When the U.S. Securities and Exchange Commission (SEC) recently announced that the CFO of SolarWinds faced potential civil enforcement action following a major cyber-attack, the message was clear: CFOs could face being held personally accountable following a cyber breach.
No longer would it be possible for CFOs to delegate all responsibility for cyber security oversight to their company’s CTO or CISO. From now on, cyber security would have to be on every CFO’s radar.
In this blog, we explore why CFOs could be ideally placed to help organisations mitigate the real-world effects of cyber risk.
CFOs: It’s time to start seeing cyber risk as business risk.
As a seasoned finance executive, you are conditioned to be on the lookout for potential threats that pose a risk to your organisation. A business risk can emerge from any external or internal factor that threatens to reduce your business’s gains or increase its losses.
The key to good risk management is identifying which threats could pose the greatest harm to your business, whilst also being the most likely to occur. This allows you to prioritise a wide range of potential threats, before systematically implementing controls that reduce the likelihood of those threats occurring – a process known as risk mitigation.
Of course, it’s impossible to reduce risk to zero. There will always be a small chance that some threats will occur despite the controls in place, and these will negatively impact your business. This is known as residual risk. You need to determine the level of residual risk your organisation is comfortable living with – and, where appropriate, take out insurance policies that will help you cope with those risks if the threats do end up occurring.
But, while CFOs have long been leading advocates for reducing organisational risk, there has, until now, been one blind spot: cyber risk.
For a variety of reasons, there has been a tendency for CFOs to take a back seat when it comes to managing cyber risk, preferring to leave this matter to their company’s CTO or CISO. This tendency may stem from a sense among many CFOs that cyber risk is technically complex, and thus should be left to those who have a deeper understanding of that technical complexity.
Whatever the reason, times are now changing. CFOs increasingly understand that cyber risk can pose an existential challenge to their organisation. In navigating this evolving landscape, CFOs can seek the help of an external cyber security company with the right expertise. Such a partner can help them understand cyber risk in the context of their business and ensure sufficient resources are allocated to mitigating those risks down to a level the organisation is comfortable living with.
It’s time to start seeing cyber risk as business risk.
Case Example
How a cyber-attack put one CFO in the firing line.
SolarWinds is a leading U.S.-based company that develops software to help organisations manage their IT infrastructure. The company’s Orion platform is designed to allow users to monitor their digital environments for anomalies. As such, Orion can penetrate deeply into a user’s network, accessing highly sensitive systems.
Among the thousands of SolarWinds customers are many leading corporations, as well as numerous U.S. Government agencies.
In December 2020, SolarWinds revealed publicly that its Orion platform had been the subject of a cyber-attack. Malicious actors had manipulated the platform in a way that introduced a hidden security vulnerability into the environments of Orion users when they performed a routine software update.
This vulnerability allowed the malicious actors to gain unauthorised access to Orion users’ networks, posing a national security risk to the U.S. given the number of Government agencies using the platform.
If that weren’t bad enough, it later emerged that the publicly listed company had delayed informing investors and the stock market about the Orion breach. The SEC claimed SolarWinds had overstated its cyber security practices to the market and had understated, or failed to disclose, known risks. This was the reason the SEC announced that the company’s CFO could face potential civil enforcement action.
Whilst civil enforcement action against the CFO has yet to be pursued, this episode is an important wake-up call for all CFOs. You need to be across cyber risk, just as you are across other types of business risk. Not being across cyber risk could have serious consequences for your organisation, as well as for you personally.
CFOs can lead the way in reducing cyber risk.
Many organisations have sought to minimise cyber risk by aligning to maturity-based frameworks, such as the NIST Cyber Security Framework. Such frameworks focus on strengthening cyber security maturity by building your organisation’s capabilities over time.
For example, such frameworks might advocate developing appropriate governance structures, implementing identity and access management controls, and putting Multi-Factor Authentication in place.
Whilst each of these capabilities will help strengthen cyber resilience, implementing them all can be a burden for an organisation with limited resources. Such frameworks also do not take into account the fact that each organisation is different and may face a unique set of cyber threats. Rigid adherence to such frameworks could mean that organisations focus on implementing cyber capabilities that are expensive and time-consuming, whilst doing little to quickly address the most severe cyber threats the organisation faces.
For these reasons, leveraging the expertise of a cyber security services provider can help an organisation embrace a risk-based approach to strengthening its cyber security.
A risk-based approach assesses the unique circumstances of your organisation. It examines the cyber threats that present the greatest risk to your organisation, whilst taking into consideration the likelihood that such threats will occur. It then enables business leaders to allocate limited resources to implementing controls that will reduce those threats that are assessed as being most critical.
CFOs, who are often experienced in assessing and mitigating non-cyber risk, can also play a vital role when it comes to cyber risk. With the right support, CFOs are uniquely placed to help guide their organisation in applying a risk-based approach to reduce cyber risk.
CFOs are on the frontline of cyber risk
A cyber security service provider can help.
It’s important to start thinking about cyber risk as another form of business risk. This paves the way for your organisation to embrace a risk-based approach to cyber security.
CFOs can use their experience in risk management to help shape the thinking of their organisation’s board and leadership team, including the CTO and CISO. CFOs can demonstrate that a risk-based approach is ideal for ensuring limited resources are allocated to the most critical threats your business faces.
When it comes to conducting effective cyber risk assessments, having a team with deep cyber security knowledge is essential. That’s why many organisations turn to the cyber security service provider Virtuelle Security for a helping hand.
Our highly trained Governance, Risk and Compliance (GRC) team can guide you in all aspects of cyber risk assessment and remediation. We work with your existing cyber security team to ensure risks are accurately assessed, so you can prioritise resource allocation and control implementation.
Contact us today for a FREE consultation with Robert Kirtley, our Cyber Security Director, and learn how Virtuelle Security stands ready to help you efficiently remediate cyber risk.