What CFOs Should Know About Their Cyber Programs

With today’s threats to information security, cybersecurity risks should be considered part of an overall enterprise risk management program for any business. The impacts to the organization from a cyber-attack are swift and can be devastating.

Information security is a complicated issue to manage because each organization’s vulnerabilities to cyber-attacks are different. Systems in place and control environments are highly customized, and federal and state regulatory requirements will vary based on your industry and operational location. Although there are best practice frameworks to use for managing information security, the devil’s in the details with how those frameworks are configured for your organization’s needs.

CFOs and business leaders can help their organization manage the information security function by reviewing the following core areas of risk.

Policy & Governance Processes

There are several best practices for policy and governance processes. Leadership should consider whether they have a dedicated person responsible for the organization’s data security who meets with leadership (and the company’s audit committee) to discuss threats and ongoing risk mitigation efforts. By putting one person in charge of this responsibility, leadership has a resource with which to discuss concerns and address questions about how the organization’s information security effort is going as a whole. Other best practices include whether critical security related practices and policies (password changes, privileged account access, etc.) are documented and reviewed annually. It is important that there is training in place on cyber risk awareness for all employees.

Tactical Areas of Focus

Every organization has unique risks, but there are core areas where information security breaches and cyber-attacks are common. To address these tactical areas, CFOs and financial leaders should consider whether your organization has a vendor risk management program that routinely reviews security practices for service providers that process or store critical and sensitive information. It is also critical to make sure your organization performs social engineering and phishing simulations periodically to assess training and awareness. Security patches should also be routinely catalogued, prioritized, and scheduled for timely updates to all connected devices and software within your organization.

Information for Boards

Boards of directors (and investors) play a critical role in the cybersecurity risk management process, but to be effective, Boards need to be informed about the steps the company is taking to protect its information. CFOs and leadership teams can help the Boards have the insight they need by having detailed conversations with members of the IT team about the enterprise-wide approach being taken to mitigate information security threats.

Specifically, boards may be asking the following questions, which CFOs and leadership teams should be prepared to answer:

Do you have an IT security strategy and plan that is aligned with your highest value information?
What makes you feel confident in your security and controls over the company's data?
Would your organization be able to detect a breach? How often does management review incidents and breaches and when was the last one?
When was the last time the organization had an IT security assessment performed against a standard security controls framework?
When was the last time key suppliers and partners were reviewed with respect to access to data and systems?
What investments are you making in improving your employees’ understanding and everyday use regarding information security?

Put Your Cyber Approach to the Test

With so much to consider, it can be difficult to get your information security evaluation started. Our team may be able to help. For additional cybersecurity questions or a complimentary consultation on your cybersecurity program, please contact us.

Published on June 15, 2021