Cyber-attacks and data breaches are appearing in the business press with increasing frequency and possibly even a diminishing level of shock and fear-mongering. This makes sense because, with data breaches a constant in the news cycle, they’re almost ceasing to really be “breaking news.” If your firm hasn’t yet discovered that it’s been hacked, just be patient and wait.

Those CFOs who honestly believe that their firms are immune to cyber-attacks and data breaches have already been quietly escorted from the building. The CFOs left standing understand that the cyber threat is continuous, and it is evolving, and it has the potential to be material to their firms’ results (um, that would be on the downside). Typically the CIO/CTO takes the lead in setting up IT defenses and manning the virtual parapets, but what is the CFO’s actual role in preparing for a cyber-attack?

In a recent article in CFO, Steve Durbin of the Information Security Forum (ISF) noted that a CFO can save a company the embarrassment and financial impact of a major breach by ensuring that his firm takes proactive steps in anticipation of targeted attacks. This involves taking the time to both develop a data breach response program and, as important, to rehearse the likely response scenarios before the breach is discovered. The CFO-led response needs to be practiced, precise, and predictable.

Steve adds that establishing cyber security alone is not enough for companies because “normal” risk management techniques focus on the management and control of known or discoverable risks. By its very nature, cyber risk is not something in the realm of the “known.” He suggests, therefore, that the CFO extend his/her risk-management influence to include the concept of risk resilience, in order to manage, respond to, and mitigate any damaging impacts of nefarious cyberspace activity. Steve notes that cyber resilience is about ensuring the sustainability and success of an organization, even when it has been subjected to the almost inevitable attack. It anticipates a degree of uncertainty and recognizes the challenges in keeping pace with increasingly sophisticated threats from malspace.

Steve concludes that, while the CFO has not in the past been viewed as a vital member of the security team at most global organizations, he/she plays a significant role in advocating for and pursuing critical investments that promote long-term business growth. Given the risks that cyber security threats pose in a technology-driven, global economy, today’s CFO must focus on cyber security to ensure that adequate steps are taken to preserve and protect the company’s reputation, stock price, and most valuable information properties.

Mitigating the risk of a data breach with insurance coverage is obviously part of the CFO’s strategy. Coverage should come from a cyber-security-savvy insurer with a complete understanding of the challenges that emerging technologies present to businesses. After all, in a world of rapid technological changes, it is vital for the CFO to always consider risk when pursuing opportunity – even if it’s a risk he/she won’t see until it arrives.

