Finance teams are being asked to take on a larger role in defending their companies from emerging cyber-risks, according to a recent survey.
In the survey of 389 financial executives, conducted by the American Institute of CPAs (AICPA), 73 percent said they are more involved, while another six percent said cyber-risk mitigation has become the primary responsibility of the finance function. Breaking those numbers down, 35 percent said they are “slightly” more involved, while 22 percent said “moderately” more involved, and 16 percent said “significantly” more involved. Twenty-one percent said they are not involved at all.
“With today’s businesses facing a heightened risk of cyber-attacks, they are in need of strong risk identification and mitigation strategies driven by collaboration between business units across the company,” said Ash Noah, vice president of CGMA external relations for the AICPA. “The finance function has a unique view into the complexities of the business as well as an in-depth understanding of the industry, markets and risk climate, yielding important insights for a company’s strategic direction.”
“As the finance function continues to evolve to become more business-centric, it’s critical for finance executives from the CFO down to play a driving role in preparing for and addressing potential cyber-risks for the long-term growth of the company,” Noah added.
With data breaches on the rise, it should come as little surprise that the fear of a breach occurring has also increased. Almost all respondents (96 percent) said they have at least some level of concern about the threat of a breach, including distributed denial of service (DDoS) attacks, phishing scams, and other cyber-attacks.
When asked if their company suffered a cyber-attack in the past two years, 55 percent said “no,” while 30 percent said “yes,” representing a 22 percent increase from 2014. Over 20 percent of respondents said cyber threats are worse than what has been reported in the media.
Companies are responding to the increased threat of a data breach in a variety of ways. The three most common measures are increasing employee awareness and accountability regarding prevention of phishing (78 percent); increasing spending on cyber-security (56 percent); and strengthening policies regarding third-party vendors to address potential vulnerabilities (31 percent).
Other measures companies are taking include securing or increasing liability insurance in the event of business disruptions due to data breaches or a cyber-attack (23 percent) and adding positions to address cyber risks. Another 12 percent said they’ve made no changes.
As the cyber-risk climate evolves, all companies must employ an effective risk oversight and mitigation program. The AICPA recommends that companies assess the efficacy of the organization’s current approach to cyber-risk oversight in the light of emerging threats, consider the extent to which critical risks may occur and not be detected by risk managers, and implement greater cross-collaboration throughout the organization.
The AICPA further recommends that companies assess the extent to which cyber-risk management is an important input to the strategic planning process and adjust risk management processes as needed, and implement a structured set of cyber risk identification, assessment and monitoring processes that requires focus and accountability at the board and senior management levels.