Why Successful CFOs Work to Control Their Data
September 28, 2020 | 8 minute read
A CFO’s Responsibility Towards Data
One of the hot topics debated in board rooms today is cybersecurity. Cyber risk has become a serious financial threat to revenue and to stockholders, and as with every other financial risk in the business, it lands on the desk of the Chief Financial Officer. The average cost of a data breach is approximately 4 million dollars. For companies that violate HIPAA regulations, the fines and penalties can be much higher. Beyond the penalties themselves, there are millions more to cover corrective actions, and further charges as companies spend on attorneys to defend against class-action lawsuits. Don’t forget compensating the victims and covering identity-theft insurance for everyone who may or may not have been impacted by the breach.
Data is now the responsibility of the CFO and should be their primary concern. Beyond the penalties described above, the loss of trust from a consumer base is often irreparable. A serious data breach can bring down even some of the world’s largest corporations if it is not handled correctly. Now that the world’s business structure is data-based, and an equally large and active criminal base is seeking access to that data, it isn’t a matter of if; it is a matter of when and how often. A CFO must plan for breaches and prepare to react to them immediately. Their job is to design a game plan, and to have all employees well trained on it, so that the response to any breach, large or small, is quick and effective.
Cybersecurity: A Critical Challenge for CFOs
CFOs face a wide variety of problems on the job, and cybersecurity may or may not be part of their educational background. That gap in understanding can be one of the most critical challenges a CFO faces. Finding and building solutions to the most significant threats to a corporation’s data security can be handled with appropriate staffing, but only if the CFO understands enough of the problem to staff for it.
It is a global issue across all industries that finding qualified professionals to handle sophisticated cybersecurity and data privacy is the most significant challenge. There are plenty of cybersecurity professionals who are starting out or have the necessary general skills. The ‘specialized’ individuals who can go head to head with sophisticated attackers to protect a company are rare. These top professionals also know how in demand they are, and most small businesses can’t afford their salaries. CFOs find it challenging to hire the elite talent that, in many cases, only the wealthiest and most prosperous corporations can afford.
Why a CFO’s Focus Should Be Cybersecurity and Not IT
It has traditionally been the job of the IT department to handle data security. So, why change? There is no need for a lot of change, but perhaps some reorganization: IT should inherently answer to the CFO. The CFO controls the company’s funds and is often the only executive qualified, or authorized, to sign off on risks, including how data is handled, because mishandled data poses a significant risk to the company’s finances.
Data protection should be the number one priority of the CFO. The CFO position entitles them to create in-house policies that can be applied across the entire company structure to handle all data types. The body of privacy legislation that corporations must adhere to is vast and reaches global proportions. Even U.S. companies must conform to Europe’s General Data Protection Regulation (GDPR) if they want to continue to do business on a worldwide scale. Penalties for a breach could be up to $20 Million or 4% of Global Turnover – whichever is higher. Any time a company is talking about funds of this size, it lands on the CFO’s desk. The CFO can mandate how every department within the company handles and stores data, according to policies that protect against loss from a breach and against the risk of penalties for violations.
Cybersecurity Preparedness Tops Corporate Worries
A top worry for many corporations is how they are handling cybersecurity preparedness. Many regulations, including GDPR, require evidence of data governance procedures, or of the detailed steps the company’s policies took to protect the data’s integrity. Not having good data policies and procedures has put many companies at risk of massive fines for poor strategic decision-making and the misallocation of critical resources. Poor data management comes out publicly and can draw serious scrutiny of a corporation’s trustworthiness, from regulators and the public alike.
Current numbers show that most executives are concerned they would lose a competitive advantage if they could not effectively utilize their customer data. Half of corporate executives use data to benefit the company by decreasing corporate expenses, innovating, and creating new avenues for income. The issue becomes critical when, alongside these numbers and beliefs, one realizes that less than half of all corporations have put together a standardized data governance policy to lower and handle their data risks. What are some necessary steps that could help reduce data risk?
- Create and Review Data Minimization Policies – Create controls and policies for the collection and retention of data. Create training programs for all employees who handle personally identifiable information (PII). Hold a yearly review or privacy assessment with a privacy specialist who can walk the CFO and top IT professionals through every step of the data lifecycle and define better ways to handle risk. Ensure that specific policies for data deletion are followed.
- Insist on Security Controls Around Data Assets – As CFO, hold a semi-annual review with your IT professionals of the security controls governing access to company data assets. Review and define the policies under which management may access data. Identify visibility problems and establish control over which data is stored and retained.
- Encourage Employee Participation in Work Groups – Stay ahead of current government regulations by encouraging employees to participate in privacy law and cybersecurity work groups and committees. Welcome input from employees on anything they discover that could benefit the security of company data, or on changes needed to fit new regulations.
- Create and Review Data Migration Policies – Create and regularly review policies with the business, the data handlers, and IT to determine how data moves. Create a smooth path from input to transaction, storage, and database, ending in a determined deletion date. Ensure that access is limited, that data transfers are smooth, and that backups are secure.
- How Are Backups Protected? – Regularly walk through the security of your backups with your Head of IT. It may seem like a redundant exercise, but making this a regular meeting gives ample time to raise missed items, new items, or concerns as they arise. Addressing every situation quickly and in a timely fashion will help keep the company ahead of many IT and data protection problems.
Risk Management and Preparedness Strategies
A CFO understands that potential investors weigh the company’s risk management policies as heavily as other items such as taxes, environmental record, intellectual property, or financial health. A stock can take a severe nose-dive after a data breach. A CFO must present a detailed data management plan to protect the data and the company’s reputation in the event of a breach. In other words, what insurance plan do you have for when the breach occurs?
Privacy and data security have impacted every part of every industry, and investors are becoming more aware of how these issues affect their portfolios. The CFO’s responsibilities are far more complicated than just understanding credit card information and personal data from customers. In today’s business models, the variety of systems used to collect data is endless: automated financial systems, human resources, customer relationship management (CRM), websites, retail establishments, manufacturing, and even mobile apps. A data breach raises many issues that could cost every part of a corporation, including reputation, consumer confidence, and brand value. That is why successful CFOs work to rule their data.
To take control and rule the data, leading CFOs are becoming the innovators of corporate security. They are the executive superheroes of finance and technology, understanding that by assessing, quantifying, and optimizing cybersecurity, the company gains financial ground. There are four concrete ways a CFO can apply their financial expertise to create risk management policies that will impress stakeholders and reassure future investors.
- Budget Spending – Assess the current budget the IT department is spending on cybersecurity and compare it with similar industry standards. If the bar for your industry is 12% of the IT budget going toward security and your company is only spending 3%, then you may have to readjust. It may also indicate that additional spending is required to bring the company up to current standards.
- Return on Investments – Evaluate the areas where cybersecurity spending is needed, and determine the value received, your return on investment. Do you have the right combination of capabilities? These could include data governance, access management, incident response, or cyber insurance. Many applications combine to create solid data security, but are you using them efficiently?
- Monetization of Risks – When discussing risks with your investors and stakeholders, put a dollar value on them. If you choose to add a new policy and want to discuss the cost-versus-risk tradeoff, don’t say ‘if we invest in this security, there will be a 30% reduction in a breach.’ It is more helpful to you and your board if you explain it in money terms: “If we invest 30K in this new security feature, there is a 30% reduction in a breach. A breach could cost us upwards of million, but with this in place, even if we are hit, the cost of the breach itself could be as low as 0,000. We need to reduce risk in any way possible, so that when the breach occurs, the impact is less.”
- Third-Party Professionals – It is the CFO’s responsibility to consider a third-party vendor’s data security and privacy policies before contracting with them. When making this critical selection and drawing up the contract, the third party must provide the same level of protection for the data that you need and expect.