Management accounting and finance professionals have a role to play in establishing agile cybersecurity response plans that effectively balance the need for transparent communication with shareholders, customers, regulators, and law enforcement while adequately protecting the company. These plans need to explicitly consider responses to cyber threats such as password sharing, phishing, social engineering, malware, and ransomware. In the case of the latter, senior leaders must weigh the pros and cons of paying a ransom to attackers, both the immediate impact and long-term consequences, according to Nick Seaver, cyber risk partner at Deloitte.
A related ethical issue is collecting and analyzing personal and sensitive information only to the necessary extent and where there’s a legitimate purpose for the benefit of the company. This includes considering how to protect the collected data, manage it with third parties, and protect individuals’ rights to be forgotten and to privacy in some jurisdictions, Seaver notes.
Ensuring that network monitoring activities are proportional to the risks and are conducted with a well-defined and legitimate purpose, such as detecting insider security threats or ensuring policy compliance, has an ethical component to it as well. Seaver says to consider whether you need to communicate the purpose and extent of monitoring to employees, how to monitor computer usage in a fair and unbiased manner, how to avoid practices that could lead to discrimination or unjust treatment of individuals, and how to balance the need to monitor network activity to protect the company with respect for employees’ privacy rights.
It’s important to conduct responsible ethical hacking assessments to identify and address potential weaknesses in information systems and networks with the appropriate consents and in compliance with relevant laws and regulations. In addition, it’s vital to notify affected parties of any vulnerabilities in a timely and responsible manner and consider how long they need to address the issue before public disclosure for the greater good.
It’s often necessary to make ethical decisions when responding to cyberattacks, such as whether to engage in active defense measures, share information with law enforcement, or negotiate with attackers about ransom payments. The potential consequences and legal implications of each decision should always be considered.
“Research vulnerabilities and develop exploits, ensuring that the discovery and development are conducted ethically, with a focus on enhancing security and minimizing potential harm to individuals, organizations, and critical infrastructure,” Seaver says. “Balance the need for sharing knowledge to improve security while avoiding intentionally or inadvertently allowing malicious attackers access to high-risk exploits.”
Ethics and Cybersecurity Go Hand in Hand
Addressing potential security risks posed by employees or contractors, aka insider threats, in an ethical manner, respecting privacy rights while implementing necessary controls, and monitoring measures should all be on a professional’s checklist. Other considerations include balancing network monitoring so activities are proportionate to the risks to the company and deciding whether employees need to be informed of the monitoring, Seaver says.
“Conduct authorized security assessments and penetration tests, ensuring that these activities don’t inadvertently cause harm, violate legal guidelines, or infringe upon the rights of system owners and users,” he says. “Decide when and how to disclose discovered security vulnerabilities while considering the potential risks and benefits, such as providing affected parties time to patch [them] before public disclosure and the possibility of malicious hackers exploiting the vulnerability once disclosed.”
Cyber incidents and responses can have severe financial implications, including operational disruption, regulatory fines, and reputational damage. The ethical challenges faced by cybersecurity professionals in managing incident response and disclosure are also relevant to finance teams, which need to consider the financial impact of a cyberattack and make difficult decisions around uncomfortable aspects of cyberattacks such as ransomware payments, Seaver notes.
“The finance function typically handles sensitive financial information and needs to work with cybersecurity professionals to ensure it’s adequately protected, including personal data privacy considerations and regulatory compliance,” he says. “The finance function is particularly susceptible to insider threats and fraud, which could lead to significant financial losses or reputational damage.”
Finance and cybersecurity professionals need to work together to address these risks ethically and effectively, aligning with the CFO’s responsibility to maintain financial integrity and safeguard the company’s assets. CFOs are responsible for managing financial risks, which includes agreeing on resources for cybersecurity investments. Cybersecurity professionals need to work with the CFO and other accounting and finance professionals in prioritizing risk mitigation investment decisions that balance security, risk reduction, and budgetary constraints.
Professionals’ Ethical Obligations
Adhering to the highest standards of professional integrity and honesty, avoiding conflicts of interest, and reporting any unethical activities or security breaches promptly and accurately form an ethical foundation for management accountants and cybersecurity professionals alike, Seaver says. Be transparent with senior management about potential risks and vulnerabilities within the organization.
Another important obligation is helping to safeguard sensitive information, including client data, and ensuring that the organization has controls to prevent unauthorized disclosure, modification, or access. Organizations must respect the privacy rights of colleagues, clients, and the public, and adhere to industry-specific regulations and standards.
“Foster a secure environment within the organization by implementing robust security measures, learning from cyber incidents or near misses, and promoting a culture of security awareness and ethical behavior among colleagues,” Seaver says.
Companies should continuously develop and maintain professional cybersecurity expertise and stay informed about emerging threats, vulnerabilities, and best practices specific to the industry, he says. It’s also important to share this knowledge with colleagues as appropriate to help strengthen the organization’s security posture.
“Act responsibly when discovering security vulnerabilities, adhering to responsible disclosure guidelines, and work with affected parties to address an issue before publicizing it,” Seaver says. “Balance the need for strong security measures with the ethical obligation to respect individual privacy rights, avoiding overly invasive surveillance or monitoring practices.”
Cultivating an Ethical Culture
Finance leaders can set the right tone by emphasizing the importance of ethics and cybersecurity and demonstrating commitment through their actions and decisions. This includes allocating appropriate resources to cybersecurity initiatives and adhering to cybersecurity policies.
“Visibly participate in organizational cyber training and education, encouraging collaboration between accounting/finance and cybersecurity professionals, and foster a cross-functional understanding of ethical challenges, cybersecurity risks, and cyber budget challenges,” Seaver says. “Foster an environment of open communication where employees feel comfortable discussing ethical dilemmas, reporting potential security incidents, and sharing ideas for improvement.”
A key part of cyber training and education is encouraging employees to report cybersecurity concerns and ensuring that reports are taken seriously and addressed promptly. Also, rewarding employees who exemplify ethical behavior and contribute to the organization’s cybersecurity efforts can strengthen an ethical culture.
“A strong culture of ethics as it relates to cyber can absolutely increase an organization’s level of cybersecurity,” Seaver says. “While having robust technical defenses in place is essential, in cybersecurity, more often than not, humans are the weakest link.”
When employees are committed to ethical behavior, they’re more likely to follow good cybersecurity practices such as not sharing passwords and spotting phishing emails, report potential security concerns, and take a proactive approach to protecting the organization’s assets and reputation. This, in turn, can help to reduce the likelihood of security incidents and minimize the potential impact of any breaches that do occur.
October 2023