Planning for the cyber inevitable: 8 business continuity insights for CFOs
When it comes to cyber threats, it’s not a question of if; it’s a question of when. With risks rising and regulations shifting, CFOs are increasingly becoming guardians of business resilience. This isn’t just about finances anymore; it’s about keeping operations steady, protecting revenue and ensuring trust in every part of the business.
Recently, Helen Cox, CFO of Macquarie Technology Group, hosted a roundtable discussion alongside Phil Wallace, Head of Business Continuity at Macquarie Cloud Services. The event brought together CFOs from various leading companies to discuss critical aspects of Business Continuity Planning (BCP). Here are the key takeaways that every CFO should know.
1. The CFO’s role in BCP is critical – and growing.
It’s the era of the so-called digital CFO: the responsibilities of many finance leaders now extend well beyond traditional finance. Cyber risk management, once left to IT, is now a primary focus for CFOs too. A solid BCP requires close collaboration between finance and IT to build a shared understanding of the financial and operational impact of a cyber incident. For example, a ransomware attack isn’t just a data risk; it can halt order processing and billing, cutting off revenue, and damage the brand.
The CFO’s expertise in evaluating these financial impacts is vital. By partnering with IT, CFOs can help quantify the real costs of business interruptions and cyber incidents in financial terms (lost revenue, penalties, recovery spend), offering a more holistic picture of risk and resilience.
2. Focus your efforts to keep the business running.
One critical aspect of BCP for CFOs is understanding which business functions are essential to keep online and for how long. It’s not one-size-fits-all: eCommerce platforms might prioritise keeping the website functional above all, while a logistics company could prioritise systems linked to their supply chain. Finance teams need to work closely with IT to map these priorities accurately.
CFOs focus on financial metrics like revenue at risk or potential penalties, while IT usually prioritises technical recovery objectives like RTO (Recovery Time Objective: how long a system may be unavailable) and RPO (Recovery Point Objective: how much recent data may be lost). The two views describe the same outage from different angles, so every hour of RTO and every hour of RPO should map to a dollar figure. By aligning on these metrics, CFOs can ensure the BCP supports both financial and operational continuity without overextending resources.
3. Balancing preparedness with practicality in your BCP.
Realistic BCP strategies should be cost-effective and sustainable. Ideally, every system would be Tier 1 in a recovery plan – but that’s rarely practical, or affordable. For CFOs, this often means weighing the costs of downtime against the investment in backup measures.
In some cases, temporary manual workarounds, like Excel-based processes, can keep critical functions running during an outage without significant cost, provided the manual records can be reconciled back into the systems once they are restored. As part of the BCP process, always ask yourself: “Are there areas where we can tolerate minor delays or manual steps to save on recovery costs?”
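The trade-off in points 2 and 3 can be made explicit with a small model. The following is an added example, not code from the article or from Macquarie Cloud Services; every system, tier, dollar figure and incident rate in it is a constructed assumption used to show the method, which ranks candidate recovery tiers for each system by expected annual cost (tier spend plus expected outage losses, where RTO hours drive lost revenue and penalties and RPO hours drive manual rework):

```python
"""Added example (not from the article): rank recovery tiers per system by
expected annual cost, so finance and IT argue about the same number.

Every system, tier and dollar figure below is constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class System:
    name: str
    revenue_per_hour: float       # revenue at risk for each hour the system is down
    penalty_per_hour: float       # contractual/regulatory penalty per hour past the grace period
    penalty_grace_hours: float    # outage duration tolerated before penalties start
    rework_per_data_hour: float   # cost to re-key each hour of transactions lost to the RPO
    incidents_per_year: float     # expected disruptive incidents per year (cyber or otherwise)


@dataclass(frozen=True)
class Tier:
    name: str
    rto_hours: float      # recovery time objective: how long the system may be down
    rpo_hours: float      # recovery point objective: how much recent data may be lost
    annual_cost: float    # what IT spends per year to deliver this tier


def incident_loss(system: System, tier: Tier) -> float:
    """Loss from one incident, assuming recovery takes the full RTO and the
    full RPO worth of data has to be reconstructed manually."""
    lost_revenue = system.revenue_per_hour * tier.rto_hours
    penalty_hours = max(0.0, tier.rto_hours - system.penalty_grace_hours)
    penalties = system.penalty_per_hour * penalty_hours
    rework = system.rework_per_data_hour * tier.rpo_hours
    return lost_revenue + penalties + rework


def expected_annual_cost(system: System, tier: Tier) -> float:
    """Tier spend plus expected incident losses over a year."""
    return tier.annual_cost + system.incidents_per_year * incident_loss(system, tier)


def choose_tier(system: System, tiers: list[Tier],
                max_rto_hours: Optional[float] = None) -> Tier:
    """Cheapest tier overall; max_rto_hours models a hard restoration deadline
    (regulatory or contractual) that rules out slower tiers regardless of price."""
    eligible = [t for t in tiers if max_rto_hours is None or t.rto_hours <= max_rto_hours]
    if not eligible:
        raise ValueError(f"no tier meets the {max_rto_hours}h RTO deadline for {system.name}")
    return min(eligible, key=lambda t: expected_annual_cost(system, t))


# Constructed tiers: RTO/RPO tighten and annual spend rises from Tier 3 up to Tier 1.
TIERS = [
    Tier("tier1-active-active", rto_hours=1, rpo_hours=0.25, annual_cost=400_000),
    Tier("tier2-warm-standby", rto_hours=8, rpo_hours=4, annual_cost=90_000),
    Tier("tier3-restore-from-backup", rto_hours=72, rpo_hours=24, annual_cost=15_000),
]

# Constructed systems with deliberately different financial profiles.
SYSTEMS = [
    System("web-checkout", 25_000, 0, 0, 500, incidents_per_year=2),   # revenue-driven
    System("payroll", 0, 5_000, 48, 200, incidents_per_year=1),        # penalty-driven
    System("internal-wiki", 0, 0, 0, 50, incidents_per_year=1),        # tolerates delay
]


def plan(systems: list[System] = SYSTEMS, tiers: list[Tier] = TIERS,
         max_rto_hours: Optional[float] = None) -> dict[str, str]:
    """Map each system name to the tier that minimises its expected annual cost."""
    return {s.name: choose_tier(s, tiers, max_rto_hours).name for s in systems}


if __name__ == "__main__":
    for s in SYSTEMS:
        for t in TIERS:
            print(f"{s.name:14} {t.name:28} {expected_annual_cost(s, t):>12,.0f}")
        print(f"{s.name:14} -> {choose_tier(s, TIERS).name}\n")
```

Run as a script it prints the expected annual cost of every tier for every system and the pick: with these constructed numbers the checkout site justifies Tier 1, payroll lands on Tier 2 because its penalties only start after a 48-hour grace period, and the wiki is cheapest on restore-from-backup. Passing a hard deadline to choose_tier (for example a 24-hour restoration window imposed by a regulator) removes the 72-hour tier from consideration even where it would otherwise be cheapest.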
4. BCP is more than a safety net.
BCP isn’t just about recovering from worst-case scenarios. It can also be a tool to optimise cyber insurance costs. The CFOs at our roundtable discussed how an integrated BCP can actually reduce cyber insurance premiums by demonstrating preparedness and risk mitigation. One participant shared that adopting Macquarie’s Data Vault service as part of their disaster recovery framework helped them avoid paying ransoms, reducing insurance premiums by up to 30%.
With a detailed understanding of potential costs, CFOs can select cyber insurance that complements their BCP, further offsetting expenses associated with cyber incidents.
5. Prevention is better than cure – but plan for both.
A strong BCP starts with prevention. Several CFOs shared their company’s strategies for risk minimisation, like providing employees in high-risk regions with “burner” devices or sandboxed laptops without corporate network access. These proactive measures (as well as a well-defined cyber security strategy with executive-level input) reduce exposure to cyber risks.
However, incidents can still occur, and having a robust BCP to address these situations is critical. The consensus? Prevention and response are two sides of the same coin, and both need to be reflected in any solid business continuity strategy.
6. Regulation is always a moving target.
For CFOs and board members, keeping up with evolving regulatory requirements is a significant challenge. Government standards and responsibilities for board members are shifting, adding more layers of accountability. Our CFOs emphasised the need to regularly review and update BCPs to align with new laws, like Australia’s Security of Critical Infrastructure Act.
CFOs must ensure that BCPs address the current regulatory landscape while remaining flexible enough to adapt to future changes.
7. BCP is not “set and forget”.
One of the biggest misconceptions is that a BCP is a one-time effort. Instead, it’s a living document that needs regular updates and testing to ensure it stays relevant and effective. CFOs should treat BCPs as dynamic strategies that respond to new risks, technological advancements and business growth.
Our guests at the roundtable agreed that periodic reviews, scheduled tests and continuous validation are essential to maintaining a resilient BCP. This mindset shift – from “tick the box” to active oversight – makes a substantial difference in your organisation’s resilience.
8. The hidden risk: Supply chain vulnerabilities.
One participant shared their experience of a cybersecurity audit that overlooked a supplier’s vulnerability, leading to unexpected exposure to a data breach. Supply chain security is a crucial, yet often hidden, component of a resilient BCP. It’s not enough to secure your systems; CFOs must also evaluate the cyber resilience of key suppliers.
Regularly reviewing supply chain contracts, so that they set out breach notification, recovery time and audit obligations, helps stop a supplier’s incident from becoming your outage. Given the rise of third-party dependencies, CFOs must ensure that every link in the supply chain aligns with the organisation’s BCP.
Your BCP is not cyber ready.
Whether it’s caused by a cyber attack or simple human error, a significant IT outage can bring your business grinding to a halt. Business Continuity Planning by Macquarie Cloud Services brings together market-leading advice, support and infrastructure in a single end-to-end service.
We’ll make sure your users, apps, servers and data are always protected and resilient when disaster strikes. Our goal? Making sure that you’re back up and running with minimal downtime, even if the unthinkable occurs.
Let’s make sure your BCP is ready for anything. Reach out to us today at 1800 004 943 or drop us an email at enquiries@macquariecloudservices.com.