Cyber and the CFO

Press/Media: Research


Contribution to the 2019 survey report by the ACCA.

Period: 1 Jul 2019

Media contributions


  • Title: Cyber and the CFO
    Country/Territory: United Kingdom
    Description:
    Cyber risk is one of the most talked-about business risks. In our increasingly disrupted world it is at the forefront of our minds.
    There are frequent major news stories about the theft of personal data from large organisations. There is continued debate about the use of our data by social media organisations and how this should be regulated (and whether regulation itself can keep pace with the evolving technology). Many cyber-attacks go unreported but can be just as significant to the organisations and individuals affected by them.
    Yet how many of us really understand the nature of the risk and the full business implications of it? From the results of a survey conducted by ACCA and CA ANZ, it appears that the answer for most members is ‘few’. Yet it is a risk that has significant financial and reputational implications.
    One estimate of the cost of cyber-crime globally is that it will reach US$6 trillion by 2021 (Cyber Ventures 2018). Regulators are increasingly taking a tougher stance on organisations that fail to address the risk adequately, whether through penalties imposed after data theft or through other compliance requirements. As finance professionals we need to be aware of these impacts (Clifford Chance, 2018).
    Organisations frequently comment that cyber security is one of the most significant threats that they face, yet the respondents to the survey of their members conducted by ACCA and CA ANZ showed that 54% of them were either not aware of whether their organisation had suffered an attack or thought that they had not been.
    Many see cyber security as somebody else’s problem, and one that does not have financial implications. This may in part be owing to a reliance on IT specialists to provide a level of technical and operational assurance. In a fast-moving and interconnected world this is no longer the case. The traditional boundary of the organisation represented by the firewall is being replaced by one where authenticating the user is more important. The weakest link may well be in the connected supply chain, yet our survey results suggest that many do not take an active role in addressing this risk.
    As organisations increasingly integrate supply chains, in a ‘24/7’ world our responses to actions and reputational damage are also a significant factor. This can affect share prices and company valuations. It is also an issue for mergers and acquisitions as well as for day-to-day trading.
    This report considers the level of understanding of these risks by the members of the two bodies and contrasts this with the level of risk that organisations face.
    One thing that can be said about the cyber threat is that it is evolving. Chapter 6 of the report provides an overview of the threats. Understanding these is an important step in ensuring that an organisation understands cyber risk and has an appropriate level of cyber governance.
    Being prepared for the inevitable attack is essential. But it is not only a question of mitigating the attack, it is also one of leading the way out of the aftermath. Successful organisations recognise the need to maintain contact with customers and suppliers in the hours, rather than the days, ahead.
    The finance community cannot stand by and leave the issue to other people. It is a significant business-wide risk. It should be treated as such and regularly appraised and acted upon. As individuals, we need to take personal steps to ensure that we are fully aware of the threat – organisations need to do more than isolated activities to address these issues, as outlined in this report. This starts with strong governance involving educating individuals who would otherwise be too passive in their reactions and would thereby expose the organisation to significant financial risk. It also includes having robust plans for managing, and recovering from, the inevitable.
    Persons: Vladlena Benson


  • cybersecurity
  • risk management
  • CFO