×

Uber hack shocker highlights No. 1 external risk cited by CFOs

  • On Wednesday, Uber disclosed a huge hack involving 57 million customers and drivers — and a ransom of $100,000 it had paid to keep the cyberattack quiet.
  • Hacking is now the No. 1 external risk factor cited by corporate CFOs on the CNBC Global CFO Council.
  • Consumer demand and other external risk factors typically cited by CFOs have waned as the global economy strengthens.
Uber's new CEO, Dara Khosrowshahi, replaced Travis Kalanick. On Wednesday, Nov. 22, an Uber hack involving 57 million customers and drivers was revealed. Under Kalanick, the company had hidden the hack for over a year and paid a $100,000 ransom.
Drew Angerer | Getty Images
Uber's new CEO, Dara Khosrowshahi, replaced Travis Kalanick. On Wednesday, Nov. 22, an Uber hack involving 57 million customers and drivers was revealed. Under Kalanick, the company had hidden the hack for over a year and paid a $100,000 ransom.

On Wednesday it was revealed that Uber had hidden a hack involving 57 million customers and drivers for over a year and had paid a $100,000 ransom to hackers. But that sum may be a drop in the bucket compared to what chief financial officers of corporations are fearing that hackers may demand in the future. For the first time, CFOs surveyed this quarter by CNBC cited hacking as the No. 1 external risk factor their corporations face.

Corporate concerns about hacking have been rising for some time as the number of hacks hitting major companies and the scope of the compromised sensitive information has grown, most recently with Equifax.

Just under 28 percent (27.9 percent) of CFOs surveyed by CNBC said that hacking is now the biggest external threat they face. That was well ahead of consumer demand as a risk, which was second in the fourth quarter among risk factors cited, at 18.6 percent.

"For the first time, our own data this year also showed cybersecurity becoming the top concern of compliance officers ... superseding bribery and corruption, which is typically a more prominent worry," said Carrie Penman, chief compliance officer for ethics at compliance software company NAVEX Global, which conducts an annual study of cybersecurity. Penman said CFOs and other corporate officers face a hurdle in getting their corporations to realize the scope of the hacking threat. "One weak spot CFOs are contending with is the board, where our data shows only a quarter of organizations include specific training on cybersecurity for directors."

Speaking at the Cambridge Cyber Summit earlier this year, White House Cybersecurity Coordinator and former National Security Agency official Rob Joyce said, "By any measure you want to use ... [the] trend line is going the wrong way. Whether you look at breaches, whether you look at criminal activity, whether you look at nation-state activity or even, you know, the sanctity of our elections, we've got to worry."

Speaking about how the private sector will deal with hacking, Joyce said they can make no excuses once they are handling private information. "If they're entrusted with our personal information, if they're entrusted with national security information, yeah, it's their obligation. They've got to do the right things." He added, "It's really clear that if you don't pay attention to cybersecurity and you're a manufacturer, you're a vendor, you are going to quickly lose your market share."

Average cost of a corporate data breach is $3.62 million, according to the latest annual Cost of Breach study from the Ponemon Institute, and affects more than 24,000 accounts. Ponemon found that the highest cost of lost business is in the United States, at more than $4 million per hacking incident. The cost per breach was down year-over-year in the 2017 study, but the number of hacked accounts are growing per incident.

The good news: Other risk factors have declined

The CFO survey reveal about the rise in fears about hacking does include a silver lining. Hacking has risen to the No. 1 external risk because more typical C-suite concerns about the economy and business conditions have declined as global growth booms. Consumer demand, which was the No. 1 external risk cited by CFOs in the third quarter (34.3 percent), was almost halved in Q4. The absolute percentage of CFOs citing hacking as the biggest risk factor was slightly higher in Q3 (28.6 percent), but it was still well behind consumer demand among the risks cited.

The "synchronized global growth" that has been a recent narrative in the markets and has made corporations less concerned about core business factors like demand was also evident in other findings from the CNBC Global CFO Council survey. CFOs described conditions in seven of the 11 global regions as "improving" in the fourth quarter. Across the previous three quarters of 2017, the highest number of regions cited as "improving" in condition was four.

In the first quarter of 2017, after Donald Trump's election as President of the United States, hacking was No. 5 among external risks cited by CFOs, behind not only consumer demand but also U.S. trade policy and the U.S. dollar.

"Whether consumer demand is strong or not, these results are consistent with the spike in concerns we are seeing among the chief compliance officers, general counsel and human resources officers working with CFOs and their boards," Penman said.

More CFOs are worrying about hacking than anything else right now — and unlike economic cycles and peaks and valleys in consumer demand, and a political election season — it's a risk that's here to stay.