INSIDE·ASEAN

Cybersecurity: A Critical Concern for CFOs in the Philippines

As cyber threats evolve, CFOs in the Philippines are increasingly prioritizing cybersecurity as a core business issue, emphasizing its impact on revenue and trust.

By Paolo Mercado, 5 July 2026, 4 min read

In recent years, the perception of cybersecurity has undergone a significant transformation, particularly among chief financial officers (CFOs) in the Philippines. Traditionally relegated to the IT department, cybersecurity is now recognized as a fundamental business risk that demands attention at the highest levels of corporate governance. Sunil Golecha, finance chief for Japan and Asia-Pacific at Palo Alto Networks, notes that nearly every CFO he encounters now ranks cybersecurity among their top three concerns when engaging with the board.

This shift in perspective aligns with a joint statement issued on June 22 by the cybersecurity agencies of Australia, Canada, New Zealand, the United Kingdom, and the United States—collectively known as the Five Eyes. They emphasized that cyber risk “can no longer be treated as a purely technical issue,” underscoring its status as a core business risk and a leadership responsibility. This sentiment echoes the views of Bernadette Nacario, country manager for Palo Alto Networks in the Philippines, who highlighted that cybersecurity is no longer merely a technical cost but a matter that affects revenue, customer trust, and overall enterprise value.

The urgency of addressing cybersecurity is further illustrated by the rapid pace of cyber intrusions. Philippa “Pip” Cogswell, managing partner for Unit 42 in Japan and Asia-Pacific, reveals that the fastest intrusions can transition from initial compromise to data exfiltration in approximately 72 minutes—outpacing many companies' ability to respond effectively. This reality necessitates that cybersecurity be elevated beyond board-level discussions.

“Cyber risk can no longer be treated as a purely technical issue.”
Joint statement by Five Eyes cybersecurity agencies

As CFOs engage more deeply with cybersecurity issues, they are confronted with critical questions regarding the measurement of return on security investment and the challenge of assuring the board of the company’s security posture. Golecha points out that many CFOs struggle to ascertain how much their organizations spend on cybersecurity, with research indicating that the average enterprise utilizes around 83 security tools from 29 different vendors. This fragmented approach often obscures visibility into security expenditures, complicating financial oversight.

To address these challenges, Golecha advocates for a consolidation strategy, wherein organizations streamline their security vendors to enhance visibility and manage risk more effectively. However, he acknowledges that this approach also concentrates risk, as reliance on fewer suppliers can lead to vulnerabilities. The fundamental issue, he asserts, is not necessarily insufficient spending on security but rather a lack of clarity regarding where that spending is allocated.

“Most CFOs cannot say how much their own company spends on security.”
Sunil Golecha, finance chief, Palo Alto Networks

When considering return on investment, Golecha draws parallels to actuarial analysis used by insurers, suggesting that CFOs should evaluate the financial implications of inaction. For instance, he poses the question: if a company’s systems were to go offline for 30 minutes, what would be the financial repercussions? The answer varies significantly based on the nature of the business and its reliance on digital operations.

For publicly listed companies, the stakes are particularly high. Golecha notes that large firms can experience a loss of 15 to 20 percent of their market value within days of a significant cyber incident, translating to billions in losses. Additionally, in many jurisdictions, directors may face personal accountability if a breach is linked to their failure to meet fiduciary responsibilities, further emphasizing the necessity for cybersecurity to be prioritized at the board level.

In the Philippines, where the majority of businesses are small and medium-sized enterprises (SMEs), the implications of cybersecurity are even more pronounced. Golecha estimates that a defensible cybersecurity budget should be less than 7 percent of revenue for brick-and-mortar businesses, while online enterprises may need to allocate over 10 percent, depending on their exposure. For companies integrating artificial intelligence (AI), he recommends dedicating 8 to 10 percent of the AI budget to security measures, a step that many organizations overlooked during the pandemic-driven rush to cloud adoption.

“A breach can end the going concern assumption for a company.”
Sunil Golecha, finance chief, Palo Alto Networks

For smaller businesses, which often lack extensive resources, Golecha advises a straightforward checklist: control access to systems, secure employee devices, protect web browsers, and safeguard cloud services. He emphasizes the importance of identity management to prevent unauthorized access, highlighting that even small businesses are not immune to cyber threats.

Ultimately, the rationale for investing in cybersecurity is survival. Golecha invokes the concept of a 'going concern,' the assumption that a company will continue its operations indefinitely. A cyber breach can jeopardize this assumption, particularly for smaller enterprises that may lack the resilience to withstand prolonged disruptions. As he illustrates, even a modest coffee shop with a customer loyalty database can become a target for attackers, underscoring the necessity for all businesses, regardless of size, to prioritize cybersecurity.