You and I are playing a word association game and I say, “Target. Sony. Equifax.” If what comes to mind are the costly data breaches each company suffered, the millions of dollars lost and the loss of customers as a result of tarnished brand reputations, then we should talk – particularly if you are the CFO of a middle market business where the vast majority of these types of attacks occur.

Cyber liability is a tremendous issue for all types of organizations today: small, medium and large, public or private. According to cybersecurity firm Centrify, “Only 39 Percent” of IT executives “say their organizations have a high ability to prevent a data breach.” No wonder 31% of organizations have experienced cyber attacks on operational technology infrastructure.

It would be nice to think that your CIO is on top of this threat, but the fact is: 42% of finance chiefs are the owner or co-owner of cybersecurity at their companies, according to a recent CFO report. And Harvard Business Review writes: “Given the increasingly new relationship between cyber risk and financial risk, the CFO should ultimately be accountable for cyber risk.”

Now, I know your to-do list is already a million miles long, but there are three straightforward steps you can take today to protect your organization and become a cyber risk hero.

But first let’s get acquainted with what your top concerns should be.


Let’s keep it simple. Insurance firm CRC and Investor’s Business Daily stipulate what CFOs’ top cyber concerns should be:

  1. Loss of customer data may be particularly costly as consumers, whose patience continues to wane in light of such breaches, increasingly seek legal redress.
  2. Business interruption due to a security event is not covered under a typical business interruption policy. It needs to be secured within a cyber risk policy.
  3. Hackers’ efforts are more of a full-scale attack on potential system exposure. They will pursue any and all vulnerabilities to obtain available information, determining post-breach if any value exists.
  4. Not all cyber incidents result in immediate financial loss; some may take months or years to harm a company’s competitiveness and earnings. Don’t be focused only on short-term earnings.

Now let’s tackle the first three steps a CFO should take to address these concerns.


CFOs should develop what legal consulting firm UnitedLex calls “an incident response plan with clearly defined roles and processes.” To begin, follow these three steps today:

