
Are CFOs Taking Cyber Risks Lightly? 

A recent Kroll survey suggests they may be, and that in most cases the casual approach stems from a lack of information rather than a considered judgement of the risk

Kroll, an independent global risk and financial advisory firm, today called out CFOs for being largely uninformed about cybersecurity, saying that most of them are confident about the security of their business data not because of any evidence but because they lack adequate information. The survey covered 180 senior finance executives across several countries.

Kroll's report, titled Cyber Risk and CFOs, calls out this overconfidence and the resulting casual attitude toward the company's ability to respond to an incident. "Our CFO cybersecurity survey has shown that Chief Financial Officers are highly confident in their companies' abilities to ward off cyber security incidents, despite being somewhat unaware of the cyber vulnerabilities their business faces," it said.

Eighty-seven percent of the surveyed executives expressed this confidence, yet 61% of them had suffered at least three significant cyber incidents in the previous 18 months. Moreover, they admitted to being out of the loop: 6 out of 10 were not regularly briefed by their cyber team, and nearly 4 out of 10 had never received such an update, according to the report.

The report, commissioned by Kroll and conducted by studioID of Industry Dive, identified three key themes among the 180 senior finance executives surveyed worldwide:

  • Ignorance is bliss. Eighty-seven percent of CFOs are either very or extremely confident in their organization’s cyberattack response. This is at odds with the level of visibility CFOs have into cyber risk issues, given only four out of 10 surveyed have regular briefings with their cyber teams.
  • Wide-ranging damages. Nearly three-quarters (71%) of the represented organizations suffered more than $5 million in financial losses stemming from cyber incidents in the previous 18 months, and 61% had suffered at least three significant cyber incidents in that time. Eighty-two percent of the executives surveyed said their companies suffered a loss of 5% or more in valuation following their largest cyber security incident in the previous 18 months.
  • Increasing investment in cyber security. Forty-five percent of respondents plan to increase the percentage of their overall IT budget dedicated to information security by at least 10%.


"Ignorance is bliss" seems to be the motto

Greg Michaels, Global Head of Cyber Governance and Risk in the Cyber Risk practice at Kroll, said: “We often see that CFOs are not aware enough of the financial risk presented by cyber threats until they face an incident. 

At that point, it’s clear that they need to be involved not only in the recovery—including permitting access to emergency funds and procuring third-party suppliers—but also in the strategy and investment around cyber both pre- and post-incident. 

Ultimately, cyberattacks represent a financial risk to the business, and incidents can have a significant impact on value. It is, therefore, critical that this is included in wider business risk considerations. A CFO and CISO should work side-by-side, helping the business navigate the operational and financial risk of cyber.”

David Ball, Managing Director in the Valuation Advisory Services practice at Kroll, said: “Cyber incidents have the potential to cause material damage or impairment to the assets of a company, particularly intangible assets, including intellectual property, customer relationships and brand. It is important for CFOs to understand the impact of cyber incidents on these assets and be in a position to assess and quantify the financial impact and potential risks to the company.”

