Today’s finance professionals are being asked to do more in a world where key aspects of business are being conducted online. As they move into the changing finance space, aspiring certified public accountants will now be required to choose from three disciplines to demonstrate deeper knowledge when taking the CPA exam, including business analysis and reporting, information systems and controls, and tax compliance and planning.
The addition of the ISC discipline, which broadly covers cybersecurity-related skills, is “a general reflection of the way that the finance role has changed,” said Karen Walker, CFO of cloud security provider Sysdig. Walker joined the San Francisco, California-based company in December 2021 and has held key executive financial roles for companies including Pandora, Uber Technologies and Virgin America, according to her LinkedIn page.
“I think there is still a very big skill set gap in cybersecurity,” Walker said in an interview, pointing to the emergence of new technologies and a need for skilled talent that can operate in a digital world effectively. “So I think those are the secular tailwinds and the setup for why I believe the AICPA basically came up with this standard, because it's just going to become a bigger, more important thing.”
Addressing the cybersecurity skills gap
The ISC discipline — which concerns information systems and data management-related skills — will be included as part of the updated CPA examination in effect in January, according to information from the American Institute of Certified Public Accountants.
Cybersecurity is landing on the updated CPA exam as companies face not only a shortage of qualified accountants, but a growing threat of cyberattacks such as ransomware, a form of malware which has bled a collective $449.1 million from companies this year as of June, CFO Dive previously reported.
The emergence of generative AI and associated challenges with data privacy and security is another trend shining a spotlight on digital threats, with finance leaders also facing regulatory pressures. The Securities and Exchange Commission recently issued new cybersecurity rules requiring companies to disclose any material breach within four days of determining one has occurred, for example, with CFOs and their IT counterparts scrambling to ensure their companies are in compliance before the agency begins enforcing the regulations on Dec. 18, CFO Dive previously reported.
Companies are also adopting new technologies quicker than ever, with bad actors hot on their heels — meaning businesses must ensure they not only have the proper tools, but also the proper talent to respond to these types of growing threats accordingly.
Given these trends, that the CPA exam has added its cybersecurity discipline is not a surprise; the risk profile is “greater than it’s ever been,” Walker said.
The introduction of new technologies like GenAI is also going to fundamentally change the way finance and accounting professionals work, meaning CFOs will need to reconsider the type of skill sets they need in their finance function to remain effective and competitive.
“When you think about the fact that you could really be leveraging generative AI for forecasting or for closing the books, it doesn't mean that it's a set it and forget it,” Walker said by way of example. “You're going to always need to understand, ‘what are the assumptions that went into the model? Does it make sense?’ But that might require a different skill set, a more analytical skill set, a more tech savvy skill set altogether.”
Speaking the language
Responding to the ever-changing cybersecurity landscape means CFOs will need to “connect with their counterparts in IT and CISOs and understand their language,” Walker said, referring to chief information security officers. “And I think the same [goes] for CISOs…they're also going to need to understand the language of finance.”
For example, many companies are creating specific risk committees to address new cyber challenges, something that has become more of a priority with the introduction of the SEC’s new rules. While the SEC has had prescriptive guidance on cyberattacks since 2011, the rules coming into effect next week have caused many companies to take new looks at their processes and controls, and it’s critical to ensure they are doing so with both a financial as well as a technical eye.
“I think one thing people are grappling with is, ‘okay, security professionals don't really understand what's material,’” Walker said of the SEC’s new cyber disclosure rules. “Finance has been living with this definition of materiality and understanding what it means through the lens of other financial disclosures.”
By bringing that cybersecurity element into the CPA exam, “it's just going to make these finance professionals more capable of dealing with what is increasing risk,” she said.
As IT and finance responsibilities overlap, the controls and the communications between the two fields are the things “that are going to really need to change,” Walker said. Finance professionals may not need to have the deeply technical understanding of a CISO or CTO, but “they do need to understand the risk profile,” she said.
For instance, one of the things that executives need to consider when evaluating if something is material is what the company’s most valued assets are — the “crown jewels,” so to speak. If there is a data breach, CFOs need to be able to determine what data was stolen and what is most important or critical for the business, Walker said.
“That's not something that they can just say, ‘Well, someone else will worry about that,’” she said. “They need to really actually understand that, and understand all of the controls and process around that.”