In late 2017, one of the "big four" auditors was hacked:
"A bombshell report on Monday revealed [...] a major cyber attack that compromised [auditor's] email system and certain client records. The news is a major black eye for one of the world’s “big four” accountancy and consulting firms."
"sources claimed the hackers accessed the entirety of the firm’s internal email database, and all administrative accounts. Worse, it appears the hackers transferred or copied a significant amount of that confidential data"
"Those messages may have revealed their client’s secret corporate strategies or sensitive intellectual property. Meanwhile, all of those email addresses would provide crooks with ample opportunities for spear-phishing scams targeted at top executives."
Imagine you're the CEO, COO, CFO or board member of a large company and you see an article like the one referenced, but listing your auditor as the one hacked. Are you concerned that sensitive internal data may now be at risk? What about employee or customer data? Will your competitors find out?
It Was Predictable
Even the best, brightest tech companies and banks have been hacked and breached. No matter how much time and expertise is available, every perimeter has openings: zero-day exploits, missing or delayed patches, system misconfigurations, forgotten security modules, missing IP restrictions, human error.
The reality is, auditors are targets. Criminals know they are awash in sensitive client data. And despite having a lot of great capabilities, they likely spend more effort on their clients' behalf than on their own. (The auditor in question has a huge cyber security practice, for example - it didn't save them.)
Auditing is also a reality for the large or regulated enterprise. Every quarter at least two sets of disclosures have to leave the corporate perimeter to ensure audited results are available for board meetings. The first is to the pre-audit team. The second is to the audit team proper. Most of the data provided to the second group becomes public in time. But the discussions and broad disclosures to the first team usually don't - and never, ever stop being sensitive.
They Don't Need Copies
From the perspective of a financial officer, neither pre-audit nor audit teams require copies of the disclosures. They only need to see the documents, record them, and likely enter key data items into their own internal system. Defending that system is their problem, not yours. Your sensitive documents, with your corporate logo - among other things - should never, ever be copied and stored in their system.
Financial & Reputation Impact
The cost of data breaches reached record highs in 2019. That said, direct breach cost likely isn't the main issue for auditors. They rarely review large amounts of raw data such as customer data with PII or PHI, and if there were a need to do that, they would likely sign a BAA or other agreement covering specific data sharing.
Damage to a company's reputation, though, can be severe, impacting sales, stock performance, hiring, partnerships and more. A survey by another big four firm showed that 87% of consumers will take their business to a competitor if they don’t trust a company to handle their data responsibly.
Enter The CFO
As a result of this emerging reality, CFOs at the most risk-aware companies have expanded their roles to include managing financial risk due to data breaches. Five key steps they can take to secure their company for their shareholders:
1. Tweak The Budget
A key transformation is to direct budget flows to reduce risk around sharing with auditors and other critical external parties. This can start at the infrastructural financial level, partnering with CISO and IT teams to set the right level of cyber insurance coverage and ensure that appropriate governance procedures are in place. The CFO can play a critical role bridging the reality of cash and spending with the rising costs of cleaning up after breaches. In particular they can tie the cost of cloud asset scaling to agreed expense (or revenue) levels. This ensures overall cloud transitional costs are linked to growth.
2. Design For Compliance
Beyond taking ownership, CFOs can organize and aid managers in mapping out data sharing scenarios, pushing them to determine sensitivity and the upside of sharing, and to align goals around containment and traceability. This helps the business understand, weigh and prioritize the cost of the security provided, and highlights risk areas. When sensitive data needs to be shared, especially in volume, the CFO should work with business managers to identify the appropriate controls required.
3. Represent Employees
Internal data breaches usually impact employees' professional and personal lives. For example, publishing an employee's corporate email address may expose them to phishing attacks. If they also use their laptop for personal purposes, the risk of additional loss is even higher. Breaches around compensation or business unit performance can be massively inflammatory and impact large numbers of employees and executives. These can in turn impact company performance, stock price - and reputation. Having the CFO take charge of the communication and response to incidents like breaches shows how seriously the company and board take them, and helps reassure employees they won't be left to fend for themselves.
4. Prepare Answers
One of the most important reasons for the CFO to expand their role to include cyber security is communication. They are front-line communicators regarding financials and risk. Few people in the organization are better equipped to speak to the impact and response to data breaches. Research shows that the response to the breach is most important to reassuring investors, board members and critical partners that the business will survive.
Every CFO should be able to answer questions from their board, executives or management team, including:
Stay In Control
Fine-Grained Sharing Controls
The e-Share platform allows users to share sensitive and/or regulated data with external recipients using nothing more than a browser - no plug-ins required - in view-only or edit-online-only modes, so copies can't be saved and copy/paste is disabled. Alternatively, if auditors must have copies of data, you can require watermarking with the recipient's email and IP address to ensure you can trace any unauthorized release.
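To make the tracing idea concrete, here is an added example (not e-Share's code, and not a description of how that product implements its watermarks) of a per-recipient watermark built from the recipient's email and IP address, plus a registry that maps a leaked copy back to the share it came from. The `ShareRegistry`, `make_tag` and `stamp_document` names, the demo key and the sample document text are all constructed for this illustration. The tag is a keyed HMAC over the document id, email and IP, so a recipient who edits the printed email or IP to point the finger at someone else breaks the binding and the trace fails closed instead of naming the wrong party.

```python
"""Per-recipient forensic watermark for shared disclosures (illustrative, stdlib only)."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed demo secret: in a real deployment this lives in a secrets store,
# never in source. It binds each watermark tag to the issuing organisation.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

TAG_LEN = 16  # hex characters of the HMAC kept in the visible watermark


@dataclass(frozen=True)
class ShareRecord:
    doc_id: str
    recipient_email: str
    recipient_ip: str
    tag: str


def make_tag(doc_id: str, email: str, ip: str) -> str:
    """Keyed tag over (document, recipient, source IP); only the key holder can mint one."""
    msg = f"{doc_id}|{email}|{ip}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:TAG_LEN]


def watermark_line(rec: ShareRecord) -> str:
    return (f"CONFIDENTIAL - shared with {rec.recipient_email} "
            f"from {rec.recipient_ip} - ref {rec.tag}")


def stamp_document(body: str, rec: ShareRecord) -> str:
    """Visible watermark on the copy handed to this recipient (plain text for the demo)."""
    line = watermark_line(rec)
    return f"{line}\n{body}\n{line}\n"


_WM_RE = re.compile(r"shared with (\S+) from (\S+) - ref ([0-9a-f]+)")


class ShareRegistry:
    """Records every external share so a leaked copy can be traced back to it."""

    def __init__(self) -> None:
        self._by_tag: Dict[str, ShareRecord] = {}

    def share(self, doc_id: str, email: str, ip: str) -> ShareRecord:
        email = email.strip().lower()  # normalise so the tag is stable for this recipient
        rec = ShareRecord(doc_id, email, ip, make_tag(doc_id, email, ip))
        self._by_tag[rec.tag] = rec
        return rec

    def trace(self, leaked: str) -> Optional[ShareRecord]:
        """Return the share a leaked copy came from, or None if no valid watermark is present."""
        m = _WM_RE.search(leaked)
        if not m:
            return None
        email, ip, tag = m.groups()
        rec = self._by_tag.get(tag)
        if rec is None:
            return None
        # Recompute the tag from the fields printed in the leaked copy: editing the
        # email or IP to frame another recipient breaks the keyed binding.
        expected = make_tag(rec.doc_id, email, ip)
        if not hmac.compare_digest(expected, tag):
            return None
        if (email, ip) != (rec.recipient_email, rec.recipient_ip):
            return None
        return rec


if __name__ == "__main__":
    registry = ShareRegistry()
    # Constructed sample share: a pre-audit disclosure sent to an auditor's address.
    record = registry.share("10Q-pre-audit-2019Q3", "Auditor@Example.com", "203.0.113.7")
    copy = stamp_document("Constructed sample: Q3 revenue bridge and reserve commentary.", record)
    print(copy)
    print("traced to:", registry.trace(copy))
```

A visible watermark can of course be cropped or retyped out of a copy, and the registry then returns nothing; that is why the post puts view-only sharing with copy/paste disabled first and treats watermarked copies as the fallback for recipients who genuinely need them.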