Defending against cyber-risk is the future for boards, auditors and finance executives, say regulators. It’s expensive, resource-intensive—and unavoidable.
Data security has emerged as the No. 1 risk concern for many companies today, and finance executives across the board are worried.
“Cyber-risk is the thing that keeps me up at night,” says Mark Mishler, veteran CFO, founder of CFO Resource Management and a professor of finance and accounting at Seton Hall and Rutgers universities. “When you think about public services being hijacked with ransomware, companies have the same problem,” he adds. “If that is allowed to continue, it will have a huge negative impact on commerce and the economy as a whole.”
These concerns are also having a significant impact on the role of the CFO, the board and auditors. “Cybersecurity represents one of the most significant economic, operational and national security threats of our time,” Kathleen Hamm, a then-member of the US Public Company Accounting Oversight Board (PCAOB), said in a speech to the 18th Annual Financial Reporting Conference in May. “The government, private institutions and individuals each share responsibility for protecting our individual and collective assets and each other from cyber threats. Public companies and their officers and directors have important roles as well. So do auditors.”
This may be remembered as the year data insecurity broke big. Newly published research by Risk Based Security, a cyberprotection consulting and research firm, concludes that more than 3,800 publicly disclosed breaches exposed 4.1 billion personal records in the first half of 2019, up 54% over the same period last year.
In one of the largest bank hacks to date, over 100 million Capital One accounts and credit card applications were accessed, revealing up to 140,000 Social Security numbers in the US and 1 million Canadian Social Insurance numbers in Canada. First American Financial, a Fortune 500 company providing title insurance and settlement services to the real estate and mortgage industries, reportedly exposed customer financial records as far back as 2003. In June, the American Medical Collection Agency (AMCA), a healthcare-related debt collector, reported that more than 19 million medical records were exposed. Consumer lawsuits were filed within days of the initial breach disclosure and AMCA was forced into bankruptcy within weeks.
Companies surviving the fallout of data hacks have faced significant penalties. The 2017 Equifax breach that exposed sensitive information of many millions of cardholders was settled this year with a fine of at least $575 million that may reach up to $700 million. Yahoo, consequent to the discovery of data breaches affecting roughly 3 billion account holders worldwide between 2013 and 2016, has agreed to pay $117.5 million in class-action suits; and Yahoo’s current owner, Verizon, plans to spend $306 million between 2019 and 2022 to secure customer data.
Securities regulators, standard setters and accounting bodies around the world are redoubling their efforts to make sure companies in all sectors put cyber-risk mitigation and reporting high on their agendas. The EU, in particular, is moving fast, requiring that internal auditors and board members stay on top of a vast amount of regulation as well as anticipate how future regulatory developments will roll out. According to a 2018 report by Deloitte, bank executives with responsibilities for cyber-risk will be tasked with a number of “key actions” going forward. More specifically, these include early contact with supervisors to discuss emerging concerns, measuring changes in their exposure to cyber threats, understanding the evolving regulatory and risk environment and establishing a clear line of accountability for data security.
US companies also got a wake-up call in 2019 from the Securities and Exchange Commission (SEC) with the release of data showing that supply chain management is the weakest link in data security, as hackers have accessed vendors’ email accounts and inserted fraudulent requests for payments—and payment processing details—into electronic communications. Fraudsters have also corresponded with personnel responsible for procurement at US banks, requesting changes to vendors’ banking information and attaching doctored invoices. The SEC has called for increased scrutiny of manual processes and improved employee understanding of data security.
Global bodies responsible for training and certification of financial professionals are moving to ensure that the international financial-management community is not only aware of the risks, but prepared to take action. In a report published in May, the Association of Chartered Certified Accountants (ACCA), a global certification body, cautioned the financial-management community that much more work needs to be done on the cyber-risk front and that leaders at the corporate level must be accountable for their organization’s cyber-risk exposures. The group more specifically concludes that in the event of an attack, the CFO is accountable to shareholders and will be expected to provide accurate assessments of the potential damage as well as lead internal and external response.
The Way Forward
The ongoing war against cybercrime will have profound effects on the role of senior finance executives, corporate boards and their auditors, says Richard Swinyard, managing partner and CFO at Computer Integrated Services, an access management and security services company. The heavy focus on data security and compliance in the audit world will drive CFO behavior in particular, he says: “If companies can show they’re ahead of the curve, it’s a source of competitive advantage.”
This means the CFO must understand the changing cyber-risk environment as well as the evolving regulatory scene, he adds; the biggest challenge will be building knowledge and working out what’s acceptable financially.
For the senior finance executive, knowledge is the first line of defense, says Carolyn Zhang, division CFO at Tekni-Plex, a globally integrated packaging manufacturer. “As guardians of the company’s assets,” she says, “we need [to gain] a good understanding of the risks, then implement a strategic cyber-risk protection and mitigation agenda, make the CEO believe the program is necessary and then carry it out.”
While email can leave an open door to hackers, the security of advanced cloud-based technologies and data storage is also in question. When it comes to data security, says Zhang, “We’re really questioning the concept of what is the cloud. Our concern is, who can see into the cloud, and how equipped is it to protect our data?” The CFO’s job, she says, is to find answers to these questions before making an investment in cloud-based technologies.
Auditors, too, are being encouraged to step up their game when it comes to evaluating companies’ ability to detect and prevent cyberfraud. Going forward, the PCAOB’s Hamm says auditors will be expected to take a deeper dive into the cyber-risk exposure and the controls companies are putting in place to minimize attacks.
Her recommendations translate into more-rigorous corporate governance around cyber-risk. Auditors will be asking companies to document the methods they use to prevent and detect cyber incidents that could have a material effect on their financial statements. Auditors will also look at the processes companies use to identify and block unauthorized transactions and to address a material cyber incident once it’s detected, how they ensure the board is informed, when breaches are disclosed to investors, whether or not systems have been evaluated for vulnerability to cyberattacks, and what the expected impact would be on the company’s operations and financial outcomes.
As to what corporate boards need to do now, the ACCA strongly recommends they ensure that the responsibility and accountability for cybersecurity is properly placed; cyber-risk assessments are made regularly, and risk is quantified; appropriate resources are allocated to risk prevention, including talent; and breach-recovery programs are in place. Perhaps most importantly, the ACCA emphasizes that finance executives must “appreciate that it is not a question of ‘if’ you are attacked, but of ‘when’ and ‘how.’”