Finance teams becoming involved in cyber risk mitigation oversight
CFOs and their finance teams are toughening policies on suppliers and increasing insurance coverage as they are asked to take on a larger role in defending their companies from emerging cyber risks, according to a new survey of Chartered Global Management Accountant (CGMA) designation holders.
More than 95% of CGMAs surveyed said their companies are concerned with the threat of database breaches, DDoS attacks, phishing scams and other cyber attacks. Nearly three quarters, 72%, said their companies have asked the finance function to take on more responsibility to mitigate these risks.
Additional findings from the survey include:
- 30% of respondents said their business fell victim to a cyber attack in the past two years – an increase from 22% in 2014
- Over 20% of respondents said cyber threats are worse than what has been reported in the media
- Fear of the threat of cyber attacks is increasing, with about 68% of respondents saying their company is moderately or significantly concerned with the threat of cyber attacks, compared to 62% in 2014.
As part of their cyber risk mitigation tactics, respondents toughened their policies regarding third-party vendors to address potential vulnerabilities (31%) and secured or increased liability insurance to cover business disruptions caused by data breaches or cyber attacks (23%), among other strategies.
As the cyber risk climate evolves, it is critical for all organizations to employ an effective risk oversight and mitigation program. Strategic steps organizations can take to protect their businesses include:
1. Assess the efficacy of the organization’s current approach to cyber risk oversight in light of emerging threats.
2. Consider the extent to which critical risks may occur without being detected by siloed risk managers, and implement greater cross-collaboration throughout the organization.
3. Assess the extent to which cyber risk management is an important input to the strategic planning process and adjust risk management processes as needed.
4. Implement a structured set of cyber risk identification, assessment and monitoring processes that requires focus and accountability at the board and senior management levels.