For CFOs, Cybersecurity Risk Is Like an Iceberg

Hidden in the depths are cybersecurity perils that could really bring down suppliers, partners, and systems.
Jeffrey A. BurchillJuly 7, 2015

Prior to 2005, people occasionally speculated on what might befall New Orleans if a major hurricane were to land. The conversation was merely academic until the horror of Katrina played out in stark reality.

Jeffrey Burchill, CFO, FM Global

Jeffrey Burchill, CFO, FM Global

The naïve, pre-catastrophe state is very much like where we are today with cybersecurity. The data breaches American businesses have experienced so far are mere thunderstorms and nor’easters. Most of us have yet to suffer the fearsome Big One.

Are we truly ready for bigger and more serious cyberattacks? Do we even know what all the risks are? Many are obvious, but others are hidden. For CFOs, cybersecurity risk is like an iceberg.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

Above the waterline are the visible concerns: hackers, malware, and valuable data. Many business leaders have done a pretty good job addressing these vulnerabilities (not perfect, but pretty good). We’ve heeded our boards’ concerns and sat down with our CIOs to shore up our technologies, password practices, and email usage guidelines. By and large, employees today know enough not to click on weird links from suspicious senders.

Opinion_Bug7Hidden in the murky depths, however, are dangers that could really bring down the ship: suppliers, partners, systems, and internal actors. To fully protect a company, CFOs should lead it in a thorough review of these areas of vulnerability.

Your suppliers. No matter how well you’ve secured your own business against cyberthreats, you’re still exposed to risk through your partners. Let’s say you’re a manufacturer: what if one of your key suppliers is attacked, disrupting that supplier and your operations as well? In this way, a cyberattack can look very much like the Thailand floods that roiled the tech industry in 2011, making winners of companies with resilient supply chains.

Although a supply chain disruption may not be your fault per se, that fact doesn’t protect you from the repercussions. Smart companies will shore up risks throughout their supply chain so that they can sail through potential disruptions or bounce back before competitors. These are the companies whose reputations grow – as does their market share, revenue and shareholder value – during turbulent times. Unprepared companies suffer the opposite fate. Be proactive in the enterprise risk management process in ensuring the resilience of your partners and suppliers, and verifying their cybersecurity certifications.

Partners. No matter how secure your supply chain, your service partners are also points of vulnerability. What if hackers attack your bank, steal your money, or seize your sensitive information? What effect will that have on your business?

Systemic threats. A data breach is terrifying enough. You can lose customer names, financial information, intellectual property, and private health information. What we have not seen yet are cybersecurity’s unthinkable property threats. What if a hacker gains control of the power grid, a water treatment plant, or a blast furnace?

Internal threats. Firewalls used to keep the bad guys out. Now reality forces us to accept the likelihood they’ll get in, either by phishing or working for you. What do you do once the worm’s in?

Just as emergency flood response plans assume the water will come, and fire drills assume there will be flames, CFOs need to ensure their companies have plans that go far beyond the prevention of successful cyberattacks. Plan for detecting them, containing them, expunging them and safely resuming normal operations.

Cybersecurity, however, is a still-developing exposure, and there’s a lot of unknown about the myriad ways a cyberattack can devastate a business, much less a community or nation.

Many of American business’s cyber-risk management processes are based on limited experience with past attacks, but it’s clear that more will come. In some cases, there will be incidents that CFOs like us have yet to contemplate or experience. These Big Ones will affect data, systems and infrastructure in new ways. Profound ways. Are you ready?

Jeffrey A. Burchill is senior vice president of finance and chief financial officer of FM Global, one of the world’s largest commercial and industrial property insurers. Burchill has held this position since 1999.