Corporate leadership must be involved in managing and guiding the direction of a company’s defense against cyber threats. Cybersecurity is not just an information technology responsibility, and finance chiefs should be prepared to partner with the chief information officer in the planning and oversight of cybersecurity preparedness.
Specifically, the CFO needs to understand the relationship between cyber threats and the investments needed to mitigate them. Fortunately, the Federal Financial Institutions Examination Council (FFIEC), an interagency body of U.S. federal financial regulators, has developed a free Cybersecurity Assessment Tool that can go a long way toward helping finance chiefs grasp that relationship at their own companies.
Developed in response to the increasing volume and sophistication of cyber threats, the tool, which can be accessed via the FFIEC website, enables a company to evaluate whether its cybersecurity preparedness (also known as cyber "maturity") is aligned with its risks. It can then help CFOs determine what actions should be taken to bring the two into alignment.
Special Sauce
The FFIEC tool has two basic elements: an inherent risk profile and a maturity level assessment. The risk profile enables finance chiefs to categorize their companies' cyber-related activities, products, and services (such as web-facing applications, digital payments, third-party connections, and frequency of system changes) and identify the corresponding risks. Note that this is inherent risk, the risk before any controls are considered; it allows management to determine the company's overall inherent risk level and the corresponding degree of cyber preparedness needed to match it.
The maturity level assessment provides a measure of how well an organization manages its cyber risks. Using the tool, an organization rates itself from "baseline" to "innovative" in each of five domains of risk management activities and practices, by answering, for each domain, whether the declarative statements describing the practices expected at each level are actually in place.
The combined risk profile and maturity level assessment should provide guidance about which areas have significant risk exposure and indicate what types of changes may be required to minimize risk. In general, a higher level of cyber risk requires a more mature set of control processes and mechanisms.
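One detail a practitioner will want before automating the assessment spreadsheet: a maturity level in a domain is attained only when every declarative statement at that level and at all lower levels is met, so a single unmet "Evolving" statement holds a domain at "Baseline" even if every "Intermediate" statement is satisfied. The following Python is an added example, not part of this article or of the FFIEC tool; it assumes that cumulative rule, that "Yes" and "Yes with compensating controls" both count as met, and that the target maturity is supplied by the reader from the risk profile. The domain names follow the tool's five domains, but the statement counts and answers are constructed sample data.

```python
"""Score FFIEC CAT-style maturity answers under the cumulative-level rule (added example)."""
from typing import Dict, List, Optional, Tuple

LEVELS: List[str] = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
MET = {"Y", "C"}  # assumption: "Yes" and "Yes with compensating controls" both count as met

AnswerSheet = Dict[str, List[str]]  # level -> one response ("Y"/"C"/"N") per declarative statement

# Constructed sample answers: statement counts and responses are illustrative, not the tool's own statements.
SAMPLE_ANSWERS: Dict[str, AnswerSheet] = {
    "External Dependency Management": {
        "Baseline": ["Y", "Y", "C"],
        "Evolving": ["Y", "N"],       # one unmet statement blocks this level...
        "Intermediate": ["Y", "Y"],   # ...even though every statement here is met
        "Advanced": ["N", "N"],
        "Innovative": ["N"],
    },
    "Cybersecurity Controls": {
        "Baseline": ["Y", "Y", "Y", "Y"],
        "Evolving": ["Y", "C", "Y"],
        "Intermediate": ["Y", "Y"],
        "Advanced": ["Y", "N"],
        "Innovative": ["N"],
    },
    "Threat Intelligence and Collaboration": {
        "Baseline": ["Y", "N"],       # baseline not met: no level is attained at all
        "Evolving": ["Y"],
        "Intermediate": ["Y"],
        "Advanced": ["N"],
        "Innovative": ["N"],
    },
}


def _level_met(sheet: AnswerSheet, level: str) -> bool:
    """A level is met only if it has statements and every one of them is answered Y or C."""
    responses = sheet.get(level, [])
    return bool(responses) and all(r in MET for r in responses)


def domain_maturity(sheet: AnswerSheet) -> Optional[str]:
    """Highest level such that it and every lower level are met; None if Baseline is not met."""
    attained = None
    for level in LEVELS:
        if not _level_met(sheet, level):
            break
        attained = level
    return attained


def first_blocking_level(sheet: AnswerSheet) -> Optional[str]:
    """Lowest level with an unmet statement; remediation has to start here."""
    for level in LEVELS:
        if not _level_met(sheet, level):
            return level
    return None


def maturity_gap(attained: Optional[str], target: str) -> int:
    """Number of levels between the attained level and the target (0 when the target is met)."""
    have = -1 if attained is None else LEVELS.index(attained)
    return max(0, LEVELS.index(target) - have)


def gap_report(answers: Dict[str, AnswerSheet], target: str) -> List[Tuple[str, Optional[str], int, Optional[str]]]:
    """Per domain: (domain, attained level, levels short of target, level to remediate first)."""
    report = []
    for domain, sheet in answers.items():
        attained = domain_maturity(sheet)
        report.append((domain, attained, maturity_gap(attained, target), first_blocking_level(sheet)))
    return report


if __name__ == "__main__":
    # Target "Intermediate" stands in for the maturity the risk profile calls for.
    for row in gap_report(SAMPLE_ANSWERS, "Intermediate"):
        print(row)
```

The report is what the CFO and CIO would take into the cost/benefit discussion: the blocking level tells them which statements to fund first, and the gap count shows how far each domain is from the maturity the risk profile implies.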
At this point, the CFO should coordinate with the CIO and IT management to evaluate the required investments, if any. Finance chiefs should provide meaningful cost/benefit analysis of such investments in order to address areas of significant risk exposure.
This includes determining how to handle the risks identified: Should the company mitigate risk by addressing any identified cyber maturity gaps? Are these deficiencies and their risks acceptable? If not, what investments or resource changes, such as outsourcing and insurance, are required to address them?
To illustrate, here are two common risk scenarios many organizations face today. In each, the tool is used to determine an appropriate level of cybersecurity maturity.
Scenario 1. Company A contemplates allowing employees to connect to the corporate network with personal devices. Using the assessment tool, the CFO determines that there is significant inherent risk in allowing employees to connect multiple device types with access to email and other core applications. The finance chief also finds that the company has only rudimentary data loss-prevention controls in place. According to the findings from the assessment tool, this level of risk correlates to a moderate level of cyber maturity and demands these security measures:
- the implementation of data loss-prevention controls;
- a mobile device-management platform that includes integrity scanning; and
- active software validation over the devices.
Therefore, in determining whether to move forward with the initiative, the CFO should meet with IT management to conduct a thorough cost/benefit analysis, comparing the capital costs and operating expenses against the level of risk exposure and perceived benefits to productivity.
The finance chief might also collect data on the costs of providing comparable access through company-owned and controlled devices. Using this data, the CFO would be able to provide an insightful recommendation as to the pros and cons of granting employees company access through personal devices.
Scenario 2. Company B allows third-party suppliers to connect to its internal systems via a remote connection. Using the assessment tool, the CFO finds that there is moderate inherent risk based on the number of third-party users gaining access to internal systems and the complexity of the access paths involved. According to the finance chief's findings from the assessment tool, this level of risk, correlating to a moderate level of cyber maturity, demands the following security measures:
- validated inventory data sets and connections;
- security controls that detect and prevent intrusions from third-party connections;
- monitoring of all external connections; and
- active tracking of third-party user access privileges.
Therefore, to increase its cyber maturity level, the company might need to implement added controls related to the monitoring of external connections and the tracking of third-party user access privileges. The finance chief should coordinate with IT and relevant members of executive management to develop a recommendation similar to the one in Scenario 1. Further, the CFO should take part in identifying and validating the data sets the company does not wish to expose to third-party users, such as customer listings or pricing data, so that those connections can be scoped accordingly.
Conclusions drawn from using the FFIEC Assessment Tool can help CFOs aid their companies in planning for the future. The tool can, for instance, help CFOs answer tough questions like: Is the company investing enough to protect against cyber threats? Is the company focusing on the right areas? Is the company able to anticipate when changes are needed?
The level of preparedness determined from using the model can also have a significant impact on business transactions, especially on potential mergers and acquisitions. If a company is positioning itself for acquisition, its management can use the tool to assess and manage the level of risk observed by a potential buyer during due diligence. The target company would then be prepared to answer any cyber-risk-related inquiries meaningfully in the context of its level of cyber maturity.
Conversely, if a company wants to acquire another company, the potential acquirer's management can assess the level of risk the target represents. The potential acquirer will also be able to ask meaningful due diligence questions to assess the target's cybersecurity maturity.
The ultimate objective of tools such as the FFIEC Cybersecurity Assessment Tool is to help companies identify potential hazards within their current operational structures and gauge their organizations’ levels of cyber maturity. These tools offer a repeatable and measurable way to prepare for and mitigate potential cybersecurity risks.
Patrick Morin is a principal and director of the risk and business advisory practice at Baker Newman Noyes, an accounting and consulting firm.