Cybersecurity: CFOs Should Set the Tone at the Top

A recent survey of top executives in the middle market has concluded that CFOs should not assume employees are educated about cybersecurity threats.

The survey – “Cyber and Data Security in the Middle Market” – was compiled using data from 316 online survey responses and 5 in-depth interviews. Focusing on companies with annual revenues of between $25 million and $500 million, the survey first asked respondents whether their business activities had been disrupted by cybersecurity issues within the past two years, and then what measures were being implemented to prevent future attacks. Phishing attacks are accelerating in 2017 and the problem will only get worse.

From the responses of the senior finance leaders, it was clear that virtual intrusions are commonplace. Although only 21% of respondents said their business activities were disrupted by hackers in the past two years, 60% admitted having lost time due to dealing with cybersecurity issues, 23% reported a loss of revenue due to a security breach and 19% acknowledged a loss of credibility with customers, suppliers or the public due to an adverse cybersecurity event.

Assumptions about Employee Education Can be Dangerous

One of the key findings of the survey was that more training on recognizing and acting upon cybersecurity threats is required further down the chain of command. CFOs clearly understand the threats from virtual intrusions – 82% agreeing cybersecurity was treated with “appropriate gravity” at the top level of their businesses. However only 24% of respondents felt employees approached cybersecurity with the same level of importance.

Considering that cyberattacks can be targeted at anyone within a business, the conclusion drawn by researchers was that finance leaders should be more pro-active in educating employees, and “set the tone at the top”. That conclusion was supported by findings that only 25% of CFOs feel their employees have access to adequate training and education, and that 46% of CFOs agreed there was room for improvement in their current training regimes.

But Are CFOs Responsible for Setting the Tone?

Most CFOs agree they should have some responsibility for managing cybersecurity. After all, it is often the finance department that suffers the most when a cyberattack is successful. However, only 12% of CFOs center their business's cybersecurity on the finance function. Most (76%) rely on the IT function to organize strategies and manage risks – although acknowledging it is important for the two departments to collaborate.

One of the most important takeaways from the survey was not to solely trust cybersecurity defenses, but to verify them as well. This is where CFOs can take responsibility and set the tone at the top by testing their business's own cybersecurity measures, improving access to employee awareness, and reducing the finance function's vulnerability to cyberattacks by conducting regular audits.

Further Warnings Issued Regarding Tax Season Phishing Scams

The IRS has issued further warnings to payroll and human resources professionals to beware of tax season phishing scams requesting details of company employees.

Despite tax season phishing scams receiving a high profile last year, the IRS has seen a 400 percent surge in phishing and malware incidents so far this tax season – many of the scams targeting payroll and human resources professionals to obtain employee data.

The IRS Criminal Investigation department is reviewing multiple cases in which scammers have tricked people into revealing sensitive data that the criminals can monetize by filing fraudulent tax returns for refunds. The emails appear to come from a high ranking executive and request a list of employees including their Social Security numbers. The IRS released details of three typical tax season phishing scams:

  • Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
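The three IRS samples above share a small set of indicators: a request for W-2s or personal data fields, scoped to all employees, addressed back to the sender, often with urgency. The following heuristic, added here as an illustration and not part of the original article or any IRS tooling, scores a message body against those indicators so a mail filter can route it for out-of-band verification; the rule names, threshold and the benign fourth sample are constructed for the example.

```python
import re

# Constructed sample messages: the three bodies quoted by the IRS in the post,
# plus one benign payroll message to show the heuristic does not fire on it.
SAMPLES = [
    ("Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all "
     "W-2 of our company staff for a quick review."),
    ("Can you send me the updated list of employees with full details (Name, "
     "Social Security Number, Date of Birth, Home Address, Salary)."),
    ("I want you to send me the list of W-2 copy of employees wage and tax "
     "statement for 2015, I need them in PDF file type, you can send it as an "
     "attachment. Kindly prepare the lists and email them to me asap."),
    "Reminder: the Q1 payroll calendar is attached. Let me know if dates conflict.",
]

# Each rule is (hypothetical name, pattern); one rule per indicator the IRS
# samples have in common. Rules are deliberately simple and case-insensitive.
RULES = [
    ("sensitive_forms", re.compile(r"\bW-?2s?\b|wage and tax statement", re.I)),
    ("pii_fields", re.compile(r"social security|date of birth|home address|salary", re.I)),
    ("bulk_request", re.compile(r"\b(all|list of|updated list)\b.*\b(employees?|staff)\b", re.I)),
    ("send_to_me", re.compile(r"\b(send|email)\b.*\b(me|to me)\b", re.I)),
    ("urgency", re.compile(r"\basap\b|urgent|quick review", re.I)),
]


def score_message(body):
    """Return the names of the rules that fire on a message body."""
    return [name for name, pattern in RULES if pattern.search(body)]


def is_suspicious(body, threshold=3):
    """Flag a message for verification by phone when enough rules fire.

    The threshold keeps a lone mention of salary or W-2 (common in legitimate
    payroll mail) from being flagged on its own.
    """
    return len(score_message(body)) >= threshold


def triage(messages):
    """Map each message to its fired rules; used to review a batch at once."""
    return {body: score_message(body) for body in messages}


if __name__ == "__main__":
    for body, hits in triage(SAMPLES).items():
        verdict = "VERIFY" if is_suspicious(body) else "ok"
        print(f"{verdict:6} {hits} :: {body[:60]}...")
```

Because all three scam texts fire at least three rules while the benign reminder fires none, the same rule set would also catch the wire-transfer follow-up described later only if extended with payment-related patterns.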

Scammers Targeting Entities outside the Corporate World

The tax season phishing scams are not exclusively targeted towards corporate organizations with large payrolls. In one case being investigated by the IRS, the payroll of the Virginia Wesleyan College was disclosed to an unauthorized third party by a college employee who believed the phishing email was a legitimate internal request. On discovery of the disclosure, college officials immediately notified the FBI, IRS, state taxing authorities, and affected employees.

Within a month – although not prompted by the Virginia Wesleyan College incident – Governor Terry McAuliffe approved amendments to the state’s data breach notification statute. The amendments require employers and payroll service providers to notify the state’s Office of the Attorney General after the discovery of a breach of computerized employee payroll data that compromises the confidentiality of such data. Notification is required even if the breach does not otherwise trigger the statute’s requirement that the employer or payroll service provider notify residents of the breach.

IRS Warns of New Development in W-2 Phishing Scam

The IRS is warning employers to be aware of a new development in a W-2 phishing scam that combines employee data theft with bogus wire transfers.

The W-2 phishing scam – in which fake emails request details of all employees and their Forms W-2 – first appeared during last year's tax season. Its objective is to collect data that will assist criminals in committing identity theft and filing fake tax returns.

Due to a greater awareness of the W-2 phishing scam within the corporate world – and more safeguards being introduced to identify phishing emails – the IRS reports that many attempts to scam large-scale employers have been unsuccessful. However, criminals are now targeting other sectors such as school districts, tribal organizations and nonprofits.

The new development the IRS wants employers to share with HR and Finance professionals is that cybercriminals are following up their W-2 phishing scam with a further email requesting a wire transfer to a certain account. Some companies have lost thousands of dollars in addition to disclosing their employees' tax details as a result of this scam.

How to Report a W-2 Phishing Scam

In order to protect themselves against data theft and financial loss, the IRS is urging all employers to create an internal policy on the distribution of employee W-2 information and on conducting wire transfers. Employers are also being asked to forward emails identified as W-2-related scams to with “W2 Scam” as the subject of the forwarded email.

In the event that a W-2 phishing scam is successful, the IRS wants employers to report the theft immediately to the Internet Crime Complaint Center, while employees whose identity may have been stolen (usually apparent when a tax return is rejected because of a duplicated Social Security number) should review the actions recommended by the Federal Trade Commission at

IRS Commissioner John Koskinen described the W-2 phishing scam as one of the most dangerous scams he had seen in a long time. He said: “It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.”

Yahoo Verizon Deal Gets $350M Security Breach Haircut

The price Verizon will have to pay to acquire Yahoo has been trimmed by $350 million after revelations of two significant data breaches in 2013 and 2014.

In July last year it was announced that Verizon had won the race to acquire the former web portal juggernaut Yahoo for $4.83 billion. Subject to regulatory and shareholder approval, the deal would see Yahoo integrated with another Verizon acquisition – AOL – to help the telecoms giant become one of the biggest players in the digital marketing industry.

Two months later, news broke that more than 500 million Yahoo accounts had been hacked in a 2014 data breach. In December, worse news was to come when a data breach dating back to 2013 was announced. The breach compromised user email addresses, passwords and dates of birth – data that could allow cybercriminals to locate more sensitive personal information elsewhere online.

Renegotiation of Acquisition Price Saves $350 Million

Following the revelation, the Yahoo Verizon deal was put on hold while the two companies assessed the implications of the data breaches and their possible future impact. Negotiations over a revised acquisition price were also delayed by the involvement of federal, state, and foreign government agencies investigating the hack; but finally a revised deal has been agreed.

On Tuesday, a joint press release revealed the revised price Verizon will have to pay in order to acquire Yahoo is $4.48 billion. Yahoo's CEO Marissa Mayer described the revised deal as “an important step to unlock shareholder value for Yahoo”. Ms. Mayer added that, despite the delays, the two companies have been working on more than 20 integration tracks to “bring Yahoo’s business into the fold”.

“Fair and Favorable Outcome” for Shareholders

Verizon's executive vice president Marni Walden described the revised deal as a “fair and favorable outcome”, and although Yahoo shareholders may be relieved by the news, Verizon's shareholders may be wondering why the haircut did not take more off the deal. Prior to the announcement, speculation existed that Verizon's acquisition costs could have been reduced by up to $1 billion.

As a result of the announcement, shares in Yahoo! Inc. continued on their upward trend to approach $46.00 – more than $10.00 above their price when the Yahoo Verizon deal was first announced last July. The deal is expected to close during the second quarter of the year, with the two companies agreeing to share the legal and regulatory liabilities arising from the data breaches.

A Warning for CEOs and CFOs Everywhere

Although the $350 million haircut could have been a lot worse for Yahoo's Marissa Mayer, the episode should serve as a warning to CEOs and CFOs everywhere to take a keener interest in their organization's cyber-strategy. Investigations are ongoing into how the two cyberattacks occurred and, if it were not for Yahoo's users maintaining their activity levels, the acquisition price could have been much lower.

As a result of the revised deal, Yahoo shareholders will receive about $0.37 less per share. Industry analysts speculated that the result would have been a lot worse for Yahoo shareholders were it not for Verizon deciding that the long-term benefits of the acquisition would be more beneficial than pulling out of the deal altogether.