‘Cybersecurity is an issue that concerns the entire organization’
Leaders should revisit their current cybersecurity practices at least once a year depending on the size of the organization and the number of incidents (Getty Images/Skynesher)
While cybersecurity used to be considered the exclusive domain of IT, it has become increasingly apparent that the function extends far beyond the confines of that department. In fact, it involves all facets of operations, from IT and legal, to privacy, marketing and finance.
Like other senior leaders, CPAs have an active part to play in the realm of cybersecurity, from helping an organization stand on guard against cyber threats to assessing a situation and determining next steps if an incident takes place.
“CPAs have a vital role throughout the whole cybersecurity process,” says CPA Will Xiang, vice-president, cybersecurity, data analytics and privacy at Richter. “Not only do they have the advantage of being very pragmatic, but they are at the intersection of finance and business—and, in some cases, risk, compliance and IT as well.”
HOW THE CYBERSECURITY LANDSCAPE HAS CHANGED
Cybersecurity has evolved considerably over the years as hackers have become more sophisticated in their attacks and use of technology tools. COVID also accelerated the digitization process in many organizations, placing more data, financial and client information at risk.
“Cyber risk has always been there. Now it is becoming more prevalent, and stakeholders are expected to be knowledgeable and take action,” says Xiang.
There are two key aspects to cybersecurity challenges today, says Cathy Cobey, FCPA, Canadian technology risk leader, EY Canada. “First, cyberhackers themselves have become very organized to the point where they are run like corporations. With robotics and AI to help them, they can attack every minute of the day until they eventually find an opening. It’s hard to always be on top of that.”
The second aspect is that attacks no longer come solely from the outside in, says Cobey. “Protecting the perimeter is not enough to keep hackers out. They are becoming very proficient at entering organizations through phishing emails or other types of seemingly innocuous or routine interchanges. They are really good at pretending to be someone else and getting insiders to inadvertently let them in.”
CROSS-DISCIPLINE COLLABORATION IS KEY
“Cyber incidents can affect all senior leadership roles,” says Cobey. “The strongest companies are those that recognize cybersecurity is an issue that concerns the entire organization.”
Tabletop exercises are one way to get ahead of potential breaches. With these exercises, all the business and technical groups are brought in to respond to a simulated incident. “They can be very useful, as they will walk you through the timelines, who gets affected, communications, and who is involved in approvals,” says Cobey. “They help people to really understand how incidents happen, how to manage them, and who needs to get involved.”
CPAs and finance leaders should be fully engaged in tabletop conversations as they can help address issues such as paying ransomware attackers and the potential financial and reputational impact on the company, says Xiang. “They also need to be there to provide input around regulatory compliance requirements and reporting.”
At Richter, tabletop sessions are the first in a three-stage cybersecurity process that moves up the ranks to the C-suite and board of directors, he explains. “Organizations need to be proactive by bringing the right people together and securing the board’s agreement before a breach happens. It’s much better to test things out and get people thinking on the same page.”
Richter goes through the process of simulating an attack with all the executives to see what decisions need to be taken at each stage, he explains. “An example might be a phishing scam or a breach involving financial data. The questions a finance leader might ask include: Do we have the controls in place to stop wire fraud from happening? Do the systems affected have anything to do with finance? Should we pay the ransom and if so, is the payment covered by insurance?”
Cobey has also seen a growing corporate interest in establishing “fusion centres” that bring together multiple disciplines to address cybersecurity. Participants can include the cybersecurity, legal, privacy, IT and other groups.
“Creating fusion centres allows groups to find areas of collaboration, react faster and understand the full breadth of a threat in order to better respond. CPAs should be asked to join the table as data and money do not operate in a vacuum.”
HOW TO STAY AHEAD OF THE CURVE
Cybersecurity requires constant vigilance on the part of all senior leaders. “When it comes to cybersecurity, what was relevant one or two years ago will not be today,” says Xiang. “The technology and sophistication of hackers keep changing.”
One important preventive action that senior leaders can take is to gain an understanding of who is attacking their sector and the types of cyber attacks they are more likely to attract, explains Xiang. “There are three risk factors to consider—financially motivated attacks, nation state attacks and activism,” he says. “Banking and accounting firms would be more vulnerable to financially motivated attacks as they hold considerable sensitive data on businesses and individuals, while the energy sector is more at risk from nation state attacks.”
Cobey also advises that leaders revisit their current practices at least once a year depending on the size of the organization and the number of incidents. Within larger companies, the board and C-suite should be getting quarterly updates from the technology team and these updates may be managed or overseen by the risk group, she notes. “Key performance and risk indicators should be tracked monthly or even weekly to see if there are any spikes or issues around the security and availability of systems.”
Other valuable tactics include regular internal phishing tests and ongoing cybersecurity training.
When investments in tools are made, CPAs play a key role in determining whether funds allocated to cybersecurity are invested wisely, says Xiang. “One thing we do at Richter is a maturity assessment to gauge how effective tools may be and if they are applied properly.”
As far as reporting is concerned, CPAs and senior leaders also need to be aware of their obligations with regard to the various authorities, including federal and provincial regulators, so that they are not scrambling to learn this information after an incident occurs, says Xiang. “Reporting can get very complicated as you may also have contracts with customers stating you must report cyber breaches within a specific time frame. There could be financial implications if you don’t meet the criteria.”
“Some organizations have disclosure committees to keep on top of the different rules,” says Cobey, adding that it’s important for CPAs and other senior leaders to keep CSA expectations and those of other applicable regulatory bodies in mind regarding reporting of cyber incidents by public companies. “Depending on the severity of an incident, the reporting timelines can be short and require legal, regulatory, or finance involvement to determine what needs to be reported, when.”
STAY PROACTIVE
Given the broad scope of cybersecurity planning, senior-ranking CPAs must be key players in leadership conversations around preventing, responding to and analyzing the impact of cyber attacks. “CPAs along with other senior leaders need to be more proactive in recognizing what risks exist, how big they are, and the fault lines within the organization,” says Cobey. “The more knowledge you have, the more proactive you can be in safeguarding yourself and your company.”
BE CYBER SAVVY
Learn about cybersecurity and privacy themes that directors should keep on their radar, and why it’s important for CPAs in all roles to gain a familiarity with the subject. Plus, check out CPA Canada’s extensive tech resources on subjects such as AI and machine learning and brush up on your knowledge with its data management foundations and advanced data management certificates.