Security

The CFO's Role in the Data Breach War

Finance, working with IT, increasingly must manage the serious risks, from planning to handling fallout.

By Fred O'Connor

The disturbing rash of data breaches in recent years has demonstrated that data security -- always a huge concern of CFOs -- affects every company and its customers. Entertainment sites, clothing retailers, grocers and financial services institutions are only the latest and most obvious organizations to have had IT systems compromised or sensitive information stolen.

Traditionally, of course, data protection falls mainly in the IT department's domain. But while CIOs may manage the Wi-Fi networks and servers that criminals target, CFOs approve IT spending, and are often responsible for handling repercussions of a breach. That suggests that they should have a lot to say about data security planning, too, to go with their deep involvement in dealing with the fallout -- from notifying the parties affected by breaches, to reporting on the financial consequences.

Further, CFOs should serve as facilitators in helping "business managers treat security as an economic requirement," says Jay Heiser, a Gartner research vice president whose focus areas include IT risk assessment and management. And that’s something that finance people may do better than techies, because they’re not security wonks.

Data breaches "can absolutely impact your bottom line," says Mike Dandini, head of the management and professional liability underwriting unit at The Hartford, the insurance giant. Cyberinsurance, he adds, is the second most asked-about management liability product these days.

"The real issue comes down to how much data do they store," he says. "Do they keep a lot of personal, identifiable information? But also, for any company, your trade secrets, your proprietary information, all of that could be at risk. So from a CFO's perspective, that could impact revenues, good will, reputation and client trust. That all comes down to cost, whether it's lost revenues, or whether it's remediation."

Three That Hurt

And the consequences of breaches at Sony, TJX Cos. and the Hannaford supermarket chain, to name just three, have illustrated just how costly they can be.