Risk management is the process of identification, analysis, and mitigation of uncertainty in business decisions. It has become increasingly critical for companies to bring a team of diverse people together to discuss the possible threats to the business. It´s also important to ensure the team is doing everything they can to mitigate uncertainty in operations for the company´s stakeholders. In this article, we will discuss security risk management, financial outcomes of cyber-attacks, and the collaboration needed between Finance and IT to develop a more cyber resilient organization.
Proper risk management planning is especially important during times of uncertainty, such as during the COVID-19 pandemic. Operations have to adapt rapidly during these times. Having a team already in place to coordinate and communicate changes to the organization and facilitate a transition with a business continuity plan can make a big impact on how the organization emerges after a business disruption, such as a cyber-attack.
Years ago, risk management fell solely under the responsibility of the Finance department. Financial risk management efforts have been a core part of the finance team´s efforts ensuring that the company is in the best position in the case of economic uncertainty. Other areas of risk, from compliance to the IT department traditionally fell under the Chief Financial Officer´s role as well.
Role of a CFO in risk management
The CFO is charged with ensuring the appropriate risk procedures are in place in case a risk event occurs. The CFO is often also responsible for assessing appropriate insurance coverages to minimize the strategic, financial, and operational impact of the business in the case of a risk event, which may include cyber insurance.
However, today the role of risk management is not contained in just one department. It´s usually managed with a cross-functional team. A modern risk management strategy is developed primarily with senior leadership, C-level executives, and the company´s Board of Directors. When it comes to security risk, leadership of cyber risk mitigation may fall to the CIO, but cooperation and collaboration is required from all areas of the company.
Potential Risk Factors
When reading a company´s annual report, the first few pages usually contain an analysis of risks to the business, often labeled as “Risk Factors.” This section outlines the expected impact those risks may have on the company.
Common Risk Factors usually fall under the categories of Financial, Operational, IT/Security, or Other.
IT/Security Risk Management
IT/Security risk has its own category, but it can also have an impact on other categories of risk, such as financial risk or operational risk.
Typical areas of security risk:
- Contract risk (any outsourced IT services or other partners)
- Hardware and software failures
- Exposure of employee, customer, or business-critical data
- Viruses, phishing, and human error
- Hackers, fraud, password theft, denial-of-service, and security breaches
In order to mitigate those areas of security risk, the CIO can´t work alone. Security risk mitigation requires leadership from multiple other areas of the company in addition to the IT department. For example, the CFO and Finance department can strengthen supplier policies and increase insurance coverage to reduce the impact of a potential cyber-attack.
IT systems and technology to increase the security of your online presence is not a comprehensive plan to security risk mitigation. Training staff about security awareness and how they can mitigate phishing attacks is another necessary component of security risk mitigation.
What is the financial impact of cyber-attacks?
The financial impact of a cyber-attack is not just the number you hear about in the media regarding the amount a company had to pay in ransom. There are many other factors that can take a huge toll on the company.
Factors that make a financial impact during or after a cyber-attack:
- Additional internal staff wages or external hires to handle the damage
- Damage to credit or insurance premiums
- Extra PR to repair brand damage
- Additional training
- Downtime of operations during a cyber incident
- Potential lost business due to incident
IBM´s research shows that the average cost of a data breach globally is 3.86 Million USD. That number is not insignificant. This is why prevention and risk mitigation of security threats is important to lower the financial impact.
Rapid detection of a security breach minimizes the financial cost to the business and reduced the data loss according to Kaspersky Labs. Therefore, the Finance department would benefit by working closely with IT to develop resources that improve cyber threat detection.
Role of Finance in mitigating cyber risks today
Cyber incidents can pose a large impact on financial stability and the cost of a data breach can be significant as already mentioned. The Financial Stability Oversight Council in the U.S. has been analyzing cybersecurity as a primary risk to financial stability since 2012. As the two areas are interconnected, the Finance department should be actively involved in collaboration with IT leadership in developing and implementing policies and procedures that support cyber threat mitigation.
Ash Noah, an industry-leading financial executive and advisor, thinks that it is critical for finance executives and team members to play a driving role in preparing for and addressing potential cyber risks. The involvement of Finance in cyber threat mitigation is essential for the long-term growth of the organization, according to Noah.
Kaspersky states that the only way to curb the financial impact is by taking a holistic approach to IT security, and not only relying on detection technology. This is where employee security awareness training can make a big impact.
Why the Finance department should be a champion for security awareness
A data breach can happen at any time, and it only takes one click for a hacker to gain access to your company´s data. Apart from the technological tools in place to mitigate security, employee training on security awareness is a key element to mitigating the threat of hackers and phishing attacks. To avoid a data breach and minimize the financial impact of a cyber incident, you need an effective phishing training.
People-first phishing training trains your employees so that they can detect and report phishing attacks to prevent a cyber incident. The Finance department should be a key supporter of security awareness and phishing training that improves incident detection, as it also reduces financial uncertainty from a potential cyber-attack.
In a previous article, we discussed how to gain leadership support to invest in people-first phishing training. That article gives examples and tips about how to communicate the threat landscape to leadership across multiple departments. It also explains the ROI of strengthening your company´s resiliency, which is a metric that most Finance departments would be interested in.
Security awareness training can help the organization save significant financial resources by lowering the chance of a cyber breach through human error. This why the Finance department should work closely with IT in security risk mitigation.