ICAEW.com works better with JavaScript enabled.

Cyber month: CFOs should take the lead

Author: ICAEW Insights

Published: 17 Oct 2023

Cyber security is a major priority for most large organisations, but the best prepared have CFOs who take an active role in managing cyber risk.

Cyber security has been a hot topic for big business for at least the past five years. Major hacks at organisations such as Sony, Apple, Meta and Samsung, among others, have put the risks to major corporations in the headlines. It is very unusual to find a major corporation that has not invested heavily in cyber security measures. Employees are put through regular cyber security training, two-factor authentication and firewalls are commonplace and cyber risk as an issue sits with the board of directors in most cases.

But technology can only go so far. Phishing, malware and ransomware rank as the biggest cyber risks to business, according to research conducted by Deloitte. Although ‘human error’ appears a little further down the list, it is a factor in most phishing, malware and ransomware incidents. 

“You can't get all of your controls in place and make them work 100% of the time,” says Julia Seppä, a Strategic Client Programme Manager in Risk Advisory for Deloitte Finland. “If it’s a highly sophisticated actor that wants to get in, they will get in – no doubt. It’s all about how you manage the cyber incident, how quickly you detect that someone is in your network, and how quickly you can isolate the affected systems and devices.” 

Phishing, malware and ransomware go hand in hand, Seppä explains. The challenge in that case is that certain systems might not be working anymore. Certain elements of the operation might need to be shut down, and it’s imperative that things can be brought back to normal quickly. 

While complacency isn’t necessarily an issue in larger organisations, workload is, she says. When people are under a heavy workload, the importance of cyber might be put to one side and they may not be as vigilant. With the current prevalence and sophistication of attempted cyber attacks, it only takes one of many to get through for massive disruption to be caused.

ICAEW members are experts in finance, but as the world and business becomes more complicated, it’s important for accountants to have a wider understanding of what’s going on. They are generally clued up about the risks of cyber attacks, but even the best of us can fall foul of a phishing attack, says Seppä.

While it might not seem like a direct remit, the CFO and the finance function must play a significant role in managing cyber risk, she says. “If cyber risk is at the board and strategic level, then the CFO needs to understand how cyber risk is being managed. That means, in this case, how to prevent cyber attacks from happening. You have a limited budget, you have limited resources, and if a highly sophisticated actor wants to get access to your research and development, or just wants you to stop operating, they will get in. You need to know how you detect, respond, isolate and restore the system to minimise the risk.

“While it depends on the role and the responsibility, a lot of it comes down to the basics. Remember to pause and reflect if you’re sent a change of a supplier’s bank details or an unusual request for payment, especially if you’re responsible for approving payments.” 

The CFO has a major role when it comes to managing cyber risk. That means helping to update or define the cyber strategy, or approving the cyber budget. The CFO is responsible for regulatory compliance and there are certain regulations connected with cyber security, depending on the industry sector. “If you want to be on top of your game, you need to understand different cyber security regulations, particularly around banking or insurance.”

CFOs involved in mergers and acquisitions should also consider cyber security as part of due diligence. A high risk of hacking or being targeted by cyber attackers can affect the valuation of a company. CFOs are also looking after the control environment, working with audit and risk committees in the organisation. “This means operational controls and financial controls, but also cyber security controls,” says Seppä. “So you want to make sure that those are in place as well.”

A close relationship with the Chief Information Security Officer is critical in big organisations, she adds. “The tone from the top really matters. The best CFOs I have worked with get actively involved with major cyber incident exercises. As someone who manages risk, the CFO should take the lead and be an example to the rest of the organisation, so that people across the board are prepared to respond and recover should an incident take place. That’s a critical role for the C-suite to play.”

Latest cyber security articles

You've been hacked!

ICAEW marks the 20th anniversary of global Cyber Security Awareness month with a series of resources to help you know what to do when a cyber attack happens.

Cyber Security Awareness month 2023

Further resources

Keep up-to-date with tech issues and developments, including artificial intelligence (AI), blockchain, big data, and cyber security.

Keep up-to-date with tech issues and developments, including artificial intelligence (AI), blockchain, big data, and cyber security.

Read more
ICAEW Community
Data visualisation on a smartphone
Data Analytics

Helping finance professionals develop the advanced data analytics and visualisation skills needed to succeed in this insight-driven era.

Find out more
Finance in a Digital World - support for ICAEW members and students on digital transformation and technology
Finance in a Digital World

ICAEW has worked with Deloitte to develop Finance in a Digital World, a suite of online learning modules to support ICAEW members and students, develop awareness and build understanding of digital technologies and their impact on finance.

Open AddCPD icon

Add Verified CPD Activity

Introducing AddCPD, a new way to record your CPD activities!

Log in to start using the AddCPD tool. Available only to ICAEW members.

Add this page to your CPD activity

Step 1 of 3
Download recorded
Download not recorded

Please download the related document if you wish to add this activity to your record

What time are you claiming for this activity?
Mandatory fields

Add this page to your CPD activity

Step 2 of 3
Mandatory field

Add activity to my record

Step 3 of 3
Mandatory field

Activity added

An error has occurred
Please try again

If the problem persists please contact our helpline on +44 (0)1908 248 250