AP_COM_CB_1

This article was first published in the July/August 2017 China edition of Accounting and Business magazine.

At the 8th CFO Innovation Asia Forum in Singapore in May, the 400 or so senior finance executives in attendance were polled on whether their company was affected by the WannaCry ransomware that had been launched globally earlier that week. More than nine out of 10 (96%) replied in the negative.

But there was no mistaking the interest in the panel discussion on cybersecurity and the finance function. As one panellist put it, WannaCry may not have been as widespread and destructive as feared, but it has planted the seeds for future attacks. 

So what can CFOs and others in the company do? First, acquire knowledge. Understand what WannaCry and other similar ransomware viruses are and what they do. According to Marsh, an insurance broker and risk management company, ransomware ‘holds data ransom by encrypting it and demanding payment for the decryption’.

What is new with WannaCry is that it does not rely on someone clicking on an infected link or attachment. Explains Marsh: ‘It is a worm which, once inside an organisation, searches for vulnerable machines, and infects a large number of these machines quickly even without any user involvement.’

That very few at the forum reported experiencing an infection is testament, perhaps, to the absence of vulnerable machines in the organisation or the effectiveness of their cyber defences. Or it may be that Singapore companies had been prompt in patching up the vulnerabilities in the Windows operating system when Microsoft released an ‘extremely critical’ security update in March. Other organisations that fell victim, such as two hospitals in Indonesia, had not been as alert.  

These are all good, basic hygiene steps, but there’s no guarantee they will be enough the next time around. Marsh and Aon, another risk management company, both recommend that enterprises also take out insurance; this ‘can be a powerful way to minimise the impact and cost of a breach,’ says Aon.

One panellist, the financial controller of a logistics and e-commerce company, said that insurance coverage is part of her organisation’s cybersecurity defences. But another, the CFO of an online grocery chain, said it was not.

‘We are a native digital company,’ explained this CFO; the company has integrated security in every nook and cranny of its systems and therefore feels confident it can withstand cyberattacks The CFO conceded, however, that his company may need to take out insurance if the extent, virulence and sophistication of ransomware and other cyber-attacks intensify. 

There was some pushback to the idea of insurance, with one CFO asking whether premiums could be better used to improve cyber defences.Maybe so, but it’s not necessarily an either-or equation. In mitigating cyber risk, insurance may have a place in a company’s armoury, particularly when financial data and processes are in the cloud. However, it should not replace a robust end-to-end set of defences. 

Cesar Bacani is editor-in-chief of CFO Innovation