
CFOs are tackling a triple threat to data security and privacy

A trifecta of cybersecurity risk factors has elevated data security and privacy to the top of chief financial officers’ (CFOs’) priorities. According to the annual Protiviti Global Financial Trends Survey, 61% of financial leaders and professionals see this area as a high priority for the coming year due to concerns that include cybersecurity disclosure requirements, growing threats of cyberwarfare and extortion, and the increasing value of data assets. Public companies rate the importance of data security and privacy higher (65%) than private organizations do (57%).

The seriousness CFOs place on cybersecurity reflects issues such as the rise of nation-backed hacking groups, the collateral impacts of cyber warfare in the Middle East conflicts and the Russia-Ukraine war, and the fact that digital attacks by bad actors are becoming increasingly strong, more refined and more expensive for organizations on the receiving end of attacks. In addition, organizations’ insatiable thirst for more data – including financial, non-financial, structured and unstructured data – increases the need to protect data assets, the value of which continues to grow. Finally, as more internal and external data support regulatory disclosures and reporting requirements, this information must be subject to the sophisticated controls, accuracy assurance and compliance knowledge that reside within financial groups.

Given their roles as stewards of the organization’s financial data (and much of its performance data), new and emerging security and privacy regulatory and disclosure mandates are important to CFOs. Publicly traded companies began filing 10-K annual reports and 8-K cybersecurity incident reports under the amended Cybersecurity Disclosure Rule adopted by the US Securities and Exchange Commission last summer. In the European Union, the Network and Information Security Directive 2 expands the scope of the original directive to improve cybersecurity across the European region by unifying national laws with common minimum requirements.

Complying with these rules requires a combination of expertise in regulatory compliance and reporting, risk management, cybersecurity, incident response and data governance. CFOs work closely with their information security counterparts while performing related activities to strengthen data security and privacy, including the following:

  • Pursuing multilateral education: In addition to educating CIOs and information security leaders on materiality assessments, board reporting on financial statement disclosures, and organizational (and personal) risks of cybersecurity disclosure errors and misstatements, CFOs learn about incident recovery costs, remediation efforts, and the nature of compromised data from their CISO counterparts. And both CFOs and CIOs make up the boards.
  • Improving board reporting: CFOs must ensure that their boards have timely access to information about cybersecurity risks and capabilities by helping to define roles, responsibilities and collaborations between the disclosure committee, individual directors, preparers of financial and public reports and other contributors to the disclosure process.
  • Establishing and reinforcing liability: While backup signatures provide a “chain of attestation,” they may not provide assurance that reliable information is provided to management for timely disclosure. Instead, CFOs create a “chain of responsibility” by linking required disclosures with internal reporting processes that provide the necessary information in a timely manner to those making disclosure decisions.

Other work related to the new disclosure and reporting requirements also reflects the CFO’s increasingly hands-on role in cybersecurity. Financial leaders develop new materiality frameworks for security and privacy breaches and monitor how cybersecurity disclosures from other publicly traded companies are evolving (and, when requested, recalibrate their own disclosures to reflect best practices).

In addition, CFOs continue to collaborate with their senior and executive colleagues to find new ways to strengthen the organization’s overall cybersecurity processes as regulators, negative actors, and investors increase their scrutiny of this crucial capability.

Interested in learning more? Read TRANSFORM: Assessing CFO and CFO perspectives and priorities for the year ahead at www.protiviti.com/financesurvey.