Is Your Company Underestimating What It Takes to Manage Cybersecurity Risks?
CFOs and risk management professionals should explore the latest stats and strategies for addressing cybersecurity within a governance, risk, and compliance program.
Defining Cybersecurity
Asking ten people for a definition could produce ten different answers. CISA describes cybersecurity as “the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.”
In today’s corporate landscape, one word that deeply influences the ever-evolving world of governance, risk, and compliance (GRC) is cybersecurity. Protecting business data, and with it business continuity, is essential for sound decision-making, efficient financial reporting and audit cycles, and staying power in an uncertain economy. Yet many CFOs and risk management professionals underestimate what it takes to integrate a cybersecurity program into their company’s GRC strategy. As a result, many businesses have a program that is insufficient to address the cybersecurity risks they actually face.
Companies of all types and sizes face cybersecurity risk, yet business leaders commonly underestimate the cost and impact of an incident. Leaders also often assume, incorrectly, that their company is not a likely target because of its size or market position. In practice, attackers frequently select targets by opportunity (an exposed service, a reused password, an employee who clicks a phishing link) rather than by the victim’s prominence.
By the numbers: The business impacts of cybersecurity threats
Check Point Research reported a 28% increase in the average number of cyber-attacks per organization in Q1 2024 compared with Q4 2023. Leaders should plan on the assumption that this volume will keep rising rather than subside.
According to the Verizon 2024 Data Breach Investigations Report, 41% of all cyber incidents and 38% of breaches affected businesses with fewer than 1,000 employees. Estimates of the cost of a cybersecurity incident for a small company vary widely across surveys (from $50,000 up to millions), but the one consistent finding is that costs are rising significantly for small businesses that have experienced an incident or breach.
Companies of all sizes should integrate cybersecurity into their GRC strategy for a holistic, stronger approach to risk management. Doing so proactively creates several benefits, including:
- Measuring and tracking: key risk indicators (KRIs) for cybersecurity that tie into key performance indicators (KPIs) and other business strategies and objectives
- Stronger decision-making: company leaders are better informed, make better business decisions, and build stakeholder trust
- Adaptability to threats: the GRC program becomes more agile and better able to address threats and issues as they arise
- Improved collaboration between departments and stakeholders, both for cybersecurity and for the overall governance, risk, and compliance effort
Another reason companies under-invest in cybersecurity is the perception of cost. Implementing a cybersecurity program and integrating it into GRC does cost money, but there are cost-effective measures companies can take to begin addressing cybersecurity risk.
By definition, a company’s cybersecurity program should guard against unauthorized or criminal use of information while ensuring the data remains confidential, intact, and available. Here are considerations for company leaders, CFOs, and risk management professionals for integrating cybersecurity into each area of governance, risk, and compliance:
1. Cybersecurity and Governance
When integrating cybersecurity into a company’s GRC program, leaders should start with cybersecurity governance. This process defines a company’s security policies, processes, and procedures to manage cybersecurity risk and align these with overall company objectives or goals.
As part of governance, companies should identify the appropriate oversight personnel. This can be a challenge based on limited resources and expertise; however, companies have viable options, including:
- relying on the Board, provided a member has cybersecurity knowledge, or
- using a committee comprised of individuals in different departments with GRC, risk management, and cybersecurity expertise.
Governance should also define how leaders communicate a company’s cybersecurity program and expectations of compliance to the employees. Furthermore, the governance function should also communicate the status of the overall GRC program—including cybersecurity—to key stakeholders, including executive management, risk committee, and the Board.
2. Cybersecurity and Risk
Cybersecurity risk management should be performed in the traditional risk assessment cycle of identifying, assessing/analyzing, treating, and monitoring/reporting risks. This should be done as part of the overall enterprise risk assessment.
As risks are identified, companies should determine whether each risk has a cybersecurity element, and whether any standalone cybersecurity-specific risks exist. For each identified cybersecurity risk, the company should then work through the cycle above: assess and analyze the impact and significance of the risk to the company, decide how to treat it (accept, mitigate, transfer, for example through cyber insurance, or avoid), and plan how the risk will be monitored and reported.
For example, revenue recognition is inherently a high financial risk area for any company. When accounting and finance professionals are analyzing a company’s risks related to revenue recognition, they should consider cybersecurity-related risks, including data integrity, data availability, access rights to change revenue-related data, and how revenue-related data is safeguarded. For each of these risks, a company should go through the risk management process noted above.
Another example is the risk of low security awareness among employees. This can have a significant impact on a company if employees do not have at least a basic level of cybersecurity knowledge. Most companies choose to mitigate this risk with a security awareness training program whose completion is monitored periodically.
Risk management professionals should update the company’s risk register as new threats and risks arise, rather than waiting for the next scheduled review. Companies should still perform an annual risk assessment that incorporates cybersecurity risks, and develop or update the risk management plan accordingly.
3. Cybersecurity and Compliance
For corporate compliance, companies should first identify the federal, state, and international regulations they must comply with (for example, CCPA/CPRA for California data privacy, PCI DSS for companies that store, process, or transmit payment card data, or GDPR for companies that do business in the European Union or process the personal data of individuals located there), as well as any other legal obligations.
A company should also identify any best practices or internal requirements relating to cybersecurity that it chooses to adopt. For example, companies can benefit from implementing practices drawn from cybersecurity frameworks such as NIST CSF 2.0, which organizes its outcomes under six functions: govern, identify, protect, detect, respond, and recover. NIST’s published CSF 2.0 materials include informative references that map the framework to other standards, guidance on integrating cybersecurity into enterprise risk assessment (useful for cybersecurity risk management), implementation examples, and quick-start guides.
Once a company has identified all of its compliance obligations, the next step is to assign an owner for each, responsible for guiding the company through the required actions and for ensuring compliance with regulatory and internal requirements. Companies should maintain a list of all compliance matters and continuously monitor it to confirm that every obligation is being met.
Overall, the goal of a company’s GRC framework is to manage risk holistically and ensure compliance with regulations, resulting in better efficiency, reduced or avoided costs, and achievement of business objectives. That cannot happen without incorporating cybersecurity into the overall GRC program. When doing so, organizations must build the right foundation, one that is proactive, systematic, and modern. That foundation produces a GRC program that can adapt to the evolving world of business.