’s time to present the security budget to CEOs and boards.

The best plans are flexible, allowing companies to adapt to emerging risks such as AI-powered deepfakes, which can present ultrarealistic impersonations of top executives. One attack used a deepfake video on a conference call to lure a finance worker into sending $25.6 million to the attacker’s bank accounts, CNN reported. Adaptive plans also make room for the latest security tools, some of them using, that’s right, generative AI to spot network abnormalities and malicious activity faster.

Establish a budget for cybersecurity

As with the cybersecurity plan, the CISO takes the lead in proposing a cybersecurity budget. In most companies, CFOs consult in the process, reviewing the budget, asking questions, and making recommendations. In reviewing security spending, CFOs examine investments in people with specialized expertise, technologies to detect and combat attacks, and tools to monitor cyber risk and security compliance.

In the 2022 to 2023 budget cycle, cybersecurity budgets rose by modest rates, according to a 2023 study by security consulting firm IANS Research. For example, technology companies on average boosted security budgets by only 5%, versus an increase of more than 30% in the 2021 to 2022 cycle. Compared to other industries, though, tech companies have the largest security budgets as a proportion of total IT spending, at 19.4%. The retail industry, by contrast, allocates an average of 7.2% of IT budgets to security.

When money is tight, CFOs ask hard questions. Does the proposed budget align with corporate objectives? Does it properly fund efforts to defend the organization and reduce risk?

Allocate resources to cybersecurity

Once the cybersecurity budget is set, CISOs review whether it’s allocating resources to where they’re needed most to reduce risk, whether it’s to hire skilled professionals, expand employee security training programs, buy new security software, or move the organization to a more secure cloud business model. Again, CFOs play an advisory role, ensuring that the allocations mirror financial risk priorities. Example: By allocating funds for multifactor authentication tools, will the organization reduce the risk of intrusion and protect data better than if it spent a similar amount of money on people or process improvements?

Monitor cybersecurity performance

The cybersecurity plan includes performance-monitoring metrics, showing if current levels of risk are acceptable or not. The CISO looks at metrics such as the mean time to detect attacks and respond to them. The CFO focuses more on security readiness versus the performance of technology and process. “Mostly, CFOs want evidence of mature security programs,” Desouza says. “They look for indicators such as automated monitoring tools or security awareness training that teaches employees to spot BEC and phishing attacks. To the CFO, it’s more about preparation than anything else.”

The Cost of Ignoring Cybersecurity

When companies ignore (or don’t pay enough attention to) cybersecurity, the price can be steep, resulting in loss of data, funds, and/or intellectual property. Costs can also include degraded customer trust, canceled business orders, stock price drops, negative headlines, and legal penalties. Dark Reading reported that one widely publicized 2017 security breach led to the company’s stock price declining 31% within a week and that it took two years before it fully recovered. More common, however, are immediate stock price declines in the low single digits.

The damage from global cybercrime is expected to reach $10.5 trillion by 2025, according to 2022 research by Cybersecurity Ventures. Security vendor Deep Instinct reported that 75% of security professionals witnessed a rise in attacks from 2022 to 2023.

Under the new SEC cyber-disclosure rules, companies must “disclose annually information regarding cybersecurity risk management, strategy, and governance,” Erik Gerding, director of the SEC’s division of corporation finance, said in a statement. This is in addition to the need to disclose any material cybersecurity incident. Given these requirements, CFOs at public companies must feel confident that they understand a company’s ongoing cybersecurity strategy and practices. They must have the knowledge and relationships to quickly know about relevant cybersecurity incidents and assess the materiality of those attacks. CFOs who neglect those requirements open their organizations up to regulatory penalties.

Prevent Cybersecurity Risks from the Start with Oracle

The Oracle Fusion Cloud Enterprise Resource Planning (ERP) suite of financial, procurement, project management, and other applications offers security by design. Centralized access controls can help simplify network authorization, and together with the security features offered as part of the Oracle Cloud ERP, can assist organizations with managing its compliance and regulatory obligations.

Oracle Risk Management and Compliance, part of the Oracle Cloud ERP suite, is a security and audit solution that includes AI tools to control access to the suite’s financial data, detect suspicious transactions, and help provide organizations with valuable insight to assist in complying with security regulations.

CFO Cybersecurity FAQs

What does the CFO do in cybersecurity?
As the organization’s risk management steward, the CFO makes sure that its cybersecurity efforts reflect financial risk management strategies. The CFO helps the CISO understand risk priorities across the enterprise and create security plans and budgets accordingly.

What cybersecurity certifications should a CFO have?
One certification CFOs should consider is the Maximizing Digital Operational Excellence Certificate, offered by the American Institute of Certified Public Accountants and the Chartered Institute of Management Accountants. It affirms that financial managers are up to date on methods to strengthen financial governance, security, and control.

What are the key cybersecurity responsibilities a CFO must fulfill?
Besides ensuring that cybersecurity aligns with financial risk, CFOs should assist CISOs in refining security plans and budgets, as well as prioritizing protection of applications that manage critical data and payments. The CFO at public companies also may have regulatory disclosure requirements, depending on where the company is located.

The CFO’s Guide to Fueling Profit and Growth

Unlock 5 strategies to cut costs and increase productivity without stifling growth.