Chief financial officers are increasingly becoming an essential part of the conversation about data security, a topic much discussed today as businesses rely more on collection and analysis of “big data” for various aspects of their operations.
It only makes sense that CFOs are deeply involved in data management, since their primary responsibility is to safeguard company assets, and “assets very often include a lot of data, which are very important for the company,” said Jim Sorensen, a partner at Irvine-based Hardesty LLC, a nationwide executive search firm that specializes in financial executive roles.
Sorensen, a finance veteran of more than 30 years, worked as CFO of several businesses before joining Hardesty, through which he held finance chief assignments at a number of companies. Recent assignments include businesses in the energy and healthcare sectors.
Big data can include corporate financial details; customer and vendor-relationship information; medical records; and other sensitive material, said Sorensen, who noted the growing number of firms across sectors that rely on cloud-based data storage services, which can be susceptible to hacking and viruses, among other risks.
The banking industry, for instance, considers data security “a mission-critical aspect” of its business, said Curt Christianssen, CFO of Costa Mesa-based Pacific Mercantile Bancorp. He is also CFO of Irvine-based Carpenter & Co., a bank advisory and private equity firm that owns Pacific Mercantile.
“Immense trust is placed on banks by their customers, not only in safeguarding the funds they place on deposit but the personal information they are required by government regulation to provide to banks in order to establish an account,” Christianssen said. “Keeping our clients’ money and personal information safe and secure is a cornerstone of our business.”
Pacific Mercantile maintains executive committees that focus on operational risks and information technology.
“Oversight and management of data security issues [are] a key charter of these committees, and I as the CFO am a member of those committees,” he said. “As we manage change in our business and within the industry itself, we evaluate the impact on every area of the business, which almost always includes an aspect of information technology and data security. The CFO role here at Pacific Mercantile Bank is integrally enmeshed in this process.”
Data security is particularly pertinent for those whose core business is big data.
It “underpins everything we do as a company,” said Scott Wheeler, CFO of Costa Mesa-based Experian North America, which is part of Dublin, Ireland-based global information analytics firm Experian PLC. The company provides credit reports and scores, as well as other personal and business services.
“From day one on the job, every employee is trained and educated on the importance of their role in protecting consumers and the information they entrust with us,” Wheeler said. “It’s what our clients pay us to do and trust us to do—protect the data we hold and use it in the most beneficial way for consumers and businesses alike.”
Wheeler said data security is integral to his position.
“More and more of my time is focused on allocating resources of people and capital [toward not only] the growth of the business but also to protecting the business from the various risks and threats that arise. Whether it’s working with our risk management teams, internal audit, compliance, or our technology and development teams, they all have a significant role to play in protecting our environment, and it’s my job to help them with the tools and resources they need to be effective.”
Experian has a market capitalization of about $17.2 billion. The company had $4.8 billion in revenue for the year through March 2014, with half of it coming from its North American business. Experian North America is among the largest employers in Orange County, with about 1,400 workers at its Costa Mesa headquarters.
Data-related risk is just as real for startups as it is for large companies.
“As a newer platform, I think the biggest risk is a reputational one,” said Lenny Moon, CFO of Payoff Inc., which aims to help people refinance and pay off credit card debt.
“We take data security very seriously,” he said. “It’s important for a company that’s growing and emerging. I’m looking at all this from the perspective of a startup CFO as opposed to an established larger company CFO. The reputational risk could take the focus away and [cause] people to not trust us. I think that would be the biggest effect on us.”
Payoff, which has its headquarters in Costa Mesa after a move in October from Long Beach, typically asks customers to fill out personal information as they register to use the company’s services, including “financial accounts and information … [and] your specific demographic information,” says its website.
Moon compared a small firm’s data management risk to that of larger companies, pointing to Target Corp., which in late 2013 said that data from about 40 million customer credit and debit cards were stolen.
“Companies that are larger, it’s a big liability issue because there’s going to be a lawsuit,” Moon said. “But they’re already so large that it’s hard to say you’re never going to go to Target again. It’s different if you’re still building your brand. Trust for us as a brand is one of the more important things that we want in terms of building a foundation with our customers.”
Payoff was founded in 2009 by Scott Saunders, a serial entrepreneur in the finance and technology sectors. It’s backed by institutional and individual investors, including New York-based Great Oaks Venture Capital and Jarl Mohn, chief executive of Washington, D.C.-based NPR.
Mohamed El-Erian—former chief executive of Newport Beach-based Pacific Investment Management Co. who worked alongside the firm’s cofounder and former Chief Investment Officer Bill Gross—also is a backer and director on Payoff’s board.
El-Erian left Pimco last year and remains an adviser with the firm’s parent, Allianz.
Payoff’s financial details weren’t available, but Moon said the company is posting fast revenue growth and has increased headcount from 10 employees to about 80 over the past couple of years.
Moon works closely with Chris Hilliard, vice president and head of compliance, who said the firm is “holding ourselves and vendors to a higher standard,” referring to a series of accounting standards known as Service Organization Controls 2 Type II.
“There are numerous compliance standards that organizations may adhere to, such as the Payment Card Industry Data Security Standard,” Hilliard said. “While each standard is unique and many are seen as mostly comparative to the other, achieving the SOC 2 Type II standard at a company our size and at our stage in growth is rare. Many companies do not even look to adhering to an auditing standard until they must.”
“I think it just gets back to the idea that CFO positions are operational and administrative in nature,” Moon said. “It does have ‘financial’ in the title, but the CFO position tends to have the breadth of touching a lot of parts of the organization in order to understand the finances, the assets, the cash-flow-generating assets of the business. You need to touch upon a lot of different things. It’s to ensure that the right steps are being taken from a liability standpoint.”
