The Kroll 2022 Cyber Risk and CFOs report, Over-Confidence is Costly, revealed that 84% of CFOs in Asia Pacific acknowledge that their organisation had more than three security incidents in the last 18 months, and only 8% of CFOs are briefed monthly by the information security team.
The same Kroll report noted that in some cases cyber insurance is presented as a solution to cyber incident risk. The report warned that cyber insurance should not be viewed as a catch-all.
“Many policies don’t cover all impacts from a cyber incident, and cyber insurance premiums and deductibles have increased exponentially. A well-rounded security strategy would include one or more carefully crafted cyber insurance policies as well as robust investments into technical controls and awareness training.”Kroll 2022 Cyber Risk and CFOs report
Phillip Ivancic, APAC head of solutions strategy for the Synopsys Integrity Group, acknowledges a steadily growing awareness amongst all top leaders, including CFOs. Although many CFOs and top business leaders, unfortunately, still perceive cyber security to be a responsibility of their IT department and Office of CISO.
To what extent do CFOs in Asia understand the gravity of the cyber threat in 2022?
Phillip Ivancic: I think this perception generally stems from the fact that for long-time cyber security control, and cyber terminology, were often presented in very technical ways. Therefore, it is seen as an “IT problem”. Furthermore, the risks and the costs of a cyber incident were difficult to quantify and present in financial models.
"What is changing for CFOs, is they are starting to think of cyber resilience in terms of underpinning and, most importantly, protecting often substantial digital transformation investments. That makes it a more focused business conversation."Phillip Ivancic
For most organisations, digital transformation has been one of the main drivers of recent OPEX/CAPEX investment. Almost every organisation faces competitive pressure to improve digital channels. This means large investments in upgrading applications and software.
As CFOs are involved in budgeting and reporting these vital investments, they are realising you can’t achieve the benefits of digital transformation without also protecting.
In a car, to go fast, you need bigger brakes! That’s what cyber controls are to digital transformation investments.
Like it or not, every business is now a software business. Some of the most valuable assets are digital and data. CFOs and top business leaders have realised that becoming involved in application and software security is vital to protecting their most recent investments.
Are they, in general, leaving it to the CIO/CISO to take care of the problem?
Phillip Ivancic: That is slowly shifting as they realise that every business is a software business. In the past, the terminology of cyber controls was very technical. To be frank, this intimidated business leaders, and they thought it would be best left to technical experts like their CIOs and CISOs.
However, business leaders have realised that every important business function relies on data and software. Therefore, they are realising that protecting that data and their software is a business problem and, therefore, every executive’s problem not just IT.
This shift means that CFOs and business leaders are becoming more familiar with the language of technical controls and, most importantly, they are validating that cyber controls are being budgeted for as a part of digital transformation investments.
It is a slow shift; it will take some time and different CFOs and business leaders are at different levels.
Do CFOs support putting more resources into cyber threat mitigation?
Phillip Ivancic: CFOs support protecting their digital transformation investments. Every business is now a software business. Ensuring that provisions for application and software security are being built into every digital transformation budget is becoming a priority for all top executives.
To what extent should CFOs drive the cyber threat discussions in the organisation?
Phillip Ivancic: There are several ways finance leaders can drive the conversation.
Firstly, ensure application security controls are budgeted for as a part of all digital transformation projects. You expect a car to have brakes, you should also expect a new application, software upgrade or digital transformation project to have automated security scanning and expert-led penetration tests. CFOs can question if those basic controls aren’t mentioned in any budgetary estimates.
Secondly, be an active participant in Cyber Incident Response Planning. Ensure that your Cyber Incidence Response Plan is linked with the overall Business Continuity Plan.
Thirdly, lean into the idea that every business is a software business. It is no longer just an IT problem, it is vital that every business executive, including CFOs, learn more about applications, data and the minimum level of security controls required to take advantage of digital transformation investments.
Any suggested reading material/resource that is CFO-friendly?
Phillip Ivancic: I think governance bodies like the Singapore and Australian Institutes of Company Directors publish great materials without technical jargon and are doing a good job linking cyber with other well-known governance and business risk management frameworks.