The CFO and Cyber Security Risk (English edition).pdf


Cyber and the CFO

A report by ACCA and Chartered Accountants Australia and New Zealand together with Macquarie University and Optus

© The Association of Chartered Certified Accountants, May 2019

About ACCA

ACCA (the Association of Chartered Certified Accountants) is the global body for professional accountants, offering business-relevant, first-choice qualifications to people of application, ability and ambition around the world who seek a rewarding career in accountancy, finance and management.

ACCA supports its 208,000 members and 503,000 students in 179 countries, helping them to develop successful careers in accounting and business, with the skills required by employers. ACCA works through a network of 104 offices and centres and more than 7,300 Approved Employers worldwide, who provide high standards of employee learning and development. Through its public interest remit, ACCA promotes appropriate regulation of accounting and conducts relevant research to ensure accountancy continues to grow in reputation and influence. ACCA is currently introducing major innovations to its flagship qualification to ensure its members and future members continue to be the most valued, up to date and sought-after accountancy professionals globally.

Founded in 1904, ACCA has consistently held unique core values: opportunity, diversity, innovation, integrity and accountability. More information is here: accaglobal

About Chartered Accountants Australia and New Zealand

Chartered Accountants Australia and New Zealand (Chartered Accountants ANZ) is a professional body comprised of over 120,000 diverse, talented and financially astute members who utilise their skills every day to make a difference for businesses the world over. Members are known for their professional integrity, principled judgment, financial discipline and a forward-looking approach to business which contributes to the prosperity of our nations.
We focus on the education and lifelong learning of our members, and engage in advocacy and thought leadership in areas of public interest that impact the economy and domestic and international markets. We are a member of the International Federation of Accountants, and are connected globally through the 800,000-strong Global Accounting Alliance and Chartered Accountants Worldwide which brings together leading Institutes in Australia, England and Wales, Ireland, New Zealand, Scotland and South Africa to support and promote over 320,000 Chartered Accountants in more than 180 countries. We also have a strategic alliance with the Association of Chartered Certified Accountants.

About the Optus Macquarie University Cyber Security Hub

Launched in 2016, the Optus Macquarie University Cyber Security Hub is an exciting collaboration between Macquarie University and Optus. This AUD10 million joint investment is the first initiative of its kind in Australia addressing this profoundly multifaceted challenge that is cyber security by linking academics in information security, corporate governance, financial risk, criminology, intelligence, law and psychology together with cyber security experts from industry and government.

The Cyber Security Hub forms a network of academic, business and government leaders:
  • Providing expertise and leadership in cyber security regarding technology, governance, policies and human factors;
  • Offering a platform for exchange between academics and practitioners from business and government;
  • Conducting cross-cutting research across several disciplines in the field of privacy, cyber physical systems security, secure artificial intelligence and human-centric security;
  • Training the next generation of cyber security specialists as well as raising awareness among our leaders and developing the skills of the existing workforce.

About Optus

At Optus, we're passionate about creating compelling customer and employee experiences, and bringing to life the spaces and things that make this possible.

It's about empowering our customers to thrive in an age of unprecedented digital disruption. And it's why Optus is trusted by thousands of Australian organisations who value a partner that understands the full breadth of managed technology and services from applications, security, cloud-led ICT, to collaboration and contact centres. All underpinned by our smart and secure network.

Backed by the international strength of the Singtel group and the power of our mobile, fixed and satellite networks, regional strength and local expertise, Optus Business brings together best of breed partners to create the solution that's right for Australian organisations.

No longer is it about products and services, but a connected digital experience that empowers people to do more.

About this report

In October 2018, ACCA and Chartered Accountants ANZ, together with Macquarie University and Optus, conducted a survey among their members globally to seek their views on cyber security and its implications for the finance function.

This report shares the results of the global survey and draws insights from several interviews conducted as part of the research.

Over 1,500 survey responses were gathered from a broad range of sectors, as follows.

Employees
  • 0 - 9 employees, 7%
  • 10 - 49 employees, 12%
  • 50 - 249 employees, 17%
  • 250 - 1,000 employees, 22%
  • 1,001 - 2,500 employees, 11%
  • 2,501 - 5,000 employees, 9%
  • 5,000 + employees, 22%

Sector
  • Public practice (accountancy firm / SMP / sole practitioner), 13%
  • Public sector (including government), 17%
  • Financial services (including banks or insurance companies), 17%
  • Not-for-profit, 7%
  • Corporate sector (including industry and commerce), 39%
  • Other, 7%

Role
  • Chief Financial Officer (CFO) / Finance Director, 10%
  • Chief Operating Officer (COO), 1%
  • Director / Executive / Partner, 6%
  • Accountant / Financial Accountant / Management Accountant, 31%
  • Internal Auditor, 9%
  • Financial Controller, 9%
  • Sole practitioner / self-employed, 1%
  • Other, 33%

Acknowledgements

ACCA, Chartered Accountants ANZ, Macquarie University and Optus would like to thank all individuals and organisations that have contributed to producing this report.

Foreword

Helen Brand
Chief Executive, ACCA

Rick Ellis
Chief Executive, Chartered Accountants Australia and New Zealand

Yet, cyber security is not often seen as a business risk; we seem content to leave it to a focused group of professionals who have strong technical ability but may not have the financial awareness necessary for evaluating the potential consequences of a security breach. It cannot be left to the information technology professionals alone.

Finance professionals need to take advantage of the education programmes available to them to ensure that they have enough up-to-date technical knowledge. They are not required to be experts; rather, they need to be sufficiently competent in this area to assess and manage the level of risk. They need to be able to evaluate the investment case and to support the necessary prevention activities. It is however not just about prevention, because failure here is potentially inevitable. It is also about being able to manage effectively the consequences of a successful attack: consequences that can be measured in reputational damage and fines. Some of these instances are more visible than others as media attention focuses on data privacy issues and the majority probably get less publicity but still affect supply chains and confidence.

The finance community cannot ignore cyber risk. It is a complex issue but one that finance professionals need to become very familiar with. This report sets out the case for this and contextualises many of the cyber risks, some much less known than others but equally plausible and potentially even more devastating for organisations.

Finance professionals need to understand and play their full role in managing cyber risk in their organisations.
Weakness in cyber security is a significant business risk across all organisations. The level of threat evolves and changes as technology changes. Organisations are, however, increasingly connected and this too transforms the risk profile.

Professor David Wilkinson
Deputy Vice-Chancellor (Corporate Engagement and Advancement), Macquarie University

Stuart Mort
Chief Technology Officer Cyber Security

it is also responsible for some of the most sensitive and valuable data the organisation possesses. The CFO will play a key role in identifying the information that it is most important to protect.

1.2 EFFECTIVE CYBER RISK MANAGEMENT AND GOVERNANCE

The CFO should also be able to participate fully in a robust discussion about cyber security with the board, the wider organisation and outside stakeholders, and to position it as a business and commercial risk to be mitigated by a range of measures, not all of which are technological. Finance also has the skills to oversee audit, inventory, testing and compliance, and will take the lead in the assessment and underwriting of cyber insurance.

CFOs need to use their existing role in the organisation to promote cyber-security: the CFO and the finance department are highly trusted and experienced in explaining the business logic behind the financial restrictions and controls they implement.

In the event of an attack, the CFO will naturally be one of those who are expected to provide accurate assessments of the potential damage and lead both internal and external actions and communications to relevant stakeholders.

1. Why does cyber risk management matter?

And finance is in the front line of attack. Not only is financial data under attack but cyber-attackers will also target the finance department and personnel directly in their attempts to steal and defraud.
CFOs need to engage with IT to ensure that their own vulnerabilities are both understood and addressed.

Cyber security can seem like a daunting task: the technologies of both defence and attack can be complex and the jargon can be impenetrable. But the threat only exists in a wider context of human behaviour and corporate culture. CFOs do not need to become technical experts in cyber-attacks and their prevention, but they will serve their organisations best by being fully aware of the range of cyber threats and promoting cyber security.

Cyber security is not just an issue for the IT department. It is a business risk that affects everybody. This fundamental issue is considered in Chapter 3, section 3.1. Before considering the nature of the risk, in Chapter 2 we review the results of a survey undertaken in late 2018 of ACCA and Chartered Accountants ANZ members and their attitudes to cyber risk and understanding of cyber threats.

1.3 SIZE DOES NOT MATTER

It would be wrong to assume that only larger organisations are affected by cyber-crime. The balance is shifting in that organisations of any size are vulnerable as the threat profile evolves. Whether your organisation is large or small, a sole trader or a large multinational, you need to be aware of the impact of cyber risk. Our survey showed no area for complacency.

Supply chains are becoming more complex and the demands placed upon small and medium-sized enterprises by others in the supply chain mean that they too need to have an appropriate level of cyber protection. It is frequently seen as a burden that is placed upon them yet is now essential for conducting business.

Smaller entities face their own issues in maintaining effective cyber security. As the nature of the threat continues to evolve, keeping up with the extent of the threat and the increasing level of complexity of attacks can be challenging from a resource and a cost perspective. Yet, to fail to do so may preclude the organisation from obtaining contracts.
Collaboration and use of available resources, such as those provided by national authorities, are key to addressing this for these entities.

1.4 THIS REPORT

In Chapter 2 of this report we consider how those in the finance community assess their level of understanding of:
  • the business impact of cyber (sections 2.1 and 2.2);
  • where the responsibility and accountability lie (section 2.3);
  • the relationship of cyber risk and governance (section 2.4);
  • the importance of data management (section 2.5);
  • the impact of cyber-attacks (section 2.6), and
  • our response (section 2.7).

Chapters 3 to 5 consider how we manage the cyber risk in organisations and the role that finance should be playing in this.

Chapter 6 considers a number of the elements of the cyber risk. It:
  • explains the lifecycle of a cyber-attack (section 6.1);
  • considers the nature of the threats that organisations currently know that they face (section 6.2) and those that are emerging (section 6.3);
  • discusses risks arising from those with whom we interact as we live in a connected world where these contacts can also put us at risk (section 6.4);
  • considers the overarching human aspect of cyber risk (section 6.5), and
  • explores attempts to quantify cyber risk (section 6.6).

Throughout the report we refer to guidance and standards available from governments and other organisations. Reference is made to ISO/IEC 27001 in Chapter 3, section 3.4 together with SOC (Service Organisation Control report) 2 and SOC 3 standards.

Chapter 7 provides a summary of key practical actions for each of the board, finance teams and users.

2.1 CYBER SECURITY: THE STATE OF PLAY

While many CFOs will comment that they are aware of the level of cyber risk likely to occur, our research suggests that CFOs need to be much more proactive.
Cyber security is not just an issue of protecting assets, updating software and ensuring that you have up-to-date virus protection installed, it is increasingly a business issue in its own right, one that can lead to significant reputational damage or financial loss if an organisation is not prepared for the inevitable eventuality: a successful attack.

Financial and reputational implications

When TalkTalk, a UK telecommunications and internet service provider, was attacked in 2015 the immediate impacts were widely reported: 157,000 personal details were stolen. The estimated cost to TalkTalk was £77m, including a £400,000 fine levied by the UK Information Commissioner (Lyons 2018). Commenting on this case, the UK Information Commissioner, Elizabeth Denham, said: "TalkTalk's failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk's systems with ease. Yes, hacking is wrong, but that is not an excuse for companies to abdicate from their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action."

Less widely reported in this case were the company's subsequent loss of 90,000 customers and the immediate 10% drop in its share price a
