The CFO’s role in ensuring and insuring against cyber attacks
Last year, cyber attacks were estimated to cost businesses 400 billion USD per year, according to British insurance company Lloyd’s. The estimate includes not only direct damage but also the disruption to business following the attack – because often, it is not the attack itself that causes the most damage, but its aftermath, which can drag on for months and define an entire financial quarter.
This has been experienced by a variety of organisations worldwide, including TalkTalk, a British telecommunications provider of voice and data services. In October 2015 the company was targeted by hackers who accessed customers’ personal data. Although only 4 percent of its 4 million customers were affected, the hack cost the company a hefty 60 million GBP and the loss of 101,000 customers.
It was only in February 2016, four months later, that business reportedly began to return to normal. At the time, the company’s chief executive remarked that she found it “encouraging” to see recovery “after a challenging quarter that was dominated by the cyber-attack”.
As the executives responsible for ensuring an organisation’s financial security, CFOs are now required to remain equally aware of and involved in cyber security. The protection of sensitive data and business-critical information is the purview of the CIO or CISO. However, the decision to invest in cyber security measures lies firmly in the hands of the CFO, and it is more essential than ever that CFOs fully recognise the weight of that decision.
Cyber security is not only a matter of installing the necessary software, employing skilled security experts to manage that software and then hoping for the best. It requires an active awareness of the fact that complete cyber security is unachievable. Cyber security threats are the Hydras of the business world – cut one down and another two will grow in its place. And so preparing to battle hackers also means preparing to fail.
In practical terms, this means that cyber security insurance is just as important as cyber threat mitigation. Demand for cyber security insurance has climbed steadily over the past few years. In 2012, the insurance industry took in less than 1 billion USD in premiums on policies to protect companies from losses related to cyber attacks. This figure had doubled to 2 billion USD a year later, and risen to 2.5 billion by 2014.
However, this demand is largely concentrated in the US, with American companies purchasing 90 percent of cyber insurance. This means that the rest of the world is woefully behind the curve in terms of protection against the financial damage of a cyber attack.
This may be particularly true in the Middle East, where awareness of the importance of cyber security is at an all-time high following cyber attacks on established financial institutions like Qatar National Bank – but without any equivalent rise in demand for cyber security insurance.
CFOs in the Middle East are taking on the task of working with CIOs and CISOs to address all aspects of cyber security – including the attendant financial losses. Presenting cyber security insurance as an essential safeguard against cyber attacks is perhaps one of the most critical but difficult conversations a CFO can have with a CEO and Board members today.
At the CFO Strategies Forum MENA, regional CFOs and financial decision makers will meet to network, exchange innovative strategies and learn more about the critical value of investing in cyber security.