[The CFO] “Before we begin our monthly call, I have a question for you all. Who the heck is ‘iPhone5’ and how did he download our pro forma financials last Tuesday?”
Finance departments typically partner with IT to set up a secure financial information storage and sharing system — giving access across platforms, including mobile devices — but often neither function monitors who is accessing the data. Device-agnostic electronic access anytime, anywhere, increases the potential for a financial information data breach. “iPhone5” could be a journalist, a stock trader, a competitor, or a recently terminated employee — the access log just says “iPhone5.”
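The access-log problem above, as an added example that is not part of the original article: the sharing system records a device label and a document but no user, so the only way to answer "who is iPhone5?" is to join each event against a device inventory (for instance a mobile-device-management enrollment list, assumed here) and flag sensitive-document events from devices nobody has claimed. The log lines, the inventory, the field names and the sensitive-document prefixes are all constructed for illustration.

```python
"""Attribute document-access events to people, not device labels.

Added example, not code from the article or from any vendor it names.
The log format, the device inventory and the event records below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: a device registration record mapping a device
# label to the employee who enrolled it. Personal devices that were never
# enrolled simply do not appear here, which is the whole point.
DEVICE_INVENTORY = {
    "LAPTOP-FIN-0142": {"user": "m.okafor", "managed": True},
    "iPad-FIN-0077": {"user": "j.lee", "managed": True},
}

# Constructed access-log lines in the shape the article describes: a
# device label, an action and a document, but no authenticated user.
ACCESS_LOG = [
    "2024-03-12T09:14:02Z device=LAPTOP-FIN-0142 action=view doc=Q1_board_deck.pptx",
    "2024-03-12T18:41:55Z device=iPhone5 action=download doc=pro_forma_financials.xlsx",
    "2024-03-13T07:05:10Z device=iPad-FIN-0077 action=view doc=pro_forma_financials.xlsx",
    "2024-03-13T07:06:33Z device=iPhone5 action=download doc=Q1_board_deck.pptx",
    "2024-03-13T11:20:41Z device=iPhone5 action=view doc=cafeteria_menu.pdf",
]

# Constructed naming convention for the documents finance treats as sensitive.
SENSITIVE_PREFIXES = ("pro_forma", "Q1_board", "m_and_a")


@dataclass
class AccessEvent:
    timestamp: str
    device: str
    action: str
    doc: str
    user: Optional[str]   # None when the device cannot be tied to a person
    managed: bool


def parse_line(line: str) -> AccessEvent:
    """Parse one 'key=value' log line and attribute it via the inventory."""
    timestamp, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    record = DEVICE_INVENTORY.get(kv["device"])
    return AccessEvent(
        timestamp=timestamp,
        device=kv["device"],
        action=kv["action"],
        doc=kv["doc"],
        user=record["user"] if record else None,
        managed=bool(record and record["managed"]),
    )


def unattributed_sensitive_access(lines):
    """Return events that touch a sensitive document from a device no one
    has enrolled. These are the cases a reviewer should see in a routine
    access review, not discover at the start of the monthly call."""
    flagged = []
    for line in lines:
        ev = parse_line(line)
        if ev.user is None and ev.doc.startswith(SENSITIVE_PREFIXES):
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in unattributed_sensitive_access(ACCESS_LOG):
        print(f"{ev.timestamp} {ev.device} {ev.action} {ev.doc}: no enrolled user")
```

The join is a stopgap that only works for devices someone enrolled; the durable fix is for the sharing system to record the authenticated user on every event so attribution never depends on a self-chosen device name.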
If the CFO is secretly hoping this is IT’s problem, unfortunately it’s not. Particularly in the case of M&A, financial statements, and proprietary company intelligence, a data breach can affect the bottom line. So it’s incumbent upon the CFO to guarantee the security of financial information — not only by making sure that proper access controls and technologies are in place, but also by making sure that everybody understands the importance of following the procedures.
Security vs. Productivity
But companies often find themselves on the horns of a dilemma. Working counter to data-security efforts are dedicated employees who need and expect to be able to share information wherever and whenever they wish — it’s a key component of an increasingly mobile and increasingly productive workforce.
A recent survey by CFO Research of 153 senior finance executives at U.S. companies confirmed that productivity frequently takes precedence over information security as employees race to meet deadlines and goals. In the survey, which was commissioned by the document management firm RR Donnelley, we found that only one-third (33%) of the respondents said their companies had a formal, enterprise-wide plan for controlling financial information electronically.
And it turns out that just having a plan in place isn’t sufficient. As one treasurer from a financial services firm put it: “We have a fairly robust set of controls in place. The one thing we need to do more of is training and updating employees so that we can be more confident that the rules are being followed.” This treasurer isn’t alone: 80% of survey respondents said their companies needed to improve their communication of security policies.
Virtual Data Rooms
For sensitive information, companies prefer the perceived security and control of internal electronic and collaboration tools. But those “secure” areas (e.g., internal drives, private clouds) are being accessed by employees using their personal devices with tweaked technical controls and security settings, multiple apps running in the background, and social-media sharing defaults long since forgotten. “Bring your own device” policies are making the weakest link in the security chain even weaker — and all too frequently, CFOs remain blind to the risk. (See Figure 1.)
For some of a company’s activities, the security offered by shared internal drives or private clouds may not be enough. One alternative to securely sharing financial information externally (as well as internally) is a data room — a discrete physical or electronic space where information is collected, stored, viewed, and controlled.
In our survey, we found that finance executives typically use data rooms for activities that require delimited time periods and more-rigorous controls. These include not only the traditional uses for externally focused activities such as financial reporting (43%) and M&A activity (42%), but increasingly internal uses as well, such as management reporting (35%) and board presentations (32%).
Virtual data rooms (VDRs) — the electronic version of a room with a door and locked-down files — have become a point solution of choice in recent years as a way to store and share documents securely. While 40% of the survey respondents reported never having used a physical data room within the past three years, only 24% said the same for VDRs. In fact, 56% of respondents said their companies have used VDRs either occasionally or regularly.
VDRs vs. The Cloud
With information technologies evolving at an exponential rate, companies now have more options than ever for collection, storage, management, and use of financial and competitive data. In particular, business use of the cloud is varied and growing.
When asked to compare cloud-based information storage and sharing services with VDRs, survey respondents saw the main benefits of the cloud being lower cost (45%), higher capacity (32%), and ease of use (28%). These types of benefits are typically more important when sharing routine finance information on a day-to-day basis.
The benefits of VDRs (versus cloud-based services), according to respondents, were better control over the information stored there (52%), increased security (50%), better usage tracking capabilities (information rights management) (46%), and greater ability to customize to end-user needs (35%). These characteristics are typically valued more in situations involving the most sensitive financial information.
Security by Example
However, one CEO responding to the survey pointed out an all-too-common reason for defaulting to technologies that may not be the most appropriate for secure data: “Better leadership in finance and IT [is needed]. These departments are supposed to serve the business. We use workarounds like Dropbox, Google drives, pen drives, and so on because IT too often doesn’t work right.”
That may be true, but it’s not the whole story. Financial information may be shared in a nonsecure fashion simply because an employee finds it easier, or because the importance of data security hasn’t been a focal point for the company. At the end of the day, even a smart technology solution and a strong corporate policy aren’t enough to keep a firm’s proprietary data safe. Employees, and a supportive firm culture, are the only real guarantors of security.
CEOs and CFOs should consider that a corporate culture of securing financial information must start at the top, with them. To build such a culture, CFOs must (1) work with IT to create a simple, clear set of firm policies for employees to follow; (2) ensure that firm policies are communicated clearly to all employees, monitored regularly, and reinforced by senior leadership messages; (3) personally model and reinforce the appropriate behavior.
[The CFO, one month later] “Before our monthly call, I wanted to let you know that I found out who ‘iPhone5’ is. It’s a little awkward, but I’m afraid it’s me. I forgot that I had looked at the financials on my phone on the train. But that doesn’t change the message: Finance owns financial information security. Let’s start acting like owners.”