When finance chiefs ask their teams what they’re doing to protect their employers from cyberattacks, they inevitably get answers involving “IT-specific concerns like malware, firewalls, and virus scans,” writes FM Global CFO Kevin Ingram in our special report on cybersecurity.
But preventing cyber risks requires finance chiefs to look far beyond the realm of the techies. “CFOs need to pause and broaden their perspective, examine cyber-related business risk in the areas of physical security and in industrial controls as well,” according to Ingram.
That’s especially so, given that the work of hackers can have powerful consequences in the physical world. Indeed, cyber attacks have struck utilities and defense and aerospace contractors, Ingram notes.
Another non-tech area of cyber risk is mergers and acquisitions. Citing the threat that the massive data breaches at Yahoo posed to Verizon’s $4.8 billion offer to acquire the company, attorney Craig A. Newman writes that the breaches “underscore an increasingly complex, specialized, and sophisticated aspect of M&A transactions: cybersecurity due diligence.”
But even the most sophisticated corporate buyers are only just now beginning to grasp the extent of cyber risks at target companies. Those risks can alter deal terms, valuation, and post-closing conditions, according to Newman.
Even when cyber risks are in the IT bailiwick, as when a distributed-denial-of-service attack against website manager Dyn left its clients Twitter, Spotify, PayPal, Airbnb, Etsy, and Netflix vulnerable to identity theft last October, key aspects of mitigating risks may be found outside the tech area. “Dyn clearly had a team of experienced professionals in place to resolve an attack that could have destroyed their business,” according to CBIZ Risk & Advisory Services managing director Christopher Roach.
But other companies might be spending too little on developing non-tech employees who are savvy about cybersecurity. “CFOs are spending millions of dollars on software and technology to protect their businesses from cyber crimes, and they should be investing more money in training their own people,” writes Roach.
Indeed, companies should likely step up their cybersecurity defense efforts, considering the growing sophistication of the hackers they face. In our Special Report Feature, “The Corporatization of Cyber Crime,” we report that the cyber underworld has become so organized that criminal groups increasingly resemble 9-to-5 companies, complete with vacation time off for “employees” and help desks to enable corporate victims to pay ransoms more efficiently.
“Buttressed by increasingly hierarchical and stable crime organizations, highly efficient and secretive means of communication, and digital currency, a variety of online criminals are able to move quickly when new opportunities arise,” we write. In such a climate, CFOs would do well to push their companies to develop quicker, more sophisticated responses to defend themselves.