As the principal corporate officers responsible for their companies’ financial operations and conditions, CFOs are, of course, acutely aware of the direct costs of cybersecurity breaches. According to the EisnerAmper Cybersecurity Survey, which focused mainly on businesses with revenues of $50 million to $500 million, 43% of the companies that suffered a breach incurred costs of $100,000 to $499,000.
But the “all-in” costs of a cyber breach can run much higher than that. By one estimate, the average cost of a data breach for U.S. companies of all sizes was $9.4 million in 2022. This included not only direct costs for forensic/investigative services and post-breach remediation but also notification to customers and partners, as well as the near-term interruption and/or loss of business. Beyond the immediate costs, however, the impact on corporate and brand reputation may result in the long-term loss of revenue due to the erosion of customer confidence, which may not be possible to quantify accurately.
While cybersecurity budgets have been rising in an effort to keep pace with the growing number of cyber breaches, it is questionable whether the amounts being spent to prevent breaches are equal to the magnitude of the risk. For 45% of the companies surveyed, the average annual cybersecurity budget was between 4 to 9% of overall IT spend. Alarmingly, however, 32% of respondents are allocating just 1 to 3% of the IT budget to cybersecurity.
Protecting businesses from cyber breaches is not just a matter of spending more but also of taking smart preventative measures to reduce the company’s cyber vulnerability. As financial stewards, CFOs can play a key role in advocating for actions that may not only help reduce the cost of cyber risks but may actually save money for the enterprise.
Training a company’s workforce to recognize and repel cyber threats is an investment that can have significant ROI. Yet, a surprising percentage of businesses are not sufficiently invested in training. Half of the surveyed respondents’ companies conduct regular training and 31% have never held a training event.
The importance of training is underscored by a vital fact: 71% of the executives we surveyed think their next cybersecurity breach will come from inside the organization, likely due to accidental staff error. The CFO can help to ensure that an appropriate amount is budgeted for training.
In our experience, engaging a third party to evaluate the company’s cybersecurity posture is an investment that pays major dividends. Such an evaluation should include a vulnerability scan for malware, a comparison of the company’s defenses versus a “best-case” framework to identify gaps, and recommendations for policies and protocols to remedy potential security lapses.
The ultimate goal of any hacker is to extract money from a business. As such, businesses should include a cash disbursement audit as part of the assessment to determine whether the processes being used to issue corporate funds have controls commensurate with the risks. A series of well-thought-out controls can have multiple layers of assurance that can safeguard a business so that even if a hacker does enter into a conversation they would be thwarted by such controls or at least damage would be minimal.
The fact that cybercrime is a constantly evolving threat argues for the use of outside consultants, who will have experience across multiple businesses and situations. For example, we are seeing more and more cases where malware may have been installed months ago but was not used immediately. Rather, the malefactors used their entry into the network to “scout around” for weak points, tempting targets, and other information they might use to their advantage. It’s as if a burglar broke into a home and hid in the attic for a few months, using the time to learn where the family’s valuables are kept.
One of the key elements of a comprehensive cybersecurity assessment is Identity Access Management (IAM). Essentially the IAM process is an inventory of internal employee access, such as email addresses and authorized users of the company’s VPN. We often find companies still have large numbers of former employees’ and consultants’ identities on their systems, a problem that has proliferated due to remote work models and the recent wave of staff reductions. Bad actors can use these inactive accounts as entry points into the company’s network. For example, our firm conducted an IAM assessment for one client that had roughly 400 employees but nearly 2,000 email accounts active in various systems.
Closing out inactive employee emails, including those of recently terminated or resigned employees, not only reduces the vulnerability to cyberattacks but can also eliminate some costs associated with operating larger-than-needed software licenses. Those are funds that could be redeployed into other cybersecurity initiatives.
Cyber liability insurance is increasingly common but it is important to read the fine print. Many cyber policies provide first-party coverage for forensic/investigative services, recovery or replacement of lost data, ransom payments, customer notification costs, lost income due to business interruption, fines and penalties, and related legal and crisis management expenses. A business may want to obtain additional third-party coverage, including payments to affected customers, claims related to litigation, and other settlements, damages, and judgments.
CFOs should be aware that in recent years insurance providers have begun tightening underwriting guidelines and clarifying coverage intent in their policy language. Due to an increase in cybercrime, greater claims frequency, and more severe ransomware demands, insurers are adjusting coverage and pricing to be more reflective of the potential risks and exposures. A careful review of the insurance policy language, terms, and conditions is essential to avoid being under-insured.
CFOs must carefully assess the financial impact of cybersecurity measures, including the training, third-party evaluation, and insurance factors noted above. While the cost of such protections can be considerable, it pales beside the cost of not having them in place. CFOs can and should play a vital role in ensuring that the investment in cybersecurity not only matches the potential risk exposure, but also is sufficient to protect the company’s ongoing operations, its established reputation, and its long-term brand value.
Rahul Mahna is a partner at Eisner Advisory Group and leads the outsourced IT services team.