As CFOs settle into the new year, routine concerns about cybersecurity readiness are being compounded by non-traditional, “nimble” technology-enabled competition, rapid globalization, and significant political changes in major markets, including ones stemming from the U.S. presidential election and the U.K. Brexit decision.
Despite the financial demands triggered by those uncertainties, some CFOs show signs of boosting their cybersecurity spending this year. That’s encouraging, considering that information-security budgets were essentially flat in 2016. They registered a barely perceptible 1% dip last year, according to PwC’s Global State of Information Security® Survey 2017.
While the outlook for IT and security spending is indistinct, one thing is certain: CFOs today are more involved in cybersecurity budget discussions and decisions. In large part, that’s because cybersecurity is no longer seen as a technology risk but rather as a business-critical financial risk. And that puts cybersecurity squarely within the purview of the CFO.
When it comes to cybersecurity, the CFO’s job is to help ensure that the company protects such data-centric drivers of business value as intellectual property and patient health information with the same rigor as it controls financial statements and reporting. CFOs have an obligation to allocate the right resources to cybersecurity and help ensure that any security investments deliver measurable risk reduction and safety value.
To do so, CFOs should oversee cybersecurity budgets just as they do their companies' financial performance reporting: by making decisions that balance risk management with internal controls. They can’t do so in a vacuum, however.
Across all areas of the business, many executives — including P&L owners, chief risk officers, chief operating officers, and others — are all required to help decide which risk-mitigation controls to implement, how much to invest in them and when to make risk tradeoffs. The CFO’s expertise in making risk-based decisions and operating a highly audited control environment (such as annual audits of internal controls of financial reporting under the Sarbanes-Oxley Act) makes him or her uniquely qualified to apply proven, risk-based principles to support decisions related to cybersecurity spending.
With digital businesses straddling industry lines to create new software-enabled connected products and services, the inherent risks and responsibilities for cybersecurity are shifting.
Increasingly, businesses are manufacturing devices that, when connected with the company’s operational technology and IT systems, enable them to deliver such digital services as home-security monitoring, in-vehicle diagnostics, and automatic maintenance of manufacturing plant equipment. Historically, cybersecurity incidents have resulted in theft of money. But when something goes wrong with connected products and services, the safety and well-being of individuals may also be at stake, and the responsibilities for remediation may be blurred.
Consider, for instance, the scramble to respond to a U.S. Food and Drug Administration alert issued on January 9. The bulletin warned that a specific cardiac pacemaker was vulnerable to hacking and, if compromised, could result in physical harm to patients.
While the device maker released a software patch to automatically update the devices, the FDA also targeted healthcare providers, caregivers, and even patients in its alert. After all, physicians are ultimately responsible for patient well-being and patients needed to make sure their devices were connected to receive the software update.
As such a combined reaction becomes more widely necessary, businesses are finding that not all response funding and remediation activities will come from the IT and information security function. In the pacemaker case, for instance, the device maker’s chief medical officer or its product engineering group would be likely to bankroll costs and supply personnel for the remediation. As connected devices and the Internet of Things proliferate, such out-of-band security spending will also increase. CFOs will need to create unified controls and procedures to govern this new spending.
Just as responsibility for remediation is expanding, so too is the scope of stakeholders involved in internal cybersecurity discussions and decision-making. The conversation should include IT and cybersecurity leaders, of course. But finance leaders are also seeking input from a broader range of executives and managers. Chief among them are leaders from frontline operating units, such as product manufacturing and customer service. They alone fully understand the security needs of their business units and therefore should be actively involved in prioritizing risks and helping identify the right security controls.
It’s also critical that CFOs work with the CRO to aggregate and review company-wide risk exposure and ensure that security controls and models are within board-approved risk appetite parameters. And internal auditors should provide assurance that the risk management and security control processes are effective and operating efficiently.
There is currently a global deficit of cybersecurity talent, and it is bound to continue into the new year. Meanwhile, finance chiefs are acutely aware of the need to hold the cost of hiring trained cybersecurity professionals within the constraints of the company’s security budget. Many CFOs support managed security services as a way to address employee costs and ease the talent squeeze, which shows no signs of abating. In fact, a report by Cybersecurity Ventures predicted that the existing cybersecurity workforce gap will widen to 1.5 million job openings by 2019.
Already, two-thirds of CFOs responding to PwC’s information security survey have said their organizations employ managed security services to make sure that cybersecurity programs are managed in a cost-effective manner. Doing so can also help ensure that companies have access to highly trained cybersecurity talent within their budget constraints.
Another way CFOs can manage the cost of security risks is through the purchase of cybersecurity insurance. This year, in fact, 61% of CFOs responding to PwC’s security survey said they bought cybersecurity coverage to help curb the financial costs of breaches of personal data, payment card information, and intellectual property, as well as damage to brand reputation.
As with other types of insurance, CFOs compare the company’s individual risk tolerance with the security controls it has implemented to determine the amount of insurance that should be purchased.
Cybersecurity insurance is not the only way that businesses employ a financial mechanism to mitigate risks. CFOs can also recommend the use of financial reserves to ensure that the business has the financial resources to quickly respond to and remediate incidents — much like the way reserves are employed in the financial services industry. While the use of reserves for cybersecurity remediation is not widespread, CFOs should consider this tactic to help ensure they have the financial resources necessary to respond to and remediate security incidents.
Christopher O’Hara is a principal with PwC U.S. and co-leader of the firm’s cybersecurity and privacy services.