CFOs Disregarding Cyber Risks

But government surveillance and the Heartbleed security bug may finally draw their attention to data security vulnerabilities, one consultant thinks.
David KatzApril 29, 2014
CFOs Disregarding Cyber Risks

DENVER — CFOs and corporate treasurers may be asleep at the wheel when it comes to the risks to data privacy and security their organizations face.

It’s hard to come away with anything but that impression from the results of a Marsh survey on excellence in risk management released yesterday at the annual Risk and Insurance Management Society conference. Particularly striking was the discrepancy in the degree of alarm expressed by C-suite executives when compared with corporate risk professionals

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

According to the survey, which drew 600 responses — 87 percent of them from risk professionals, 10 percent from the C-suite (mainly CFOs and treasurers) and the rest from chief risk officers — risk professionals ranked data privacy and security as the top risk their companies were facing in 2014. By contrast, C-suite executives ranked it 12th.

securitylockInstead, the C-suite respondents ranked legal or regulatory shifts number one (risk professionals ranked them seventh). Concern about data breaches, however, is rising among CFOs and treasurers: Data security and privacy ranked only 26th on their risk list in 2013.

Still, just 52 percent of the entire group regarded cyber attacks as a current concern, while 6 percent actually felt that such breaches are “unlikely to ever impact our organization,” according to the survey.

According to another, earlier survey, the indifference to cyber risk is endemic at the higher reaches of corporations. In a 2012 Carnegie Mellon Cylab study of 108 board members and senior executives of Forbes Global 2000 companies, 57 percent of the respondents weren’t analyzing whether they had enough cyber insurance coverage or undertaking key activities related to cyber risk management. Such activities could “help them manage reputational and financial risks associated with the theft of confidential and proprietary data and security breaches,” according to the study.

The report also found that boards were lax on such key cyber oversight activities as reviewing risk management budgets, assessing security programs and creating top-level policies. They were also failing to assign leadership roles for privacy and security and weren’t receiving regular reports on breaches and information technology risks.

For their part, “CFOs haven’t paid attention at all” to cyber risks, said Jody R. Westby, the author of the Carnegie Mellon report and chief executive officer of Global Cyber Risk, a consultancy, in an interview at the RIMS conference. “They’ve been troglodytes for years.”

Finance chiefs have tended to delegate cyber risk to IT teams and then refused to think more about it, she said. “But a CFO that does not pay attention to cyber risk and make informed funding decisions is a risk to the organization,” Westby added.

But this year will be different, according to the consultant. That’s because such news stories as those involving the National Security Agency’s collection of millions of phone records and the Heartbleed encryption bug will finally galvanize finance chiefs.

The notion that U.S. companies’ customer data might surreptitiously be scanned or accessed by the government represents a big competitive advantage for European and Asian companies who can claim that “our data’s not going into government hands,” said Westby. “This has gotten the attention of boards and CFOs like never before.”

Noting that Heartbleed is one of the most severe cyber threats to corporations to date, she said that the bug created “a month of vulnerability” for one of her client companies, forcing it to scan its systems to identify the bug and communicate with its technology vendors to track its path. More broadly, such attacks cause anti-virus vendors like McAfee to change their software updates numerous times, thereby adding complexity and confusion to the process for end users.

Image: Thinkstock