Professional ethics means holding yourself and your organization to a high standard of conduct, such as aligning with the principles outlined in the IMA Statement of Ethical Professional Practice. In addition, professionals are tasked with protecting their organization from bad actors. That includes dealing with cybersecurity risks and challenges, especially since corporate boards often expect the CFO, finance manager, or controller to oversee not just the finance function but also IT responsibilities and controls. Those responsibilities have a strong ethical component. The IMA Statement dictates that professionals uphold the principles of competence, confidentiality, integrity, and credibility in their own conduct and do whatever they can to protect their organization’s stakeholders from unethical individuals who violate those principles.
RISING COSTS
The stakes couldn’t be higher. The average cost of a data breach was relatively stable before the pandemic, hovering around $3.86 million since 2015, but as COVID-19 spread worldwide last year the average cost of being hacked rose by almost 10%, the largest year-over-year increase IBM has recorded. Cybersecurity Ventures predicts that damages from ransomware attacks, in which cybercriminals encrypt or steal a company’s data and hold it hostage until a ransom is paid, will surpass $20 billion this year, 57 times the 2015 figure, which would make ransomware the fastest-growing type of cybercrime.
Catastrophic financial risks aside, strong cybersecurity is necessary to maintain stakeholders’ trust in an organization and confidence in its digital infrastructure and controls while reinforcing fundamental values such as equality; fairness; protection from reputational, economic, and emotional harm; data access rights; and privacy or confidentiality.
Despite technological defenses such as encryption, TLS (the successor to secure sockets layer), digital IDs, and firewalls, cybersecurity is becoming a more daunting challenge because cyberattacks, which often breach the confidentiality of employees and other stakeholders, are growing more sophisticated. Cybercriminals now deploy automated scripts and lures that mimic legitimate human correspondence well enough to deceive careful, well-intentioned people.
In addition to the surge of ransomware attacks, a fraud trend that emerged during the pandemic was a rise in the share of cyberattacks in which the attacker logged in with correct credentials, that is, with a valid username and password rather than by breaking in. This could be related to the increase in COVID-19-themed phishing scams that harvest passwords. Breaches that expose user data, a clear and gross violation of the principle of confidentiality, are a common occurrence.
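Because a login with correct credentials succeeds, it leaves no failed-authentication trail to alert on; what gives it away is context, such as a valid password arriving from a device the user has never used, or one source address logging in to many accounts in quick succession. The following Python is an added illustration of those two checks and is not code from the article or from any product; the log format, the field names, the five-minute window, and the three-account threshold are assumptions chosen for the example, and the log lines are constructed.

```python
"""Flag successful logins that look like account takeover or credential stuffing.

Added illustration only: the log format, field names and thresholds below are
assumptions for the example, not taken from the article or any product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, source IP, result, user agent.
# The burst from 198.51.100.7 is a scripted login wave using stolen passwords.
SAMPLE_LOG = """\
2021-03-01T09:00:00 alice 203.0.113.10 success Chrome/Win
2021-03-01T09:05:00 bob 203.0.113.11 success Firefox/Mac
2021-03-02T09:01:00 alice 203.0.113.10 success Chrome/Win
2021-03-09T02:14:00 alice 198.51.100.7 success curl/7.64
2021-03-09T02:14:05 bob 198.51.100.7 success curl/7.64
2021-03-09T02:14:09 carol 198.51.100.7 success curl/7.64
2021-03-09T02:14:12 dave 198.51.100.7 failure curl/7.64
"""


def parse(log: str) -> list:
    """Parse the constructed log format into one dict per line."""
    rows = []
    for line in log.splitlines():
        ts, user, ip, result, agent = line.split(maxsplit=4)
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "ip": ip, "result": result, "agent": agent})
    return rows


def new_device_logins(rows: list) -> list:
    """Successful logins from an (IP, user agent) pair the user has never used.

    A correct password from an unfamiliar device is the signature of an
    account takeover: the credential is valid, so the login itself succeeds.
    Users with no history yet are not flagged (nothing to compare against).
    """
    seen = defaultdict(set)
    alerts = []
    for r in sorted(rows, key=lambda r: r["ts"]):
        if r["result"] != "success":
            continue
        device = (r["ip"], r["agent"])
        history = seen[r["user"]]
        if history and device not in history:
            alerts.append((r["ts"], r["user"], r["ip"], r["agent"]))
        history.add(device)
    return alerts


def credential_stuffing_ips(rows: list, window: timedelta = timedelta(minutes=5),
                            min_accounts: int = 3) -> dict:
    """Source IPs that log in successfully to min_accounts distinct users within window.

    Per-user checks miss this pattern; it is only visible when events are
    grouped by source. Returns {ip: set_of_users} for each flagged IP.
    """
    by_ip = defaultdict(list)
    for r in rows:
        if r["result"] == "success":
            by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda r: r["ts"])
        for i, start in enumerate(events):
            users = {e["user"] for e in events[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_accounts:
                flagged[ip] = users
                break
    return flagged


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    for alert in new_device_logins(rows):
        print("new device:", alert)
    for ip, users in credential_stuffing_ips(rows).items():
        print("credential stuffing from", ip, "->", sorted(users))
```

On the constructed log, the per-user check flags alice and bob logging in from the unfamiliar curl client, but not carol, who has no history; the per-source check catches carol anyway, because 198.51.100.7 reached three accounts within five minutes. Neither check depends on a failed login, which is the point: with correct credentials there may be none.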
COLLABORATION IS KEY
While it’s imperative that the IT team keeps cybersecurity top of mind, finance professionals should also keep it on their radar screen to fulfill their obligations to protect their organization’s stakeholders from fraudsters. To combat fraud effectively, interdepartmental communication, especially between the finance function, risk management specialists, compliance officers, and IT professionals, can help a company tremendously. In addition to regular reminders about the organization’s code of conduct/ethics, it’s important to share information about controls and fraud-prevention initiatives with personnel across the organization.
Every department has its own goals, but everyone should share the same goal of protecting themselves and their organization from cybercriminals. Working toward that objective must be a collaborative cross-departmental effort that’s grounded in ethics and cybersecurity best practices.
LOOK FOR RED FLAGS
Be on the lookout for red flags indicative of a potential cyberattack. Well-prepared fraudsters run phishing scams that try to install malware onto computers to steal individuals’ personal data, take control of their machines, or convince them to make a payment. They may first send a preliminary plain-text email with no attachments or links, so nothing trips a security filter, simply to draw a reply. Once the victim responds, the attacker has confirmed that the address is live and has learned the organization’s email format, signature layout, and tone, all of which make the follow-up lure more convincing.
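The red flags in such a probe are structural rather than content-based: a colleague’s display name on an address that isn’t theirs, a sender domain one character away from the real one, a Reply-To that steers the conversation elsewhere, and a link-free message whose only purpose is to get a reply. The Python below is an added example, not code from the article, that checks a raw message for those four signals; the organization domain, the staff directory entry, the cue-word list, and both sample messages are constructed assumptions for the example.

```python
"""Score an inbound email for the red flags described above.

Added illustration only. The organisation domain, the directory entry, the
cue list and both sample messages are constructed assumptions, not data
from the article.
"""
import email
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                           # assumed home domain
DIRECTORY = {"Jane Doe": "jane.doe@example.com"}     # assumed staff directory
# Cues typical of a probe that wants a reply or a payment rather than a click.
CUES = ("are you available", "quick favor", "urgent", "wire", "payment",
        "invoice", "gift card")

# Constructed: a plain-text first-contact probe from a lookalike domain.
PROBE_EMAIL = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-example.net
To: ap@example.com
Subject: Quick question

Are you at your desk? Need a quick favor, are you available?
"""

# Constructed: ordinary internal mail that should raise nothing.
BENIGN_EMAIL = """\
From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Lunch

See you at noon.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Domain part of an address header such as 'Name <user@host>'."""
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def red_flags(raw: str, our_domain: str = OUR_DOMAIN, directory: dict = DIRECTORY) -> list:
    """Return human-readable red flags found in one raw message (headers + body)."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rsplit("@", 1)[-1].lower()
    flags = []

    # 1. A known colleague's display name on an address that is not theirs.
    if name in directory and addr.lower() != directory[name].lower():
        flags.append(f"display name '{name}' but address {addr} does not match the directory")

    # 2. Sender domain is an external lookalike of ours (one or two edits away).
    if from_dom != our_domain and levenshtein(from_dom, our_domain) <= 2:
        flags.append(f"lookalike sender domain {from_dom}")

    # 3. Replies are steered to a different domain than the visible sender.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_dom:
        flags.append(f"Reply-To domain {domain_of(reply_to)} differs from sender domain {from_dom}")

    # 4. The reconnaissance probe: no link, just a request to engage.
    body = "" if msg.is_multipart() else msg.get_payload()
    text = body.lower()
    if "http" not in text and any(cue in text for cue in CUES):
        flags.append("plain-text message with no links that solicits a reply")

    return flags


if __name__ == "__main__":
    for label, raw in (("probe", PROBE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, "->", red_flags(raw) or ["no red flags"])
```

The probe trips all four checks while the benign message trips none. A mail gateway would add checks this example omits (SPF/DKIM/DMARC results, sender reputation); the value of the four above is that they remain meaningful even when a message carries no payload at all.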
Fraud such as an account takeover also lands on the finance function. For example, if a user account on your platform is breached and its value, such as reward points or a stored balance, is stolen, accounting professionals must reconcile and book the losses.
Companies should store only the sensitive data they need to do their jobs and anonymize or pseudonymize it whenever possible to minimize cyberfraud risk. The less compromising data a company holds, the less damaging a potential breach will be. Keep in mind that some breaches originate with data held by vendors or partners, so vetting their cybersecurity controls is important too.
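In practice, data minimization is two steps: drop every field the workflow doesn’t need before the record is stored, then replace or mask the identifiers that must be kept. The Python below is an added example, not code from the article, showing both steps on a constructed customer record; the list of required fields and the sample record are assumptions for the example. One caveat a practitioner should keep in mind: a keyed hash (HMAC) is pseudonymization, not anonymization, because whoever holds the key can still link a token back to a person, so the key has to be kept outside the data store it protects.

```python
"""Keep only the fields a workflow needs and pseudonymize what it keeps.

Added illustration only; the field list and sample record are constructed
assumptions, not the article's data. Keyed hashing (HMAC) is
pseudonymization, not anonymization: whoever holds the key can still link a
token back to a person, so the key must live outside the data store.
"""
import hashlib
import hmac

# Assumed: what a reconciliation workflow actually needs from a customer record.
REQUIRED_FIELDS = frozenset({"customer_id", "email", "card_number", "balance"})

# Constructed sample record as it might arrive from a vendor or platform export.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "Alice Example",
    "email": "Alice@Example.com",
    "ssn": "123-45-6789",
    "card_number": "4111111111111111",
    "date_of_birth": "1980-01-01",
    "balance": 250.75,
}


def pseudonymize(value: str, key: bytes) -> str:
    """Stable keyed token for an identifier: same input and key give the same token.

    Normalising case and whitespace first keeps 'Alice@Example.com' and
    'alice@example.com' linked to one token.
    """
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def mask_card(pan: str) -> str:
    """Keep only the last four digits, enough to match a card on a statement."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]


def minimize(record: dict, key: bytes, required: frozenset = REQUIRED_FIELDS) -> dict:
    """Drop everything not required, then pseudonymize or mask what remains."""
    out = {k: v for k, v in record.items() if k in required}
    if "email" in out:
        out["email"] = pseudonymize(out["email"], key)
    if "card_number" in out:
        out["card_number"] = mask_card(out["card_number"])
    return out


if __name__ == "__main__":
    # In practice the key comes from a secrets manager, never from the data store.
    demo_key = b"demo-only-key"
    print(minimize(SAMPLE_RECORD, demo_key))
```

The stored record ends up with no name, national ID, or date of birth, an email token that can still be joined across records by anyone holding the key, and a card number reduced to its last four digits. If that store is later breached, the attacker gets far less to monetize, which is exactly the trade the paragraph above describes.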
Leaders may have to assess whether their organization’s code of conduct needs to be updated to include cybersecurity issues. For example, the Information Systems Security Association has a code of ethics. While such a code is necessary, no such list can encompass all scenarios that people may face. Thus, professionals must reflect on the risks, benefits, trade-offs, and stakeholder interests related to each individual case and make a well-reasoned ethical judgment about the best course of action.
Even companies with strong controls and robust ethics, risk management, and compliance programs sometimes fall short in their cybersecurity initiatives and become victims of a cyberattack involving a data breach, after which they must fulfill ethical and legal obligations. For one, the incident must be reported promptly, with notification to anyone whose data or credentials were stolen. Leaders who fear lawsuits, reputational damage, and questions about their company’s ethical standards may be tempted to delay disclosure, but that leaves stakeholders exposed to further harm such as identity theft and financial losses. When your company’s data is compromised, delaying a public announcement is unethical and only exacerbates the negative consequences.
When it comes to cybersecurity, it would behoove finance professionals to think beyond their own role and personal ethical conduct to consider how they can protect themselves and their organization from external threats, including cybercriminals. Prioritizing cybersecurity to ensure the confidentiality of the data that your organization collects from all of its stakeholders is an ethical mandate.
September 2021