The Importance of Managing Data Risk in the Finance Function
CFOs and controllers play a pivotal role in how companies evaluate and manage data risk. Analyst firm Gartner reports that by 2022, more than 30% of businesses will use financial risk assessments of their data assets to prioritize investment choices for IT, analytics, security and privacy. That needs to include managing data risk in the finance function itself.
With the many ways organizations now have to share information, a persistently difficult issue for the Finance team is how to deal with its own sensitive data, such as financial statements, customer information and personnel records.
The 2021 Financial Services Data Risk Report from Varonis estimates that the financial services industry will suffer the heaviest financial losses from data breaches, at about US$5.85 million per breach.
Lax internal practices are also problematic. Varonis found that, on average, employees in financial services organizations have access to almost 11 million files – and it’s closer to 20 million in larger firms. Almost two-thirds of those surveyed leave more than 1000 sensitive files open for every employee to access – with 20,000 exposed folders per terabyte of data.
Additionally, outside organizations like banks, vendors and potential M&A candidates may require sharing sensitive data for legitimate business purposes. While laws and policies exist that provide some protection, you never really have certainty as to where data could end up, and you have no ability to control it once it is sent. The information that resides outside of the company’s security perimeter is accessible with equal permissions, meaning access is not restricted once someone gains it.
Finance Faces Increased Risk
All of this presents enormous risk. Understanding what the risks and potential costs are is an important component of business planning. How would the company react if information was disseminated to the wrong audience? What could it cost the business? It is human nature to think “it won’t happen to me” or to simply assume that a party erroneously receiving sensitive data will act with integrity and delete the information. But the news cycle is filled with examples of breaches; often there is a strong correlation between the event and the value of the company following the news.
The financial risk is typically the cost of lost revenue, cost of litigation, compliance challenges, privacy regulation penalties, and reputational damage. Lost revenue and litigation costs are tangible impacts that can be measured. What is more difficult is quantifying the probability. On that front, understanding your data’s level of vulnerability is important. If you are SOC 2 compliant, your risk is going to be mitigated by the controls identified within the internal bounds of your system. However, it is difficult to assess probability for data that leaves your repositories. Internal compliance, including SOC 2, cannot address it. Another challenge is that there is a multitude of methods by which to protect assets.
Oftentimes, leaders in organizations think that an increase in spending leads to an overall decrease in risk. That’s not necessarily the case. For example, companies could spend millions on digital rights management (DRM), security information and event management (SIEM), data loss prevention (DLP) and other network controls, and still become breach victims through an application code vulnerability.
The Need for Data-Centric Security
Depending on an organization’s size and industry, cybersecurity can be very complex. New attack methods and new technologies to deal with those attack vectors show up all the time. To maximize efforts at assessing security risk, resources must be allocated so that the most effective tools and strategies, such as data encryption, are being used to protect the most important information assets.
There are some best practices that leaders should follow to manage cyber risk. They should understand where there are exposures in either tools or processes. As technology now permeates the Finance organization, a strong partnership with IT is critical. An important practice is to understand where sensitive data is stored and how access is provided to parties that need it, most importantly outside parties. Company policies and practices often overlook, or have no direct control over, data that goes outside of the organization, so this awareness is important.
Assessing an organization’s cyber risk starts with clearly understanding the company’s risk tolerance. Are you risk tolerant, or extremely risk averse? The answer may differ depending on what needs to be protected. In other words, what level of risk are you willing to accept and still be able to justify and defend to stakeholders? Identifying what the company views as acceptable risk will move it beyond a culture of fear and into one that can focus on execution.