The CFO’s role in cybersecurity

CFOs play a critical role in establishing an effective cybersecurity program

Executive summary

Organizations must comply with myriad industry standards while managing the security of both their proprietary and customer data, as well as brace for the possibility of unknown breaches and leaks. A data breach can be exceedingly costly and can jeopardize a business of any size. To help senior-level financial executives improve their cybersecurity and protect their organizations, Grant Thornton LLP and Financial Executives Research Foundation (FERF) identify critical elements of the CFO’s role in protecting his/her organization from cyberattacks, as well as practical recommendations for establishing an effective cybersecurity program.

These findings are based on a survey of 98 members of Financial Executives International (FEI) and Grant Thornton clients, conducted between July and December 2014. The survey was followed by in-depth interviews of FEI members to get perspectives on a number of organizations’ experiences managing cyberthreats.

Key findings include:
  1. Respondents’ top cybersecurity concerns include protection of data — including customer data and intellectual property (IP) — from data breaches and compliance with data security laws.
  2. Either the CFO or the chief information officer (CIO) is usually responsible for the company’s cybersecurity program. However, interviews revealed that collaboration between different groups is more reasonable.
  3. Although the CFO is often responsible for cybersecurity, the organization’s IT department typically manages the day-to-day aspects of cybersecurity. General counsel are usually involved as well, advising senior management and board members on legal responsibilities.
  4. The CFO is often expected to assess cybersecurity risks, align cybersecurity strategy with business strategy and get buy-in from the board on necessary cybersecurity investments.
  5. The most common impediment to developing an enterprise-wide cybersecurity strategy is a lack of understanding of cyberrisks and potential impacts of a breach.
Significant data breaches — security incidents in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an unauthorized individual — at flagship companies are becoming nearly an everyday occurrence. At the same time, the costs related to these breaches continue to skyrocket. The Ponemon Institute’s 2014 Cost of Data Breach Study: United States puts the average cost for each lost or stolen record at $201, and the total average 2014 cost paid by organizations at $5.9 million for each data breach, up from $5.4 million in 2013. The surging costs are attributable to the “loss of customers following the data breach due to the additional expense required to preserve the organization’s brand and reputation.”[1] In short, data breaches are costly, damaging to prized brands and reputations, and happening at a staggering pace.

The question is: What can companies — especially their CFOs — do about it? All data, including IP, is vulnerable to a data breach. And cybercriminals have become ever more sophisticated and continue to hone their methods at getting the data they want, whether it is trade secrets, medical records, financial data, Social Security numbers or more. Today’s organizations must comply with numerous industry standards while managing the security of their data, as well as brace for the possibility of unknown breaches and leaks. While cybersecurity traditionally has been handled by the CIO and the IT function, the escalating risks have driven cybersecurity up the corporate ladder to the desk of the CFO.

Financial Executives Research Foundation (FERF), in collaboration with Grant Thornton LLP, surveyed CFOs to identify their critical role in cybersecurity, and offer insights and recommendations for establishing an effective cybersecurity program.

Top cybersecurity concerns: What is on the minds of CFOs and CIOs?

A majority of survey respondents indicate that their organizations’ top cybersecurity and data privacy concerns are the protection of customer and client data (64%), followed closely by the potential for undetected breaches (63%). (See Figure 1.)

Skip Westfall, managing director of Forensic and Valuation Services with Grant Thornton LLP and co-leader of its Cybersecurity practice, explains: “Protecting customer data and safeguarding against data breaches are important and necessary concerns for CFOs. However, many CFOs are insufficiently concerned and possibly even unaware of items they should be protecting, such as data that leaves the four walls of their organization when it is shared with a third party or vendor.”

[Figure 1: Top cybersecurity concerns]

Concerns vary by business type

While protecting client and customer data is top of mind for most CFOs and CIOs, cybersecurity concerns vary considerably depending on the particular business. For instance, a technology CFO tends to focus on cyberthreats to IP; a marketing firm that handles third-party data worries about a breach of clients’ records; and a food company CFO sweats issues such as mobile device security and phishing schemes.

Phil Roush, vice president of finance and head of internal audit at SanDisk Corp., a multinational corporation that designs, develops and manufactures flash memory storage solutions and software, says that his three primary cybersecurity concerns are protecting IP, employee data and customer data. “Our business model is based on flash memory technology, so the programs, software, design and schematics — all of that IP is critical to our company and drives our brand value,” says Roush, adding that SanDisk’s customer and employee data is also critical.

Paul Karras, senior vice president and CIO at Wilton Brands LLC, the leading supplier in the U.S. crafts industry, shares a litany of concerns, including phishing, social engineering, malware and mobile devices: “Phishing and email attacks are extremely worrisome.” An additional concern is social engineering, when rogue individuals manipulate people into divulging confidential data. “There are a lot of folks out there who pretend to be somebody that they're not, and try to win your trust so that you will disclose information to them, or release funds to them.” Malware and bots are also on Karras’ mind. “Any time you receive an email from somebody you don't know, and there's an offer for you to click through, you could be opening a malware site that can unleash corruption within your organization. Unless people within your organization are informed, it's very difficult to stop.”

Karras adds, “We have company-issued devices, as well as people who bring their own device to work. Unless there is an effective mobile device management strategy in place, and the tooling behind it, it's very difficult to manage that.” Finally, Wilton Brands is concerned about hacked accounts. “If you don't have a strong password level control within an environment,” explains Karras, “it's easy for somebody to have a robot on the other end that can hit your login ID, and within a second have 15,000 attempts to enter into your company.”
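The scripted login “robot” Karras describes leaves a distinctive trace in authentication logs, and the “password level control” he mentions is usually implemented as a per-account failure threshold with a lockout. The following is an added example, not code from the FERF/Grant Thornton report or from any company interviewed in it; it assumes a simple line-oriented log format, constructed sample entries, and illustrative thresholds (alert on more than 10 failures per account per minute; lock an account after 5 failures in a minute for 15 minutes) chosen only for the demonstration.

```python
"""Detecting and throttling automated password guessing from an auth log.

Added example for illustration. Log format, field names and thresholds are
assumptions; the sample entries below are constructed, not real data.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> auth <OK|FAIL> user=<id> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def build_sample_log():
    """Constructed sample: ordinary traffic plus one scripted burst of
    15 failed logins against 'jsmith' within three seconds from one source."""
    lines = [
        "2014-09-01T08:00:00 auth FAIL user=mlee src=198.51.100.20",
        "2014-09-01T08:00:04 auth OK user=mlee src=198.51.100.20",
    ]
    base = datetime(2014, 9, 1, 8, 1, 0)
    for i in range(15):
        ts = (base + timedelta(milliseconds=200 * i)).isoformat(timespec="milliseconds")
        lines.append(f"{ts} auth FAIL user=jsmith src=203.0.113.7")
    lines.append("2014-09-01T08:02:10 auth OK user=akhan src=198.51.100.31")
    return lines


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["result"] == "OK",
        "user": m["user"],
        "src": m["src"],
    }


def detect_bursts(lines, window=timedelta(seconds=60), max_failures=10):
    """Sliding-window count of failures per account; one alert per account
    the first time the count in the window exceeds max_failures."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, source)
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["ok"]:
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["src"]))
        while q and ev["ts"] - q[0][0] > window:  # drop events outside window
            q.popleft()
        if len(q) > max_failures and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({
                "user": ev["user"],
                "failures": len(q),
                "span_seconds": (q[-1][0] - q[0][0]).total_seconds(),
                "sources": sorted({src for _, src in q}),
            })
    return alerts


class LoginThrottle:
    """Per-account lockout policy (illustrative): after max_failures failed
    attempts inside `window`, refuse every attempt, even with the right
    password, until the lockout expires."""

    def __init__(self, max_failures=5, window=timedelta(seconds=60),
                 lockout=timedelta(minutes=15)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # user -> deque of failure timestamps
        self.locked_until = {}

    def attempt(self, user, ts, password_ok):
        until = self.locked_until.get(user)
        if until is not None and ts < until:
            return "blocked"          # lockout active: do not even check the password
        if password_ok:
            self.failures[user].clear()
            return "allowed"
        q = self.failures[user]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[user] = ts + self.lockout
            q.clear()
            return "locked"           # this failure triggered the lockout
        return "denied"


def replay_throttle(lines):
    """Replay a log through the throttle; return counts of each outcome."""
    throttle, outcomes = LoginThrottle(), Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            outcomes[throttle.attempt(ev["user"], ev["ts"], ev["ok"])] += 1
    return dict(outcomes)


if __name__ == "__main__":
    log = build_sample_log()
    for alert in detect_bursts(log):
        print("ALERT", alert)
    print("throttle outcomes:", replay_throttle(log))
```

On the constructed log the detector raises a single alert for `jsmith` at the eleventh failure (eleven attempts in two seconds from one source), and the throttle denies the first four guesses, locks the account on the fifth, and blocks the remaining ten outright, which is the behaviour a defender wants whether or not one of those later guesses happened to be correct. In a real deployment the same counting would be done per source address as well, so that guessing spread across many accounts from one source is also caught.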

Companies that handle large amounts of data on behalf of their clients are, for obvious reasons, worried about data breaches that could affect clients. Gary Long, executive vice president and CFO at Ivie & Associates, a full-service global marketing company, worries about this issue. “We're a marketing agency and we work with a lot of retailers. Our concern is a data breach would impact those retailers in a negative way. We've all seen what's happened with some prominent retailers recently,” notes Long.

Doug Miller, CFO at law firm Sutter O’Connell Company, explains, “Because we deal with injuries, we have medical records, and we don't want those to be exposed to the outside. Medical information theft is much more lucrative than straight-up identity theft and is, therefore, alluring to cybercriminals.” He continues, “With a name, Social Security number and insurance identification number, a criminal can set up a fake doctor's office and start pumping in claims.”

Threats keep evolving, so CFOs can’t rest easy, says Miller. “Before it was Social Security numbers, bank account numbers and credit card information; now it's medical information. What's the next piece of information that somebody's going to want?”

Compliance is another major concern, particularly as laws governing information security continue to change. For universities, a key risk is privacy related to student records.

Judy Roy, executive vice president of finance and administration at Indiana Tech, a private university with 8,000 students, says that compliance with data security laws and student data privacy are her top concerns. “We've got a whole realm of personal data on our students that we need to keep secure — not only Social Security numbers, but names and addresses, as well as grades and payment information.”

[1] 2014 Cost of Data Breach Study: United States, Ponemon Institute, May 2014.
