2024 Global Finance Trends Survey Report

CFOs Address a Data Security and Privacy Triple Threat

A trifecta of cybersecurity risk factors has lifted data security and privacy to the top of the chief financial officer (CFO) priority list. According to Protiviti’s annual Global Finance Trends Survey, 61% of finance leaders and professionals rate this area as a high priority for the coming year due to concerns that include cybersecurity disclosure requirements, rising threats of cyber warfare and extortion, and the soaring value of data assets. Publicly held companies rate the importance of data security and privacy higher (65%) compared to private organisations (57%).

The gravity CFOs ascribe to cybersecurity reflects issues such as the rise of nation-backed hacking groups, collateral impacts from cyber warfare in the Middle East conflicts and the Russia-Ukraine war, and the fact that digital assaults from bad actors are growing more powerful, more refined, and more costly to organisations that are on the receiving end of the attacks. In addition, organisations’ insatiable thirst for more data – including financial, nonfinancial, structured and unstructured data – heightens the need to protect data assets, the value of which continues to climb. Finally, as more internal and external data supports regulatory disclosures and reporting requirements, that information must be subjected to the sophisticated controls, accuracy assurance and compliance savvy that reside within finance groups.

Given their roles as stewards of the organisation’s financial data (and much of its performance data), new and emerging security and privacy regulatory and disclosure mandates loom large for CFOs. Publicly listed companies have begun filing 10-K annual reports and 8-K cybersecurity incident reports in accordance with the amended Cybersecurity Disclosure Rule the U.S. Securities and Exchange Commission adopted last summer. In the European Union, the Network and Information Security Directive 2 expands the scope of the original directive to enhance cybersecurity across the entire European region by unifying national laws with common minimum requirements.

Complying with these rules requires a combination of expertise in regulatory compliance and reporting, risk management, cybersecurity, incident response, and data governance. CFOs are working closely with their information security counterparts while performing related activities to strengthen data security and privacy, including the following:

  • Pursuing multilateral education: In addition to educating CIOs and information security leaders on materiality evaluations, board reporting on financial statement disclosures, and the organisational (and personal) risks of cybersecurity disclosure errors and misrepresentations, CFOs are learning about incident recovery costs, remediation efforts and the nature of compromised data from their CISO counterparts. And both CFOs and CIOs are educating boards of directors.
  • Improving board reporting: CFOs need to ensure their boards have timely access to information concerning cybersecurity risks and capabilities by helping to define roles, responsibilities and collaborations among the disclosure committee, individual executives, financial and public reporting preparers, and other contributors to the disclosure process.
  • Establishing and fortifying accountability: While backup signatures provide a “chain of certifications,” they may not provide assurance that reliable information is being furnished to management for timely disclosure. Instead, leading CFOs create a “chain of accountability” by linking required disclosures to internal reporting processes that deliver the necessary information in a timely manner to those making disclosure decisions.

Other work related to new disclosure and reporting requirements also reflects the CFO’s increasingly hands-on cybersecurity role. Finance leaders are developing new materiality frameworks for security and privacy breaches and monitoring how cybersecurity disclosures from other publicly listed companies are evolving (and, when called for, recalibrating their own disclosures to reflect leading practices).

Additionally, CFOs continue to collaborate with their board and C-suite colleagues to find new ways to strengthen the organisation’s overall cybersecurity processes as regulators, bad actors and investors intensify their scrutiny of this crucial capability.
