The Importance of Empowering CFOs Against Cyber Threats
Working closely with CISOs, chief financial officers can become key players in protecting their organizations' critical assets and ensuring long-term financial stability.
COMMENTARY
Cybersecurity has spurred many changes in the past five years, from the technology and tools needed to protect an organization from cyberattackers to the skill sets required by IT professionals. The consistent and ongoing ripple effect has also influenced organizational roles and responsibilities. Arguably, one of the most dramatic shifts has been the role of the chief financial officer (CFO).
Today's CFOs must be collaborative leaders, willing to embrace an expanding role that includes protecting critical assets and securing the bottom line. To do this, CFOs must work closely with chief information security officers (CISOs), due to the sophistication and financial impact of cyberattacks. Financial professionals understand data flows and financial processes, while security professionals know the latest cyber threats and best practices to combat those threats. Combining this expertise results in more informed technical investments, faster detection of anomalies, and stronger overall cybersecurity measures.
This enhanced approach is critical as payments and unsuspecting financial professionals increasingly become the targets of cyberattacks. Both are prime targets because of the volume of money and transactions they process, often manually, which leaves organizations even more vulnerable to phishing schemes that can go undetected for months. Collaboration between finance and security departments is crucial to threat detection, maintaining compliance, addressing third-party risks, and providing companywide cybersecurity education and training.
The Impact of a Security Breach
The increasing financial impact of a cyberattack alone mandates CFO involvement in cybersecurity matters. According to IBM's "Cost of a Data Breach Report 2024," the global average cost of a data breach reached $4.88 million in 2024, a 10% increase over last year. This substantial financial risk underscores why CFOs must now consider cybersecurity a primary concern for an organization's economic health.
CFOs are uniquely positioned to understand the potential financial devastation from cyber incidents. The costs associated with a breach extend beyond immediate financial losses, encompassing longer-term repercussions, such as reputational damage, legal liabilities, and regulatory fines. CFOs must measure and consider these potential financial impacts when participating in incident response planning.
Compliance Requires Protection
The regulatory landscape for CFOs has evolved significantly beyond Sarbanes-Oxley. The Securities and Exchange Commission's (SEC's) rules on cybersecurity risk management, strategy, governance, and incident disclosure have become a primary concern for CFOs and reflect the growing recognition of cybersecurity as a critical financial and operational risk.
The SEC's cybersecurity rules require public companies to disclose material cybersecurity incidents within four business days and provide periodic updates on their cybersecurity risk management, strategy, and governance. This places significant responsibilities on CFOs, who must ensure timely disclosure of cyber incidents and help to develop and implement risk management strategies. As a result, CFOs must work closely with CISOs, board members, and executives to establish effective cybersecurity governance and provide detailed reporting on the company's cybersecurity posture and incident response capabilities.
CFOs must also navigate other cybersecurity regulations, such as the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA), and similar state-level regulations, and adhere to industry-specific regulations like the Health Insurance Portability and Accountability Act (HIPAA). These regulations carry significant financial penalties for noncompliance, further emphasizing the critical role CFOs play in managing cyber-risks. As a result, CFOs must now be well-versed in cybersecurity best practices, incident response protocols, and the evolving regulatory landscape to protect their organizations' financial interests and maintain compliance effectively.
Collaboration and Allocation
Adding to the complexity, the CFO is now a cross-functional collaborator who must work closely with IT, legal, and other departments to prioritize cyber initiatives and investments. They must also work with the CISO and chief information officer (CIO) to educate the CEO and the board on cybersecurity matters and communicate broadly, at times, with employees, customers, partners, and investors.
CFOs need to consider the corporate strategy and broader business decisions as they help determine the company's approach to, and investment in, cybersecurity tools and technologies. This level of decision-making requires CFOs to understand the cyber landscape, threats and trends, and viable investment strategies. This expanded role requires CFOs to help their organizations build resilience against cyber threats while ensuring that security measures are cost-effective and aligned with overall business strategy.
How CFOs Can Succeed
Working closely with CISOs, CFOs can become key players in protecting their organizations' critical assets and ensuring long-term financial stability. To succeed in this new landscape, CFOs must foster strong partnerships with CIOs and CISOs, develop a deep understanding of cybersecurity risks and technologies, and integrate cybersecurity considerations into all aspects of financial planning and risk management. Doing so can help organizations build resilience against cyber threats while supporting broader business objectives and growth strategies.