Don’t read the word “cybersecurity” and assume it’s a problem for your IT department or CISO: In 2023, cybersecurity is firmly a CFO issue, according to Naj Adib, an advisory principal in Deloitte’s cyber and strategic risk practice.
And a new Deloitte report shows a business landscape increasingly focused on cybersecurity. According to the group’s August poll of more than 1,300 public company executives, nearly 65% say they have plans to strengthen their cybersecurity programs.
“Day in and day out, [everyone is] dealing with cyber risk,” Adib told CFO Brew.
Costly problem. Cybersecurity is the ultimate risk factor: In 2023, the average cost of a data breach worldwide was $4.45 million, marking a 15% increase in the last three years, according to a 2023 IBM report.
After a data breach, publicly traded companies endure a 7.5% decline in stock values on average, plus a mean market cap loss of $5.4 billion, according to 2019 research cited in the Harvard Business Review from data protection company Bitglass, which has since joined Forcepoint.
Ready, set, go. And publicly traded companies will soon be legally required to disclose the specifics of breaches to the Securities and Exchange Commission (SEC).
In July, the SEC adopted a new set of rules which will soon require public companies to report material cybersecurity breaches, as well as annually disclose information about cybersecurity “risk management, strategy, and governance.”
As a result of the new rules, Deloitte found that many orgs seem ready to step up their game. They’ve had time to prepare: 53% of respondents said their companies have already been planning for the new rules, a third each for up to six months, six to 12 months, or more than a year.
“There’s been quite a high level of engagement relative to this rule, because cyber is on everybody’s mind,” Adib explained.
Left behind? So, what to make of the 26.1% of survey respondents who say they have yet to start preparing for SEC compliance? It’s just a matter of time, Adib cautioned.
Many of the SEC’s requirements are “core, critical cyber capabilities” that organizations have likely already invested in, he explained. The companies that haven’t prepared yet are likely mulling over nuances within the rules, Adib said. “They’ll want to start to think about it relatively soon,” he added.
“Cyber is table stakes,” Adib said. “Most organizations, regardless of the final rules, are investing to strengthen their cyber programs.”