
Why should a CFO support a cybersecurity awareness program?

A cybersecurity awareness program is designed to broaden employees' views on the risks involving information and communication technology (ICT) assets. Although the main supporters of this type of program are usually information security professionals, the truth is that almost all departments can benefit from this awareness.

In the case of Chief Financial Officers (CFOs), the cost of cybersecurity awareness programs becomes a factor that needs to be considered. There is always some uncertainty as to whether any investment in the program is worth it.

Another more direct question involves the impact the awareness program has on the organization's purchasing and finance departments. 

In both cases, there are reasons for the CFO to also embrace the awareness program.

Return on investment

Calculating the return on investment in security can be challenging, but a study by the consulting firm Osterman Research created a model that considers the following criteria:

  • Losses from cyberattacks and outages;

  • Loss due to maintenance and repair of minor and major events;

  • Cost of the awareness program;

  • Employee salary and cost for them to take part in the program.

The study estimated returns between 69% and 562%, depending on the size of the organization and type of security incident. The variation is rather significant because the calculation differs according to changes in each factor considered and in the probabilities and losses attributed to the events.

Certain factors were not even considered by the study, such as cyber risk insurance. Some insurers look to see if there is a robust awareness program to calculate the premium. Therefore, companies taking out this type of insurance can directly benefit.
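To make the criteria above concrete, here is an added example (not the Osterman Research model itself, whose exact formulas the post does not reproduce) of how such an ROI estimate is typically assembled: each incident class gets an annual probability and a loss (direct losses plus repair cost), the program is assumed to reduce that probability by some fraction, and the avoided expected loss is compared with the program cost plus employee time. All figures, the `reduction` factors and the hypothetical "small organization" profile are constructed assumptions; the point is to show why the result swings so much when those inputs change.

```python
from dataclasses import dataclass


@dataclass
class IncidentClass:
    """One class of security event in the ROI model (all values are assumptions)."""
    name: str
    annual_probability: float  # chance of at least one such event per year, without the program
    loss: float                # direct losses from the attack or outage
    repair_cost: float         # maintenance and repair after the event
    reduction: float           # fraction by which the awareness program cuts the probability


@dataclass
class Program:
    """Cost side of the model: licence/content cost plus employee time."""
    program_cost: float        # cost of the awareness program itself
    employees: int
    hours_per_employee: float  # time each employee spends on the program per year
    hourly_cost: float         # fully loaded hourly cost of an employee


def expected_annual_loss(incidents, with_program):
    """Probability-weighted annual loss across all incident classes."""
    total = 0.0
    for inc in incidents:
        factor = (1.0 - inc.reduction) if with_program else 1.0
        total += inc.annual_probability * factor * (inc.loss + inc.repair_cost)
    return total


def program_total_cost(program):
    """Program cost plus the salary cost of the hours employees spend on it."""
    return program.program_cost + program.employees * program.hours_per_employee * program.hourly_cost


def awareness_roi(incidents, program):
    """ROI = (avoided expected loss - total program cost) / total program cost."""
    avoided = expected_annual_loss(incidents, False) - expected_annual_loss(incidents, True)
    cost = program_total_cost(program)
    return (avoided - cost) / cost


def roi_sensitivity(incidents, program, scale_factors):
    """ROI when every reduction factor is multiplied by each scale in scale_factors.

    Shows how strongly the outcome depends on how effective the program is assumed to be.
    """
    results = {}
    for scale in scale_factors:
        scaled = [
            IncidentClass(i.name, i.annual_probability, i.loss, i.repair_cost,
                          min(1.0, i.reduction * scale))
            for i in incidents
        ]
        results[scale] = awareness_roi(scaled, program)
    return results


# Constructed profile of a hypothetical 100-employee organization (not real data).
SMALL_ORG_INCIDENTS = [
    IncidentClass("minor phishing incident", 0.6, 20_000.0, 5_000.0, 0.5),
    IncidentClass("major incident (e.g. BEC payment)", 0.1, 300_000.0, 50_000.0, 0.4),
]
SMALL_ORG_PROGRAM = Program(program_cost=5_000.0, employees=100,
                            hours_per_employee=2.0, hourly_cost=40.0)

if __name__ == "__main__":
    print("Expected loss without program:", expected_annual_loss(SMALL_ORG_INCIDENTS, False))
    print("Expected loss with program:   ", expected_annual_loss(SMALL_ORG_INCIDENTS, True))
    print("Total program cost:           ", program_total_cost(SMALL_ORG_PROGRAM))
    print("ROI:                          ", round(awareness_roi(SMALL_ORG_INCIDENTS, SMALL_ORG_PROGRAM), 3))
    for scale, roi in roi_sensitivity(SMALL_ORG_INCIDENTS, SMALL_ORG_PROGRAM, [0.5, 1.0, 1.5]).items():
        print(f"  reduction x{scale}: ROI {roi:.2f}")
```

With the constructed inputs the program avoids 21,500 in expected annual loss against 13,000 in total cost, an ROI of about 65%; halving or raising the assumed effectiveness moves the figure far more than the program cost does, which is the same sensitivity the post describes for the 69% to 562% range.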

If the CFO takes legal compliance and financial governance issues into account, there are even more key points. In the United States, the SEC – the authority responsible for regulating companies with shares listed on stock exchanges, as the CVM is in Brazil – adopted a rule in 2023 that requires documentation of the measures taken to prevent security incidents. The regulators believe that the risk management and cybersecurity program can influence investors' decisions.

In Brazil, the General Data Protection Law (LGPD, in Portuguese) also requires companies to provide instructions to employees on protecting personal data, so dropping an awareness program could lead to a legal setback in incident-related actions. In Europe, the General Data Protection Regulation (GDPR) contains similar provisions.

Even if the company does not have to follow these rules itself, customers and partners may require an awareness program in their supply chain. In these cases, the awareness program strengthens the company's position in the market.

Financial fraud

Another relevant aspect for CFOs is the excessive volume of cyber fraud that specifically impacts financial activities.

Business Email Compromise (BEC) is a type of scam in which the criminal impersonates a company executive or supplier to convince an employee to make a payment to a fake entity, often using a cloned or forged invoice. If the employee is unaware of the deception, the damage to the company can reach millions of dollars.

These BEC scams have already caused over $50 billion in direct financial damage, according to FBI calculations that primarily account for reports from companies in the United States. Market estimates suggest that the total damage caused by cybercrime worldwide – in addition to lost revenue from outages, data theft, and recovery costs – is expected to reach $10 trillion by 2025 and $23 trillion by 2027.

From prevention to response

Awareness programs are most successful when there is visible support from management. This helps promote changes in the company's culture that support the decision-making of other employees and provide the security they need to notify colleagues or managers about suspected fraud, including when they themselves have made a mistake.

The security process includes prevention, detection and response, and it is a misconception to evaluate only the preventive side. Even if it is difficult to prevent all attacks, the awareness program raises the company's resilience and improves the chances that fraud will be detected and contained earlier, thereby mitigating losses.

This is why the CFO's support is so crucial in ensuring that their staff adheres to the program, allowing the company to obtain the benefit and expected return throughout the information security cycle.