[BreachExchange] Public Enemy Number One

[Destry Winant]

https://www.gfmag.com/magazine/december-2019/public-enemy-number-one

Data security has emerged as the No. 1 risk concern for many companies
today, and finance executives across the board are worried.

“Cyber-risk is the thing that keeps me up at night,” says Mark
Mishler, veteran CFO, founder of CFO Resource Management and a
professor of finance and accounting at Seton Hall and Rutgers
universities. “When you think about public services being hijacked
with ransomware, companies have the same problem,” he adds. “If that
is allowed to continue, it will have a huge negative impact on
commerce and the economy as a whole.”

These concerns are also having a significant impact on the role of the
CFO, the board and auditors. “Cybersecurity represents one of the most
significant economic, operational and national security threats of our
time,” Kathleen Hamm, a then-member of the US Public Company
Accounting Oversight Board (PCAOB), said in a speech to the 18th
Annual Financial Reporting Conference in May. “The government, private
institutions and individuals each share responsibility for protecting
our individual and collective assets and each other from cyber
threats. Public companies and their officers and directors have
important roles as well. So do auditors.”

This may be remembered as the year data insecurity broke big. Newly
published research by Risk Based Security, a cyberprotection
consulting and research firm, concludes that more than 3,800 publicly
disclosed breaches exposed 4.1 billion personal records in the first
half of 2019, up 54% over the same period last year.

In one of the largest bank hacks to date, over 100 million Capital One
accounts and credit card applications were accessed, revealing up to
140,000 Social Security numbers in the US and 1 million Canadian
Social Insurance numbers in Canada. First American Financial, a
Fortune 500 company providing title insurance and settlement services
to the real estate and mortgage industries, reportedly exposed
customer financial records as far back as 2003. In June, the American
Medical Collection Agency (AMCA), a healthcare-related debt collector,
reported that more than 19 million medical records were exposed.
Consumer lawsuits were filed within days of the initial breach
disclosure and AMCA was forced into bankruptcy within weeks.

Zhang, Tekni-Plex: The CFO needs to make the CEO believe a cyber-risk
program is necessary and then carry it out.

Companies surviving the fallout of data hacks have faced significant
penalties. The 2017 Equifax breach that exposed sensitive information
of many millions of cardholders was settled this year with a fine of
at least $575 million that may reach up to $700 million. Yahoo,
consequent to the discovery of data breaches affecting roughly 3
billion account holders worldwide between 2013 and 2016, has agreed to
pay $117.5 million in class-action suits; and Yahoo’s current owner,
Verizon, plans to spend $306 million between 2019 and 2022 to secure
customer data.

International Efforts

Securities regulators, standard setters and accounting bodies around
the world are redoubling their efforts to make sure companies in all
sectors put cyber-risk mitigation and reporting high on their agendas.
The EU, in particular, is moving fast, requiring that internal
auditors and board members stay on top of a vast amount of regulation
as well as anticipate how future regulatory developments will roll
out. According to a 2018 report by Deloitte, bank executives with
responsibilities for cyber-risk will be tasked with a number of “key
actions” going forward. More specifically, these include early contact
with supervisors to discuss emerging concerns, measuring changes in
their exposure to cyber threats, understanding the evolving regulatory
and risk environment and establishing a clear line of accountability
for data security.

US companies also got a wake-up call in 2019 from the Securities and
Exchange Commission (SEC) with the release of data showing that supply
chain management is the weakest link in data security, as hackers have
accessed vendors’ email accounts and inserted fraudulent requests for
payments—and payment processing details—into electronic
communications. Fraudsters have also corresponded with personnel
responsible for procurement at US banks, requesting changes to
vendors’ banking information and attaching doctored invoices. The SEC
has called for increased scrutiny of manual processes and improved
employee understanding of data security.

Global bodies responsible for training and certification of financial
professionals are moving to ensure that the international
financial-management community is not only aware of the risks, but
prepared to take action. In a report published in May, the Association
of Chartered Certified Accountants (ACCA), a global certification
body, cautioned the financial-management community that much more work
needs to be done on the cyber-risk front and that leaders at the
corporate level must be accountable for their organization’s
cyber-risk exposures. The group more specifically concludes that in
the event of an attack, the CFO is accountable to shareholders and
will be expected to provide accurate assessments of the potential
damage as well as lead internal and external response.

The Way Forward

The ongoing war against cybercrime will have profound effects on the
role of senior finance executives, corporate boards and their
auditors, says Richard Swinyard, managing partner and CFO at Computer
Integrated Services, an access management and security services
company. The heavy focus on data security and compliance in the audit
world will drive CFO behavior in particular, he says: “If companies
can show they’re ahead of the curve, it’s a source of competitive
advantage.”

This means the CFO must understand the changing cyber-risk environment
as well as the evolving regulatory scene, he adds; the biggest
challenge will be building knowledge and working out what’s acceptable
financially.

For the senior finance executive, knowledge is the first line of
defense, says Carolyn Zhang, division CFO at Tekni-Plex, a globally
integrated packaging manufacturer. “As guardians of the company’s
assets,” she says, “we need [to gain] a good understanding of the
risks, then implement a strategic cyber-risk protection and mitigation
agenda, make the CEO believe the program is necessary and then carry
it out.”

While email can leave an open door to hackers, the security of
advanced cloud-based technologies and data storage is also in
question. When it comes to data security, says Zhang, “We’re really
questioning the concept of what is the cloud. Our concern is, who can
see into the cloud, and how equipped is it to protect our data?” The
CFO’s job, she says, is to find answers to these questions before
making an investment in cloud-based technologies.

Auditors, too, are being encouraged to step up their game when it
comes to evaluating companies’ ability to detect and prevent
cyberfraud. Going forward, the PCAOB’s Hamm says auditors will be
expected to take a deeper dive into the cyber-risk exposure and the
controls companies are putting in place to minimize attacks.

Her recommendations translate into more-rigorous corporate governance
around cyber-risk. Auditors will be asking companies to document the
methods they use to prevent and detect cyber incidents that could have
a material effect on their financial statements. Auditors will also
look at the processes companies use to identify and block unauthorized
transactions and to address a material cyber incident once it’s
detected, how they ensure the board is informed, when breaches are
disclosed to investors, whether or not systems have been evaluated for
vulnerability to cyberattacks, and what the expected impact would be
on the company’s operations and financial outcomes.

As to what corporate boards need to do now, the ACCA strongly
recommends they ensure that the responsibility and accountability for
cybersecurity is properly placed; cyber-risk assessments are made
regularly, and risk is quantified; appropriate resources are allocated
to risk prevention, including talent; and breach-recovery programs are
in place. Perhaps most importantly, the ACCA emphasizes that finance
executives must “appreciate that it is not a question of ‘if’ you are
attacked, but of ‘when’ and ‘how.’”