With ransomware attacks rising, new threats on the horizon and SEC cyber disclosure rules in mind, five CFOs share how their involvement in cybersecurity has expanded.
By Russ Banham
CFO Jim Caci left software provider AvePoint in 2013 to become the finance chief at three successive businesses, before returning as its CFO in 2021.
Aside from the now-publicly traded company’s revenue growth, the biggest “then and now” difference is the budgeted capital for cybersecurity.
“When AvePoint was privately held, there were certainly cyber threats but nothing like what we have today,” said Caci. “Back then it was more a matter of ‘if’ we’d be subject to a cyberattack; today it’s a matter of ‘when.’ Cybersecurity went from a minor line-item budget consideration to an ever-growing chunk of corporate spend.”
Focusing on Resilience
AvePoint is an advanced platform designed to optimize SaaS operations. The company tallies 2,200 employees across 25 global offices and more than 17,000 customers including Citi, Bloomberg and the U.S. Department of Defense. While Caci is responsible for the budget to “do everything I can as CFO to prevent a cyberattack from occurring,” he is also a pragmatist. “The risk depends on people not doing something they shouldn’t be doing, like opening a suspicious email exposing the company to malware,” he explained.
People are human beings, after all, subject to making mistakes due to inattention, distractions or fatigue. Consequently, Caci’s budget emphasizes something else that didn’t register a decade ago: cyber resilience, the ability to recover quickly from a cyber incident. Today, the CFO’s involvement in cyber risk deliberations, decisions and actions is considerable. He has a standing monthly call with AvePoint’s chief information security officer (CISO) and ad hoc meetings when warranted. “I’m pretty well-versed on the subject, given the need to budget for both cyber defense and resilience,” he said.
Like all finance chiefs, Caci treats protecting what really matters, at a price the company can afford, as a front-and-center concern. The challenge is the resolve and war chests of threat actors, particularly those behind cyberattacks directly linked to adversarial nation-states. Their favored form of attack is ransomware, which encrypts files and data to prevent access. According to NCC Group’s 2024 Cyber Threat Intelligence Report, the number of ransomware attacks last year increased 84 percent from the prior year.
Other studies paint a similarly bleak landscape. Nearly four in 10 (39 percent) middle market CFOs in BDO’s 2024 CFO Outlook Survey said that data privacy breaches pose a greater risk to the business in 2024 than in 2023. Such threats will worsen, according to a global survey by Protiviti of more than 1,100 board members and C-Suite executives. Asked for their top five risks at present and in 10 years, “cyber threats” ranked number three in 2024 and number one in 2034.
The most dramatic change since Caci last led finance at AvePoint is that Uncle Sam is watching the action. The Securities and Exchange Commission’s Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure regulation requires publicly traded companies to report a material cyber incident in four days and material information regarding their cyber risk management, strategy and governance. “Three parties are ultimately accountable for the governance of our cyber readiness and SEC disclosures; that’s the CISO, legal counsel and me,” Caci said.
Fiscal Discipline
Interviews with four other CFOs indicate that they, too, are deeply engaged in helping safeguard their companies from attacks, providing ongoing cyber risk awareness training and investing in cyber resiliency to maintain business continuity in the aftermath of a disruptive cyber event. “My role in my six years here as CFO has changed enormously,” said Anthony Rose, CFO at alternative small business loan lender Kapitus, which originated more than $1 billion in financing across the U.S. in 2023.
Although Kapitus is privately held, Rose complies with the SEC’s cyber risk rules to ensure the company is adequately defended and able to recover quickly. “I’m the person here best equipped to answer questions on materiality,” he said. “CFOs are also in a position to pull people together after a cyber event to understand what happened, what it means, if it’s material to our investors and how long we’re down for. It’s the natural role we play.”
Functions like enterprise risk management and internal audit also report to him, each also involved in managing cyber threats. “Enterprise risk is responsible to table-test different attack scenarios and internal audit evaluates the cyber function and recommends safeguards, better preparing us defensively and offensively,” he explained. “Like Mike Tyson said, ‘Everyone has a plan until they get punched in the face.’ We do what we can to keep fighting.”
Asked for an example, he cited the value of war planning exercises involving fake attack scenarios to gauge the effectiveness of the response. “The SEC wants to know if you’re prepared and the only way to do that is through ‘test and learn’ exercises, modifying processes based on the results,” he said, adding that the CFO’s responsibility is to “establish the policy providing the steps needed to reach the goal, in this case continuous process improvements.”
His biggest responsibility is to fund these actions, the toughest task of all. “You can go nuts,” Rose said. He equated this duty to the Maginot Line, a fortified defensive barrier built by France in World War II that failed to prevent an invasion by Germany. “The risk is you keep spending so much money and it inevitably proves to be ineffective. I don’t want to be ‘penny-wise, pound-foolish,’ but I also don’t want to break the bank.”
To find the right balance, he relies on the knowledge and expertise of the heads of IT and information security. “They’re professionals who can explicate why they’re asking for this or that; my job is to constantly press them on the investment return, what I will get for what I give,” he said. “I ask them to prioritize their ‘asks,’ rank our vulnerabilities, whether more [money] should go to offense or defense, and what can wait till next year.”
Doing More with Less
CFO Amanda Aponte at SFM Mutual Insurance has been knee-deep in cyber risk management since becoming chief risk officer in 2018 at SFM, a midsized insurance company that provides workers’ compensation products to more than 53,000 businesses in 34 states. “As the CRO, I spent a lot of time building our framework for enterprise risk management to get a better handle on each individual risk’s potential frequency and severity,” she said.
Appointed CFO in August 2020, Aponte said this early examination revealed that cyber threats had the potential to generate not only an expensive event but also a very high risk frequency, “which was hourly then and is now minutes today,” she said.
The experience was a valuable introduction to what could go disastrously wrong, impelling the then-CRO to establish and document the insurer’s cyber risk management processes for its auditors and board of directors.
Today as CFO, her role has expanded to provide the financial resources supporting the CIO’s oversight of front-end cybersecurity and the teams managing the back-end response to a cyber incident. “We protect our data in many ways, putting up lines of defense and then monitoring the network to detect and prevent attacks,” she said. “In terms of recovery, we have robust off-site backup systems and other ways of making sure our data is accessible. But we continue to feel that employees are our number one risk point.”
Aponte’s cyber budget prioritizes employees, insofar as investing in their training to better detect spear phishing and other cybersecurity scams opening the doors to the network. “We provide quarterly training sessions provided by an outside vendor and send mock phishing emails targeting specific employees across the business to see how they react,” she said.
In a similar vein, penetration testing is performed on different systems to discern vulnerabilities. “Afterwards, I get a priority list of three or four recommendations to put certain safeguards in place; I look at how expensive they are and then time-box them [for implementation] based on which ones will be most impactful. If it’s a high-level security issue, we put it in place right away,” she said. “Balancing the investments in cyber preparedness and response is so very important, as you could spend endless dollars trying to make yourself bulletproof.” Time-boxing is an Agile time management technique for organizing project priorities and milestones.
SFM, a mutual insurer owned by its policyholders, is not a public company required to disclose material cyber events to the SEC within four days. Like Rose at Kapitus, Aponte nonetheless oversees cyber risk management as if this were the case. “We’re fortunate that the National Association of Insurance Commissioners, an organization representing state insurance regulators, has implemented a data security model law for implementation on a state-by-state basis,” she said.
The model law requires licensed insurance companies to develop, implement and maintain an information security program, investigate any cybersecurity events, and notify the state insurance commissioner of such events within 72 hours. “The model law also requires insurer oversight of third-party service providers, insofar as vetting their data protection security measures,” she said.
Managing Spend
Ken Talanian, CFO at self-learning technology platform Skillable, said finance chiefs are intensely focused on the existential threats posed by cyber risks for compelling reasons: “An attacker only has to be right once, your defense has to work 100 percent of the time and the outcome can be terrible.”
Skillable’s 200 employees provide hands-on learning and skills validation in a simulated lab environment to more than 400 global customers like IBM, Microsoft and Amazon. Talanian joined the company in January 2024 following a four-year stint at KnowBe4, where he served as senior vice president of financial planning and analysis.
“At my prior firm, I was actively involved with the CFO as cyber risks surged across industries. Now as a CFO myself, I find I’m in the center of it all, beholden to the audit committee’s questions as they become more concerned about the potential outcomes,” he said. “It’s manageable, but you can spend infinite amounts of money locking down the organization, to a point where it is no longer functional.”
Talanian meets monthly with a team that includes Skillable’s CEO, CISO and other C-Suite executives to discuss the company’s current state of cyber preparedness and resilience, and the capital needed to further both aims. Topics range from new cyber defense tools to analyzing recent spear phishing attempts. “We’ll discuss what we’re seeing in our inbound email traffic to keep a pulse on the active threats,” he said.
Another topic is the dearth of experienced cybersecurity professionals. “Much larger companies are positioned to pay the high salaries involved. Consequently, I need to manage an appropriate level of spend for third-party cybersecurity MSPs (managed services providers) to fill in gaps in internal talent, as we can’t do it all ourselves,” he said.
One area receiving special focus is spear phishing. “If someone receives an email ostensibly from a high level executive asking the employee to wire money to the executive, there’s a good chance it’s a phishing attack,” Talanian said.
In such cases, the team requires the recipient to contact the presumed email sender by phone or through Google Chat, a secure communication and collaboration tool, to verify the content. “Like all CFOs, I’m hyper-focused on processes, in terms of having the right approval levels to perform tasks,” he said.
Bigger Budgets
CFO Kara Smith at LogicGate also struggles with budgeting the right amount of spend on cyber defense and recovery. “At my last company, the CISO would come in and say, ‘Here’s what I need from the budget,’ and I’d reply, ‘Okay, what do you really need?’” she said.
Smith explained that there’s a tendency among CISOs to “ask for everything, which is understandable given these are mission critical risks. People, technology and security are the most important investments in any business today. I want to be supportive and aligned in finding the funding, but I can’t give everything.”
One way Smith balances her budget priorities at LogicGate, a provider of risk management and compliance solutions to customers like Hyatt International, Rite-Aid and DocuSign, is to stack-rank the requested security spend. “We have a robust InfoSec team and a strong CISO leader, whom I engage with in biweekly security meetings on the programs we have in place,” said Smith. “Occasionally, he’ll ask for additional spend to bring in an outside consultant to advise on a new piece of technology to safeguard our systems. I then ask him to rank the request as a ‘must have,’ a ‘need to have’ or a ‘nice to have.’”
To pressure-test her budget decisions, Smith solicits the advice of board member Emily Heath, a former CISO at United Airlines. “When I receive a ‘need to have’ stack ranking, for instance, I go to Emily and say, ‘What do you think?’ It helps me narrow my decision,” she explained.
Smith’s biweekly meetings with the CISO and CTO may include the CEO and other senior executives. “The CEO wants to be sure there are no surprises, and if there are that we’re well in front of them,” she explained, noting that post-incident, the event is reported to investors and customers along with the mitigation steps taken to ensure it doesn’t happen again.
Aside from these planned meetings, Smith personally intervenes with the InfoSec team whenever a new piece of technology is introduced into the tech stack, vetting its security prior to implementation. The team also gathers whenever a big attack is in the news. “We diagnose the situation to assess whether we might be at risk and the response taken,” Smith said. “We then report our conversations in our Slack channel, summarizing what happened, our response to it, if we were concerned or not and the action items taken.”
AI Threat
Down the line, Caci at AvePoint said he fully expects to devote more budgeted capital to cyber preparedness and response. “No budget is unlimited, but for us this is a high priority,” he said. “All CISOs want to buy everything under the sun to protect the network and systems but that’s not feasible. We use certain cybersecurity defense products, but educating our people from the most senior levels down to someone who started last week about cyber risk vigilance is just as important as protecting the data.”
Apprised of the Protiviti survey finding that cyber threats will be the top risk to businesses in 2034, Caci was not surprised. “The reason is AI, which multiplies cyber risk by a factor of 10,000,” he said. “Threat actors will use AI to perfect and automate spear phishing attacks. If you’re hit with 10 such attacks today, they’ll escalate to 100,000 in 10 years.”
Certainly, the immensity of this future cyber risk was not in scope during his first stint as CFO. “When I returned to the company a little over two and one-half years ago, I increased the budget for cyber defense and resilience by at least 2x,” Caci said. “We’ll do everything we can to prevent cyberattacks and be in an optimal position to recover quickly, knowing it’s just a matter of when.”
Russ Banham is a Pulitzer-nominated business journalist and best-selling author.