Managing cybersecurity

Seniority drives threat awareness

In our survey, 27% of CFOs overall say that cyber is a very high priority for their organization. Within that group, there is a clear bias toward group-level CFOs and finance directors (see Chart 6):

• 57% are group CFOs
• 24% are regional CFOs
• 19% are divisional CFOs

This shows how this topic has become a major concern at the senior enterprise level. However, it also raises concerns that, at the lower levels of some multinationals, there are gaps in protection that could be exploited.

Chart 6: Profile of respondents who say that cybersecurity is a very high priority (Group CFOs or finance director: 57%; Regional CFOs or finance director: 24%; Divisional CFOs or finance director: 19%)

Greater cross-functional involvement may be increasing CFOs’ understanding of cyber risk. Alternatively, closer collaboration may be part of how they are addressing it.

But our experience with organizations at different levels of cybersecurity maturity indicates that a cross-functional approach with board-level support is critical.

“Cybersecurity breaches used to be ‘somebody has hacked us or defaced our website,’” says Siobhan MacDermott, Principal, Cybersecurity at Ernst & Young LLP. “Today, it’s risk management in the broader sense. It needs to be the C-suite, along with the board, that is responsible for cybersecurity.”

“We’re increasingly seeing boards getting involved in this topic.”

Ruby Sharma, Principal, Center for Board Matters at Ernst & Young LLP, agrees.

“Even the best-run companies will face a crisis. And in today’s technology-driven environment, that crisis will likely be a cyber-attack,” she says. “Whether the situation has a severe impact on a company often depends on the board’s preparedness. Smart boards know that the best offense is a strong defense. An organization’s value and reputation can hinge on how well it responds to an unforeseen event.”

The CFO and the board should request a report from the CIO that covers the following:

• Identification. Which are the top three to five threats that are most relevant to the organization?
• Protection. Which actions have been taken to mitigate these threats?
• Detection. What mechanisms are being used to detect incidents? What activity has been seen since the last report?
• Response and recovery. How did the company respond to each incident?¹

1. “Taking charge: How boards can activate, adapt and anticipate to get ahead of cybersecurity risk,” EY, 2015.

Partnering for performance Part 3: the CFO and the CIO 12
