The cognitive dissonance of the CFO: “Confident” on cyber resilience but under-briefed

EMEA CFOs are briefed more regularly by their CISOs...

The vast majority of Chief Financial Officers (CFOs) are highly confident in their organisation’s ability to respond to a cyberattack – even though just four out of 10 globally have regular briefings with their security teams.

That’s according to a new survey from Kroll, which found a healthier dose of engagement amongst EMEA respondents. Some 40% of EMEA CFOs were briefed by CISOs monthly (versus 24% of CFOs globally).

The report, published today, emphasised anew just how rife damaging attacks on IT systems are: 71% of the represented organisations had suffered more than $5 million in financial losses stemming from cyber incidents in the previous 18 months; 61% had suffered at least three significant cyber incidents in that time.

(Quite why CFOs were reported to be so confident on cyber resilience despite these losses was not answered by the survey; one possible explanation is the increased investment in security typically made after an incident.)

The Kroll report also highlights the importance of the CFO taking more of an interest in cybersecurity. Not least because attacks can rapidly involve their team, as the chart breaking out incident costs below shows.

[Chart: How the costs of an attack stack up. Credit: Kroll.]

Greg Michaels, Global Head of Cyber Governance and Risk in the Cyber Risk practice at Kroll, said: “We often see that CFOs are not aware enough of the financial risk presented by cyber threats until they face an incident. At that point, it’s clear that they need to be involved not only in the recovery—including permitting access to emergency funds and procuring third-party suppliers—but also in the strategy and investment around cyber both pre- and post-incident. Ultimately, cyberattacks represent a financial risk to the business, and incidents can have a significant impact on value. It is, therefore, critical that this is included in wider business risk considerations. A CFO and CISO should work side-by-side, helping the business navigate the operational and financial risk of cyber.”

The top cause of significant cyber incidents, according to the 180 CFOs and CEOs surveyed, was business email compromise or “BEC”, experienced by 65% of those surveyed. BEC is a form of phishing in which the attacker impersonates an executive, colleague or supplier, typically by spoofing or registering a look-alike domain or by sending from a compromised mailbox, to trick staff into making payments or changing bank details. As The Stack reported this week, such attacks on new employees are particularly rife, powered by the low cost of mining LinkedIn posts for new job announcements and then pulling contact data from brokers and easily accessible third-party sites.
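
The two sender tricks named above, look-alike domains and executive impersonation, are cheap to check for at the mail gateway or in a SOC triage script. The following is an added example, not code from Kroll or The Stack: the trusted domains, the executive name and every sample header are constructed for illustration. It folds common homoglyph substitutions (digits for letters, “rn” for “m”), measures edit distance against the organisation's own domains, and flags a display name that matches an executive but comes from a different mailbox or a Reply-To that leaves the organisation.

```python
"""Flag the BEC sender tricks described in the article: look-alike domains,
executive display-name impersonation and Reply-To hijacking.
Added example with constructed data; nothing here comes from the Kroll survey."""
import unicodedata
from email.utils import parseaddr

# Constructed, hypothetical values: the organisation's own mail domains and the
# executives most likely to be impersonated.
TRUSTED_DOMAINS = {"example-corp.com", "payments.example-corp.com"}
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}


def registrable(domain: str) -> str:
    """Keep only the second-level label and suffix (sub-domains are noise here).
    Assumption: no multi-label public suffixes such as .co.uk in the inputs."""
    return ".".join(domain.lower().split(".")[-2:])


TRUSTED_REGISTRABLE = {registrable(d) for d in TRUSTED_DOMAINS}


def normalize_domain(domain: str) -> str:
    """Fold characters an attacker substitutes so look-alikes collapse onto the
    genuine domain: strip accents, map digit-for-letter swaps, merge 'rn'->'m'
    and 'vv'->'w'. Used only for comparison, never for routing."""
    d = unicodedata.normalize("NFKD", domain.casefold())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    d = d.translate(str.maketrans("0135", "oles"))
    for pair, single in (("rn", "m"), ("vv", "w")):
        d = d.replace(pair, single)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, reply_to: str = "") -> list:
    """Return the reasons a message's sender looks like BEC (empty list = clean)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    reasons = []

    if registrable(domain) not in TRUSTED_REGISTRABLE:
        norm = normalize_domain(registrable(domain))
        for trusted in sorted(TRUSTED_REGISTRABLE):
            if norm == normalize_domain(trusted):
                reasons.append(f"look-alike of {trusted}")
            elif edit_distance(norm, normalize_domain(trusted)) <= 2:
                reasons.append(f"typosquat of {trusted}")

    # Executive name in the display field but a different mailbox: the classic
    # "CEO writing from a personal account" lure.
    exec_addr = EXECUTIVES.get(name.casefold().strip())
    if exec_addr and addr.lower() != exec_addr:
        reasons.append("display name impersonates an executive")

    # A genuine-looking From with a Reply-To outside the organisation is how a
    # spoofed or compromised internal address redirects the conversation.
    if reply_to:
        _, r_addr = parseaddr(reply_to)
        if registrable(r_addr.rpartition("@")[2]) not in TRUSTED_REGISTRABLE:
            reasons.append("Reply-To leaves the trusted domains")
    return reasons


if __name__ == "__main__":
    # Constructed sample headers for a quick stand-alone run.
    samples = [
        ("Jane Doe <jane.doe@example-corp.com>", ""),
        ("Jane Doe <jane.doe@exarnple-corp.com>", ""),
        ("Accounts Payable <ap@example-corp.co>", ""),
        ("Jane Doe <ceo.janedoe@gmail.com>", ""),
        ("Finance <ap@examp1e-c0rp.com>", ""),
        ("Jane Doe <jane.doe@example-corp.com>", "Jane Doe <jane.doe@mail-example.net>"),
    ]
    for from_header, reply_to in samples:
        print(f"{from_header!r:50} -> {classify_sender(from_header, reply_to) or 'clean'}")
```

The normalisation is deliberately lossy (a legitimate domain containing “rn” will fold to “m” too), which is acceptable because it is only used to decide whether a sender deserves a closer look, not to block mail outright; in production the trusted list would also include known suppliers' domains, since invoice fraud impersonates them as often as it impersonates the CEO.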

The survey also offers some insights into what CFOs plan to spend on IT security in the coming fiscal year: 45% said that they will increase their IT budget for information security by more than 10% this year. For outsourced cybersecurity services, nearly half of the respondents will increase their spending by more than 10%. Currently, 75% of respondents outsource between 10% and 50% of their information security budget.

Do you feel the CFO at your organisation is briefed enough and understands cybersecurity?
