
CFO Awards 2018 Nominees: Three Things Every Middle Market CFO Needs to Do About Cyber Risk

You and I are playing a word association game and I say, “Target. Sony. Equifax.” If what comes to mind are the costly data breaches each company suffered, the millions of dollars lost and the loss of customers as a result of tarnished brand reputations, then we should talk – particularly if you are the CFO of a middle market business where the vast majority of these types of attacks occur.

Cyber liability is a tremendous issue for all types of organizations today: small, medium and large, public or private. According to cybersecurity firm Centrify, “Only 39 Percent” of IT executives “say their organizations have a high ability to prevent a data breach.” No wonder 31% of organizations have experienced cyber attacks on operational technology infrastructure.

It would be nice to think that your CIO is on top of this threat, but the fact is: 42% of finance chiefs are the owner or co-owner of cybersecurity at their companies, according to a recent CFO report. And Harvard Business Review writes: “Given the increasingly new relationship between cyber risk and financial risk, the CFO should ultimately be accountable for cyber risk.”

Now, I know your to-do list is already a million miles long, but there are three straightforward steps you can take today to protect your organization and become a cyber risk hero.

But first, let’s get acquainted with what your top concerns should be.


Let’s keep it simple. Insurance firm CRC and Investor’s Business Daily stipulate what CFOs’ top cyber concerns should be:

  1. Loss of customer data may be particularly costly as consumers, whose patience continues to wane in light of such breaches, increasingly seek legal redress.
  2. Business interruption due to a security event is not covered under a typical business interruption policy. It needs to be secured within a cyber risk policy.
  3. Hackers’ efforts are more of a full-scale attack on potential system exposure. They will pursue any and all vulnerabilities to obtain available information, determining post-breach if any value exists.
  4. Not all cyber incidents result in immediate financial loss; some may take months or years to harm a company’s competitiveness and earnings. Don’t be focused only on short-term earnings.

Now let’s tackle the first three steps a CFO should take to address these concerns.


CFOs should develop what legal consulting firm UnitedLex calls “an incident response plan with clearly defined roles and processes.” To begin, follow these three steps today:

  1. Meet with your C-suite colleagues. Brief them on the concerns above. Suggest a game plan. Do not rely on your IT team to protect your firm. “Senior management time and attention was identified as the single biggest driver of maturity in managing cybersecurity risk,” writes InfoSecurity Magazine.
  2. Hire a threat modeling or managed security service provider (MSSP) to perform a risk analysis of your company’s cyber vulnerabilities. Get an idea of what’s at stake.
  3. Invest in a cyber liability policy through your insurance broker. Make sure they know about first- and third-party coverages and include a rider for business interruption due to a security event. If your current broker is not an expert in this area, find one who is.

These initial steps will set any CFO on the path to successful cyber protection. However, one thing you could do is bring on a consultative partner to help you with all three tasks at once, thereby simplifying the process and saving you money. For example, at SullivanCurtisMonroe, not only do we offer a complimentary cyber risk analysis to all of our clients, but I also provide in-house cyber liability coverage expertise to make sure your policy is the broadest available.


Cyber liability is all too real. Security breaches cost organizations across the country millions of dollars a year, as well as incalculable devaluation to their reputations. But there are practical steps every CFO can take to protect their company, employees, partners and customers – as well as the all-important bottom line: leveraging the power of your C-suite, conducting a threat analysis and using risk transfer through insurance.

Patrick Hernandez is an expert on cyber liability and risk management with SullivanCurtisMonroe, a regional Southern California insurance brokerage for middle market firms. He can be reached at [email protected] or (626) 419-1161.
