Articles
Cybersecurity: Why Treasury Needs to Know Its Role
- By Roland Cloutier
- Published: 6/17/2015
You arrive at work and what looks to be a normal business day quickly turns into chaos. The traffic to your website is at an all-time high as customers and prospects review your services and products. Suddenly, the web server shuts down and your potential customers are left in the dark. You learn that your business is experiencing the start of a distributed denial-of-service (DDoS) attack, a common cyberattack targeting companies around the globe. Soon, a hacker breaches your company’s network and accesses sensitive information.
DDoS attacks and data breaches are increasingly common in today’s business landscape with serious operational and financial consequences. As a result, cybersecurity is no longer just IT’s problem. Protecting the organization against cyberattacks is now the entire management team’s responsibility—including treasury and finance.
Big problem, bigger costs
According to the Ponemon Institute, the cost of a data breach increased 23 percent in 2014 to $3.8 million. What this figure doesn’t necessarily show are the potential longer-term financial effects of a data breach on a business, such as a loss in customer traffic to your corporate website or the myriad fines and other fees your company may face from regulators and government agencies.
While financial executives may hope such attacks never occur or that outcomes of an attack will not impact their organization’s bottom line, companies must do more to prepare. Financial professionals’ core objective is to ensure the long-term financial health of their organizations. AFP’s 2015 Risk Survey found that 60 percent of companies do not have a response plan to a cyberbreach. Rather than view these attacks through a reactive lens, treasury and finance can play a proactive role in mitigating cyberthreats.
How to contribute
So what is treasury’s role in supporting cybersecurity efforts? It centers on collaborating with the entire management team on a multidisciplinary approach that protects financial data from unauthorized access and preempts fraudulent activity.
Aside from intellectual property, the most valuable data companies possess is monetary. Research shows that, in 2014, hackers frequently sought out those data types, affecting everyone from Home Depot to the IRS to JPMorgan Chase. No matter where financial data sits—in a data center 2,000 miles from headquarters or on a local server inside a satellite office—it needs the same level of protection.
This data is critical to a company’s operations, so treasury must work with the chief security officer (CSO), chief information officer (CIO), compliance executive and other key leaders to conduct a thorough data risk assessment across all markets in which they operate. Without this assessment, companies cannot create truly effective information security safeguard programs or make data-driven decisions regarding investments in new tools and platforms, or how to respond to actual attacks.
All core business functions with a stake in ensuring the viability of an organization should help inform the cyberrisk management strategy. This stakeholder working group should include treasury, finance, risk management, IT, legal, security and anyone else who can apply their domain expertise to fully understand all the potential liabilities and gaps a company must address within its cyberrisk management strategy.
Collaboration in action
Here’s an example of how this working group can collaborate. Treasury knows where and how their company stores and shares its financial data, but might not know if the company stores some of that data with customer data. IT could answer that question; security can develop a protection plan for the application, servers, and infrastructure that supports the finance process; and legal could outline the potential repercussions of unauthorized access to those combined data sets.
Through multidisciplinary collaboration, treasury and finance can apply this same business operations protection methodology to other critical areas of their operations and answers will emerge to a range of other key questions such as, “What potential fines or financial liabilities would the company face if it doesn’t implement proper defense mechanisms to protect financial data?”
Sharing such insights from each core business function is critical to this working group’s ability to accurately assess existing prevention, defense, response, and risk mitigation practices to sensitive company information, processes, and technologies. It also empowers the working group to create and implement an effective program to safeguard data, financial assets, and the workplace.
As a result of the risk assessment, for example, this group may determine that different business units share financial or customer data through channels and tools vulnerable to unapproved third parties or transmit that data in a way that leaves customer data at risk. Treasury and other members of the management team can then proactively establish new, mutually agreed-upon policies and standards for how every business unit shares and stores data.
Making the right security investments
In addition to serving as a key architect for the company’s cybersecurity strategy, treasury executives also should become informed security investors. Based on the multidisciplinary knowledge they glean by collaborating on their company’s cybersecurity strategy and safeguard program, treasurers can earmark the appropriate investments in operational infrastructure, technologies, and third-party resources to support both current and future security needs.
Treasurers should create a three-year roadmap aligned with their company’s cybersecurity program and overall corporate strategy and act as the financial partner for top security executives within the company, creating cost management and security investment models. Given its new knowledge base, treasury can press for answers beyond costs, such as how often a prospective technology provider will update versions of its software to stay ahead of emerging threats.
While financial professionals may specialize in one functional area, they also have an active role to play in creating and supporting their company’s cyberrisk management efforts. They should work closely with the C-suite to build the multidisciplinary working group, conduct a comprehensive risk assessment and implement customized programs to safeguard their company’s critical data. With more than half of Fortune 1,000 firms experiencing a data breach each year, a multidisciplinary approach to cybersecurity, where all core functions participate—from IT to legal to treasury—is essential to proactively manage today’s evolving cyberthreat landscape.
Roland Cloutier is Chief Security Officer for ADP.
DDoS attacks and data breaches are increasingly common in today’s business landscape with serious operational and financial consequences. As a result, cybersecurity is no longer just IT’s problem. Protecting the organization against cyberattacks is now the entire management team’s responsibility—including treasury and finance.
Big problem, bigger costs
According to the Ponemon Institute, the cost of a data breach increased 23 percent in 2014 to $3.8 million. What this figure doesn’t necessarily show are the potential longer-term financial effects of a data breach on a business, such as a loss in customer traffic to your corporate website or the myriad fines and other fees your company may face from regulators and government agencies.
While financial executives may hope such attacks never occur or that outcomes of an attack will not impact their organization’s bottom line, companies must do more to prepare. Financial professionals’ core objective is to ensure the long-term financial health of their organizations. AFP’s 2015 Risk Survey found that 60 percent of companies do not have a response plan to a cyberbreach. Rather than view these attacks through a reactive lens, treasury and finance can play a proactive role in mitigating cyberthreats.
How to contribute
So what is treasury’s role in supporting cybersecurity efforts? It centers on collaborating with the entire management team on a multidisciplinary approach that protects financial data from unauthorized access and preempts fraudulent activity.
Aside from intellectual property, the most valuable data companies possess is monetary. Research shows that, in 2014, hackers frequently sought out those data types, affecting everyone from Home Depot to the IRS to JPMorgan Chase. No matter where financial data sits—in a data center 2,000 miles from headquarters or on a local server inside a satellite office—it needs the same level of protection.
This data is critical to a company’s operations, so treasury must work with the chief security officer (CSO), chief information officer (CIO), compliance executive and other key leaders to conduct a thorough data risk assessment across all markets in which they operate. Without this assessment, companies cannot create truly effective information security safeguard programs or make data-driven decisions regarding investments in new tools and platforms, or how to respond to actual attacks.
All core business functions with a stake in ensuring the viability of an organization should help inform the cyberrisk management strategy. This stakeholder working group should include treasury, finance, risk management, IT, legal, security and anyone else who can apply their domain expertise to fully understand all the potential liabilities and gaps a company must address within its cyberrisk management strategy.
Collaboration in action
Here’s an example of how this working group can collaborate. Treasury knows where and how their company stores and shares its financial data, but might not know if the company stores some of that data with customer data. IT could answer that question; security can develop a protection plan for the application, servers, and infrastructure that supports the finance process; and legal could outline the potential repercussions of unauthorized access to those combined data sets.
Through multidisciplinary collaboration, treasury and finance can apply this same business operations protection methodology to other critical areas of their operations and answers will emerge to a range of other key questions such as, “What potential fines or financial liabilities would the company face if it doesn’t implement proper defense mechanisms to protect financial data?”
Sharing such insights from each core business function is critical to this working group’s ability to accurately assess existing prevention, defense, response, and risk mitigation practices to sensitive company information, processes, and technologies. It also empowers the working group to create and implement an effective program to safeguard data, financial assets, and the workplace.
As a result of the risk assessment, for example, this group may determine that different business units share financial or customer data through channels and tools vulnerable to unapproved third parties or transmit that data in a way that leaves customer data at risk. Treasury and other members of the management team can then proactively establish new, mutually agreed-upon policies and standards for how every business unit shares and stores data.
Making the right security investments
In addition to serving as a key architect for the company’s cybersecurity strategy, treasury executives also should become informed security investors. Based on the multidisciplinary knowledge they glean by collaborating on their company’s cybersecurity strategy and safeguard program, treasurers can earmark the appropriate investments in operational infrastructure, technologies, and third-party resources to support both current and future security needs.
Treasurers should create a three-year roadmap aligned with their company’s cybersecurity program and overall corporate strategy and act as the financial partner for top security executives within the company, creating cost management and security investment models. Given its new knowledge base, treasury can press for answers beyond costs, such as how often a prospective technology provider will update versions of its software to stay ahead of emerging threats.
While financial professionals may specialize in one functional area, they also have an active role to play in creating and supporting their company’s cyberrisk management efforts. They should work closely with the C-suite to build the multidisciplinary working group, conduct a comprehensive risk assessment and implement customized programs to safeguard their company’s critical data. With more than half of Fortune 1,000 firms experiencing a data breach each year, a multidisciplinary approach to cybersecurity, where all core functions participate—from IT to legal to treasury—is essential to proactively manage today’s evolving cyberthreat landscape.
Roland Cloutier is Chief Security Officer for ADP.
Copyright © 2024 Association for Financial Professionals, Inc.
All rights reserved.