
If cyber security is a significant risk, what role should the finance community play?

The cyber threat is one of the most talked-about issues that businesses face today. Yet the level of awareness of the risk and the types of threats that organisations face is low. So what is the extent of awareness of the cyber threat amongst the finance community? And what are the cyber threats we’re facing?

It matters to finance

A successful cyber-attack has many implications for organisations, the majority of which have financial impacts. It is not just a question of a virus infecting an application. Attacks are more sophisticated, as illustrated by the eight-stage cycle shown here:

Graphic: Attacks are sophisticated and can follow the eight-stage cycle: Reconnaissance, scanning, access and escalate, exfiltration, sustainment, assault, obfuscation, post-exploitation and persistence.

A successful cyber-attack can result in fines from regulators, reputational loss leading to loss of revenue, and the costs associated with remediation and recovery from the attack. Each of these can be quite significant. It is no longer just a technical IT issue.

How prepared are we?

It is important to have an appropriate and well-tested recovery and resilience plan, yet for many organisations this might not be the case. Investment in being prepared is essential in the connected world.

Figure 2.11: Does your organisation have a remediation plan in place (one enacted to enable an organisation to recover after an event), to manage the impact of a successful cyber-attack? 32% Yes and we update and test it regularly, 19% Yes and we update and test it infrequently, 9% Yes but we do not update it or test it, 18% I am unsure as to whether we have a plan, 7% We do not have a plan, 2% Other, 13% Don’t know.

Who do we trust?

Businesses are ever more connected in the way that they transact. This changes the way in which we see the cyber threat: it is not only an internal threat, as the weakest point may be an organisation that we are connected to. Working with our supply chain to mitigate the risk is an essential part of business today. But are we aware of these vulnerabilities?

Figure 3.3a: Does your organisation undertake assessments or audits of the cyber-security vulnerabilities of those in its supply chain? 19% Yes, on a regular basis, 15% Yes on an ad hoc basis, 6% Yes, but only when we contract with a new supplier, 27% No, 33% Don’t know.

Explore the world of cyber risk and the actions that the finance community should undertake through the report.

About ACCA author, Clive Webb