This article was first published in the June 2017 UK edition of Accounting and Business magazine.

Cybersecurity is an issue of mounting importance. More and more companies find themselves at the mercy of unscrupulous individuals and organisations that use digital wizardry to wreak havoc on businesses ill-equipped to cope.

It’s not a new problem, but the sheer scale of the issue means that company executives and boardrooms must evolve if they are to be diligent to the needs of shareholders. 

A brief look back at 2016 offers an alarming reminder of the world we now operate in. There was a huge, coordinated attack on the Swift banking network and a surge in ransomware (where sensitive data is compromised, and a ransom must be paid for things to be put back as they were). Yahoo confirmed that the emails, usernames and passwords of 500 million of its users had been compromised in a 2014 attack, and that a billion had been hit in an attack in 2013. And most relevant of all to AB readers was the report that a CFO at €3bn-revenue German cable manufacturer Leoni had been tricked into transferring €40m into an unknown bank account because of a business-email compromise (BEC) scam. The company share price fell 5% on the back of the news. 

Structured, top-down approach

Andrea Bonime-Blanc, the CEO of GEC Risk Advisory and a Conference Board author, explores the significant and growing problem of cyber-risk governance in a recent report entitled A Strategic Cyber-Roadmap for the Board. One of the key takeaways from the report is the need for boards to take a far more structured and deliberate approach to managing cyber risk. ‘A structured, top-down approach that embeds cybersecurity management throughout a company’s infrastructure is highly desirable,’ she says. ‘The best approach is to establish a dedicated technology committee on the board.’ In addition to covering digital and technology issues generally, the committee would review cybersecurity and ensure that the overall board discusses it twice a year.

The February 2017 Deloitte cyber reporting survey exposes the reality of the situation that most companies currently find themselves in: just 5% of FTSE 100 boards have a director who has direct specialist cybersecurity expertise. ‘In the light of so many cyber events in the news, corporate boardrooms are beginning to understand the complexities and reputational risks they face,’ says Dominic Cockram, a partner with Deloitte-owned reputation management firm Regester Larkin. ‘However, for some there is still no clear “owner”.’

For the finance professional, all of this is a concern, not least because as guardians of the corporate purse strings, CFOs and their teams are prime targets for a growing underworld of hackers, phishers and scammers. Last year, the US Federal Bureau of Investigation (FBI) sought to raise awareness of BEC scams with the announcement of a 1,300% increase in BEC scams since January 2015 and that US$3.1bn had been defrauded between 2013 and 2015, affecting 22,000 companies around the world. 

If this wasn’t worrying enough, the Leoni CFO won’t be the only finance professional who falls for a BEC scam. According to security company Trend Micro, CFOs are by far the most widely targeted executive (40%) of BEC attacks. When other finance function titles are included, the figure rises to almost two-thirds of all instances. The truth is - and perhaps we shouldn’t be surprised here - the finance function is the prime target for cybercriminals. 

Weak links?

The deeper concern, however, is that perhaps finance – and senior leaders more generally - are soft targets because the overall digital capabilities of traditional professions such as finance and accounting are poor. 

Ade McCormack is a digital adviser, FT columnist and founder of Auridian Consulting. He believes that senior executives and company boards have a long way to go before they are digitally competent enough to thrive – let alone survive - in the current environment. ‘What’s worrying is that in a digital-age organisation, everybody in the boardroom should be digitally competent - digital isn’t a role, it’s a competency,’ he says. ‘What we have is nobody in the boardroom who gets digital or who gets IT. For me, that’s malgovernance, and as business becomes more data-driven, eventually analysts and investors will pick up on that.’

McCormack has many years’ experience advising boardrooms on the impact of digital disruption, including some of the Big Four, and while the issue of cybersecurity is a concern and a significant risk, he is interested in helping companies to maximise the potential upside of digital disruption. He says: ‘Understandably, leaders, and particularly those who are stuck with Wall Street and the City, tend not to think beyond the next three months to a year. What we’re asking them to do here is to think about the future of the business, and what we’re then asking them to think about is the sacrifices they are going to make now.’

He says that what smart digital leaders are doing is sacrificing cashflow today to take advantage of opportunities and manage risks that will arise in the future. He explains the future in three horizons. The first is simply getting IT systems up to a point where you can play in the digital space; the second is to develop an environment where people and technology are very highly integrated (and that includes robots and algorithms in the workplace); and the third horizon is robots and algorithms only in the workplace. 

For a profession that is acutely aware of the impact that artificial intelligence and data science might have on it, McCormack’s words are something of a warning signal: act now, and plan and evolve business models fit for a digital future.  

‘Different organisations have different understandings of what a digital transformation is, and some don’t understand that it’s a fundamental shift in the way business is conducted, where they have to regularly refresh their business models,’ says McCormack. ‘Some get that, and some don’t. If those that don’t are not already facing disruption, then disruption is making its way to reception.’ 

David Rae, journalist