Be prepared incident response plans help stem costs of a cyberattack.

• Author: Westfall, Skip
• Position: CYBERSECURITY

Cyberattacks aren't something any financial executive wants to think about, but failing to consider the likelihood of an attack occurring isn't an option either. Like most unwanted corporate events, failing to plan for a possible cyberattack drives up the costs if one occurs.

U.S. companies experience some of the highest costs from cyberattacks, according to the 2014 Cost of Data Breach Study from the Ponemon Institute. The report put the average total cost of a single data breach to U.S. companies at $5.9 million, and $195 per record of information. Among companies representing 10 countries, those in the U.S. also experienced the highest costs associated with post-breach activities and related to lost business.

The Ponemon study emphasized, however, what many proactive financial executives already know: by taking certain actions, they can potentially reduce the costs associated with a data breach. For instance, companies with an incident management plan were able to reduce the cost per compromised record by $12.77. Not only is it economically prudent to have an incident response (IR) plan, it's a common-sense precaution that financial executives should insist upon.

After all, CFOs, in particular, bear some responsibility for cybersecurity. They are often expected to assess cybersecurity risks, help align cyber security strategy with business objectives and get buy-in from the board on necessary cybersecurity investments. Not to mention, the CFO is inevitably involved in helping to clean up the financial and legal mess that typically accompanies a data breach. CFOs are also in the best position to address the scrutiny companies may receive from the SEC in the aftermath of a cyberattack because the commission has listed cybersecurity as a priority in its compliance examination program.

Preparing for a Breach

CFOs can be instrumental in helping their organizations prepare for a possible cyberattack. Hoping it won't happen or simply transferring responsibility for cybersecurity to the IT department are not good options. Financial executives can help their organizations shore up their cybersecurity defenses with the following actions:

(1) Take inventory of your assets. Knowing the types of data the company has and their locations is a first step toward protecting valuable information assets. Through the process of data mapping and classification, organizations can identify and locate their sensitive data. Think of it as the digital equivalent...