BDO’s top ten things CFOs should do immediately about cyber security
26 September 2018
Original content provided by BDO
BDO has conducted throughout 2018 discussions with Chief Financial Officers (CFOs) from hundreds of global industries, including financial services, healthcare, government contracting, automotive, manufacturing, private equity, and law firms.
In these conversations, it became apparent that Chief Financial Officers are frustrated by a ‘knowing’ versus ‘doing’ gap. This is understandable, since most C-Suite members or Board Directors never receive appropriate cyber security education and training.
Chief Financial Officers need not become Certified Information Systems Security Professionals. Rather, CFOs should increase their knowledge of core cyber security concepts and leverage their own leadership skills to conceptualise and manage risk in strategic terms, and to decide how best to invest their time and resources to improve cyber defence.
To address this Know/Do gap, BDO provides a list of 10 effective, proactive actions any Chief Financial Officer can undertake immediately to enhance his or her company’s cyber defence.
Top ten things Chief Financial Officers should do immediately about cyber security
Determine what the organisation’s most valuable information/digital assets are: Cyber-attacks and security breaches will continue to occur and will negatively impact the business. Today, the average cost of the impact of a cyber breach is $7.5 million according to the US Securities and Exchange Commission (SEC).
Determine how much cyber liability insurance coverage is necessary to financially protect the company’s assets.
Determine what the organisation’s risk of a cyber breach is: According to most cyber security surveys, over 60% of all data breaches originate from unauthorised access by one of the organisation’s current employees, former employees, or third-party suppliers. Has your organisation created an insider-threat programme to mitigate the risk of a cyber breach from within the organisation?
Achieving information security compliance with one or more government or industry standards for information security (e.g. ISO 27001, NIST 800-171, HIPAA, NYDFS, AICPA SOC) is good, but not sufficient to ensure real cyber security. What actions should our organisation take to ensure real cyber security?
Conduct an independent email and network threat assessment. If one was recently conducted, what were the results?
Obtain an independent assessment of the adequacy of our cyber liability insurance coverage. Cyber liability insurance premiums are significantly increasing in cost and often do not cover all of the damages caused by a cyber breach.
See that Monitoring, Detection, and Response (MDR) and Managed Security Services (MSS) are combined, to achieve real information security and data resilience. Determine whether the internal resources exist to perform MDR work or whether it needs to be outsourced. If so, how much will it cost?
Determine if the organisation has comprehensive incident response (IR), disaster recovery (DR) and business continuity plans (BCP).
Undertake scenario thinking and ask: If we are attacked by ransomware, would we pay the ransom? If so, how much should be budgeted? Will it be covered by our cyber liability insurance?
Organisations may not realise how valuable a cyber security strategy is until there’s a vulnerability. BDO wants to make sure your organisation never faces that situation. BDO professionals are available to provide guidance and specialised resources surrounding any cyber security issue. To contact BDO's Global Cyber Security Team, visit www.cybersecurity.bdo.global.