Cybersecurity pressures stretch CFOs

By Alexei Alexis for CFODive.com

When Seth Cohen started his career in corporate finance as an analyst at Lehman Brothers, it was long before the internet exploded into a worldwide phenomenon.

Back in those days, nearly four decades ago, floppy disks and dot-matrix printers were still popular information technology tools.

Today, the internet is now deeply interwoven into daily business operations across the U.S. economy, serving as a major driver of growth and productivity while also posing a host of challenges, including cybersecurity and — in some cases — national security risks.

It’s one of the most important issues facing modern finance leaders, according to Cohen, who was recently named CFO of San Diego, California-based DMK Pharmaceuticals.

“Now, I think we’re joined at the hip with the IT department,” he said in an interview.

Cohen, 61, was appointed to his new role as part of a senior management shakeup designed to quickly turn around sales for two struggling drugs: Zimhi, used to treat opioid overdoses and Symjepi, used for acute allergic reactions. The company’s net revenue plummeted to just $9,062 in the third quarter ending Sept. 30, compared with $1.5 million for the same period in 2022, according to results released last month.

On top of these pressing financial concerns, Cohen is also focused on ensuring the company will be in compliance with new cybersecurity rules from the Securities and Exchange Commission. Among other requirements, public companies must disclose any “material cybersecurity incidents” to the agency on form 8-K within four days of determining that it was a material breach.

The new rules, which build on prior guidance, went into effect in September, with enforcement scheduled to begin this month. As of Dec. 18, all covered entities other than smaller reporting businesses are required to comply with the new breach disclosure mandates. Smaller reporting companies will be subject to them as of June 5 of next year.

Since the rules were finalized over the summer, public companies have been scrambling to make sure they have the appropriate policies and procedures in place for compliance.

“I guess December is going to be cybersecurity month at DMK,” said Cohen, who served as director of the Office of Pensions and Public Finance for the New York City mayor’s office in the 1990s under Rudy Giuliani. “We will be ready.”

Meanwhile, as companies prepare for the new rules, they’re already seeing ramped up cybersecurity enforcement from the SEC and other federal agencies.

“The stakes are high for CFOs because they include the possibility of being charged by the SEC or other government regulators as well as being sued in shareholder litigation and other private actions,” said Danette Edwards, a partner at Katten Muchin Rosenman and co-chair of the law firm’s Securities Enforcement Defense practice.

In recent years, the rapid escalation of cyberthreats — combined with related costs, business risks, and regulatory demands — has contributed to a growing set of pressures weighing on the office of the CFO.

“This is like one more thing being added to the pile of complexity — rising interest rates, talent shortages, and everything else,” said Josh Schauer, vice president of finance at Raleigh, North Carolina-based insightsoftware, which provides financial reporting and enterprise performance management software. “The last few years have been kind of a wild ride.”

Job creep has been a major source of stress for CFOs, especially given that their core tasks related to earnings reports and finances have not waned, as previously reported by CFO Dive. 

A 2022 survey by finance software firm Datarails, which is headquartered in New York, found that most CFOs (81%) believed they were suffering a more intensive day-to-day workload compared with all of their C-suite colleagues.

“Years ago, the CFO led teams that mostly prepared reports on historical financial results and set limits on spending,” said Steve Vintz, CFO of Columbia, Maryland-based cybersecurity company Tenable. “While that’s still part of the role today, now CEOs, boards, investors and others increasingly expect CFOs to be value-added business partners who can provide greater insights on the business and help best position the company for success.” 

The trend is showing no signs of slowing down, with technology issues in particular demanding more and more of CFOs’ time and focus.

In a Grant Thornton survey unveiled in July, cybersecurity and digital transformation topped the list of areas where CFOs expected to increase spending over the subsequent 12 months.

 

“I think the reason cyber is getting increased attention is because of the very real business ramifications,” said Christopher Hodson, chief security officer at data security company Cyberhaven. “And I think it’s increasingly landing on the CFO because they’re ultimately the ones who are trained in business risk.”

MGM Resorts disclosed in early October that it expected a cybersecurity breach it reported in September to impact the company’s third quarter financial results by about $100 million.

“We remain confident that the losses will be covered by our cyber insurance,” MGM Resorts CFO Jonathan Halkyard said during an earnings call last month.

The global average cost of a data breach between March 2022 and March 2023 was $4.45 million, a 15% increase over three years and an all-time high, according to a report published by IBM in July. Detection and escalation costs jumped 42% during the same period, representing the highest portion of breach costs, and indicating a shift towards more complex breach probes, the research found.

Destructive attacks that left systems inoperable accounted for one out of every four attacks, and another 24% involved ransomware, which involves a criminal’s use of malicious software to prevent companies from accessing their own computer files, systems or networks until a ransom is paid. Such attacks can also involve a threat to leak sensitive data to the public internet.

A White House report released in March identified ransomware as a national security threat. The document argued that some businesses weren’t sufficiently pulling their weight in the fight against cybercriminals, and it called for regulatory measures such as expanding minimum cybersecurity requirements in “critical sectors.”

“This strategy recognizes that robust collaboration, particularly between the public and private sectors, is essential to securing cyberspace,” President Joe Biden said in a statement included in the report. “It also takes on the systemic challenge that too much of the responsibility for cybersecurity has fallen on individual users and small organizations.”

In one high-profile incident that has drawn scrutiny from the SEC, software provider SolarWinds disclosed in 2020 that it suffered a cyberattack against the company’s Orion software platform. The attack, which is suspected to have been committed by a group backed by the Russian government, impacted U.S. agencies, including parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Department of Treasury, as well as major private companies, including Microsoft, Cisco, Intel, and Deloitte, The Wall Street Journal reported. 

The Government Accountability Office has said the breach is “one of the most widespread and sophisticated hacking campaigns ever conducted against the federal government and private sector.”

In October, the SEC sued SolarWinds and its chief information security officer, Timothy Brown, for allegedly defrauding investors by mischaracterizing cybersecurity practices that were in place at the company leading up to the attack. The Austin, Texas-based company has denied the charges and vowed to mount a defense in court.

“This case should be a wake-up call for all executives,” Tenable’s Vintz said.

Both Brown and the company’s CFO, J. Barton Kalsu, were put on notice during the agency’s investigation that they could face charges. While Kalsu ultimately wasn’t named in the suit, that doesn’t necessarily mean that CFOs in general can expect to easily get off the hook in such cases, according to legal experts.

“I think it’s going to be a fact-specific inquiry in every case,” Edwards said. One way that CFOs can mitigate personal liability risks is by documenting their justification for decisions such as rejecting a CISO’s request for increased cybersecurity funding, she said.

Cara Peterman, a partner in Alston & Bird’s Securities Litigation Group, recommended personal risk mitigation strategies such as: reviewing company bylaws and other corporate documents to make sure they provide for the fullest extent of indemnification permitted in the state where the organization is incorporated; reviewing directors and officers liability insurance policies to make sure they provide sufficient coverage; and building an ongoing relationship with the general counsel’s office.

“Generally speaking, you don’t want to be caught in a position where there’s not that ongoing relationship, and all of a sudden, you’re dealing with a breach and having to talk about these issues for the first time in the midst of all of that,” she said.