CFOs out of cyber security loop

Chief financial officers (CFOs) are woefully uninformed about their company’s cyber security risks, despite being confident in their company’s ability to respond to an incident, according to Kroll.

The global risk and financial advisory solutions provider commissioned StudioID of Industry Dive for the 2022 Cyber Risk and CFOs report, which showed three key themes among the 180 senior finance executives surveyed worldwide.

First, 87% of CFOs are either very or extremely confident in their organisation’s cyberattack response. This is at odds with the level of visibility CFOs have into cyber risk issues, given only four out of 10 surveyed have regular briefings with their cyber teams.

Second, 71% of the represented organisations suffered more than $5 million in financial losses stemming from cyber incidents in the previous 18 months, and 61% had suffered at least three significant cyber incidents in that time. 

Also, 82% of the executives in the survey said their companies suffered a loss of 5% or more in their valuations following their largest cyber security incident in the previous 18 months.

And third, 45% of respondents plan to increase the percentage of their overall IT budget dedicated to information security by at least 10%.

In the Asia-Pacific region, 84% of respondents responded that they had more than three security incidents in the last 18 months, compared to 61% globally. 

However, only 8% of respondents in APAC are briefed monthly by the information security team compared to 24% globally. More than two-thirds (68%) of APAC respondents were extremely confident in their company’s ability to respond to a cyber incident within the next 12 months, compared to 53% who said the same globally.

James McLeary, managing director in the cyber risk practice at Kroll, said cyber security incidents appeared to be more common in APAC and this may have had an impact on CFO confidence in their company’s ability to respond to an attack. 

“It’s intriguing to see that despite the number of attacks happening, CFOs in APAC rarely get briefed by the information security team, perhaps indicating different organisational sets-ups in APAC where cyber security and finance are much more siloed,” said McLeary.

Cyber incidents have the potential to cause material damage and impair the company’s assets, including intellectual property, customer relationship and brand. 

In order for the CFOs to understand the cyber risk and its consequences, regular briefings and a closer alignment of the finance and security teams would raise the visibility and knowledge of cyber risk. 

“It is recommended for CFOs to participate cyber security planning at multiple layers in the company,” said McLeary. “They should be fully involved in crisis and incident response planning for cyberattacks. 

This will enable CFOsx to understand the overall investment strategy around cyber and evaluate financial risk and possible expenditures.