The CFO's Role in the Data Breach War
The disturbing rash of data breaches in recent years has demonstrated that data security -- always a huge concern of CFOs -- affects every company and its customers. Entertainment sites, clothing retailers, grocers, financial services institutions are only the latest and most obvious of organizations to have had IT systems compromised, or sensitive information stolen.
Traditionally, of course, data protection falls mainly in the IT department's domain. But while CIOs may manage the Wi-Fi networks and servers that criminals target, CFOs approve IT spending, and are often responsible for handling repercussions of a breach. That suggests that they should have a lot to say about data security planning, too, to go with their deep involvement in dealing with the fallout -- from notifying the parties affected by breaches, to reporting on the financial consequences.
Further, CFOs should serve as facilitators in helping "business managers treat security as an economic requirement," said Jay Heiser, a Gartner research vice president whose focus areas include IT risk assessment and management. And that's something that finance people may do better than techies, because they're not security wonks.
Data breaches "can absolutely impact your bottom line," said Mike Dandini, head of the management and professional liability underwriting unit at The Hartford, the insurance giant. Cyberinsurance, he added, is the second most asked about management liability product these days.
"The real issue comes down to how much data to they store," he said. "Do they keep a lot of personally identifiable information. But also, for any company, your trade secrets, your proprietary information, all of that could be at risk. So from a CFO's perspective, that could impact revenues, good will, reputation and client trust. That all comes down to cost, whether its lost revenues, or whether it's remediation."
And the consequences of breaches at Sony, TJX Cos. and the Hannaford supermarket chain, to name just three, have illustrated just how costly they can be.
Sony, which suffered multiple data breaches across its online entertainment sites in April, initially estimated clean-up costs at least $171 million. It had to warn investors that the breach, which affected 101 million users and ranks as one of the largest to date, would have a sharp impact on its fiscal 2011 year. One major cost: the free year of identity-theft monitoring that the company is offering PlayStation Network and Qriocity users whose names, addresses, birth dates, purchase histories and online identifications were stolen.
The repercussions of an 18-month hack that began in July 2005 cost TJX, parent company of clothing chains TJ Maxx and Marshalls, $256 million. The retailer saw $118 million erased from its 2007 second-quarter profits to deal with the attack, during which hackers made off with 45.6 million credit and debit card numbers.
The Hannaford chain likely will see in its legal expenses soar after a recent federal appeals court decision related to a 2007 data breach. The ruling allows a class-action lawsuit against Hannaford to proceed. Victims are seeking compensation for the measures they took to protect themselves from identity theft and fraud after perpetrators pilfered 4.2 million credit and debit card numbers.
Hackers target small businesses as well, noted Dandini, who said The Hartford has seen so much demand for data breach insurance for smaller companies that it recently launched a product especially for that market.
Hackers realize that "so much of our economy right now is made up of small businesses," he explained. "They may have to hit five or six small businesses to get the same take, but it will be easier than hitting one large one."
Often, these smaller firms lack the capital needed to shore up their systems against attacks, explained Dandini. For business both small and large, CFOs now are finding themselves with fiduciary responsibility in data-protection cases. And nowhere is this clearer than in U.S. government legislation such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act, along with various state regulations, he said.
The requirements range from the simple protection of people's medical records to guarding the unique and proprietary trademark material for which companies are responsible. Any time "a company gets hit because they didn't have adequate protections," the case can make its way to the boardroom, said Dandini.
Ensuring that a business has proper IT defenses requires CFOs to work closely with CIOs on capital investments, among other things. And when CIOs bring up IT security spending, Dandini said, CFOs "understand that they're investing dollars to not have to spend dollars somewhere else." The CIO's task is to explain how the investment ultimately will save the organization money, and how the enterprise must avoid "granular IT-speak about the applications and [instead] spend the time talking about impact to business."
Further, finance chiefs must listen to CIOs when they press the case "to understand [that] we may spend $500,000 for some IT that protects us," by pointing out the costs and other ramifications of failing to spend the funds, and putting the potential loss in a larger context.
"If we don't have that, the likelihood of an event happening would be two or three times more likely, and that could cost $2 million," instead of a much smaller amount, said Dandini. "A lot of mistakes CIOs made in the past [involved focusing] on the technical aspects of the things that [they] were purchasing," and the possibility of gain "wasn't as meaningful as .... the consequences" of loss.
While a CFO with some knowledge of the technology involved may be helpful when making spending decisions, Dandini believes the finance involvement must be much deeper. It calls for an approach to security that involves gaining input from across an enterprise, he said, creating a much more holistic security plan, in which every department considers the impact of a data loss on them, and the wider business.
This broader team approach to data protection allows departments to understand the costs to the enterprise. Rather, the individual departments then take responsibility for IT security themselves, so the units "are no longer throwing that moral hazard hot potato" to the CIO, said Gartner's Heiser.
"The CFO has a strategic role in encouraging the policies and processes that enable the business to handle the risk themselves," said Heiser. "It's unrealistic to expect the CFO to understand security completely, as it is for the security professional to understand finance completely."
CFOs should first aid managers in determining the data's sensitivity and defining security goals, he said. This will help enterprises calculate the cost of the security being provided.
For data ranked high, the CFO should help the manager "figure out an economically appropriate set of controls and countermeasures," to protect the sensitive information. Standard security procedures may cover less sensitive data. So, Heiser said, the idea is to keep things simple, he said.
"There don't have to be many goals. Ultimately confidentiality, integrity and availability are goals," he added. "I find that getting anymore granular than three things is hard."
Next, consider security "across the life cycle of IT, from turning things on, to turning things off, to throwing things away." Dated laptops still contain sensitive information unless they are properly managed, he noted.
Managing the process broadly allows individual departments to see "the risk ramifications of their data." This method also creates a framework that should be applied to new IT projects to ensure that security is considered from the planning phase.
"It's not reasonable to expect [IT departments] to a do a good job at that, if they haven't been given a simple but useful framework," said Heiser.
And making data security a priority becomes a wiser decision all the time, since criminals are consistently developing more sophisticated cyberattacks, according to The Hartford's Dandini.
He said that "even as more protections come online, the perpetrators get that much more crafty, and then you have to go and find new solutions to deal with it."
Data-breach threats are here to stay. "They may change slightly," said Dandini, "but by no means will they go away."