Failing to Include Finance in Cyber Risk Planning Could be Costly

May 26, 2022 | Heather Bellini

After years of being seen as a niche IT issue, cybersecurity is now a major talking point in boardrooms around the world. But that doesn’t mean that everyone has a seat at the table when it comes to cyber risk planning. CFOs like myself are often not given a voice in important security decisions, despite the massive financial impact an attack can have on the organisation.

To get a more quantified look at the problem, we commissioned Sapio Research to survey how UK-based business leaders and decision-makers view cyber risk, and their role in key issues like ransomware payments.

The results highlighted some extremely dangerous disconnects in how senior management teams view and communicate about risk.

Are CFOs getting the cold shoulder in critical security decisions?

One of the strongest trends our research uncovered is that CFOs are rarely involved in key strategic decisions about cyber risk, often being relegated to rubber-stamping security budgets and little else. Just 12 percent of CFOs said they were actively involved in assessing cyber risk and helping with plans to protect the organisation from threats.

CFOs’ absence from the table was particularly evident – and relevant – when it comes to ransomware. The decision on whether or not to pay a ransom is one of the toughest security judgements a business can make, with big implications for the company’s moral character and an even bigger impact on its bank balance. Yet despite the financial consequences, just 14 percent of CFOs were involved in the final decision on whether to pay.

This exclusion has a knock-on effect on calculating the financial risks of cyber threats. Just over one-third (38 percent) of all respondents, across different roles, were confident they could place a monetary value on their digital assets and on the financial impact of a breach. But nearly half (48 percent) were not confident, either because they were unsure how accurate their assessments were or because they had no accurate assessment of the risk at all.

Our research also found a huge disconnect in the way the company’s risk preparedness is seen. Just 14 percent of CFOs said they were confident their business was well-prepared to withstand a cyber-attack. In stark contrast, 63 percent of CEOs and business owners were confident in their security capabilities.

This perspective from Glenn Murray, CEO at Sapien Cyber, in Security Magazine highlights the dangers of this growing disconnect:

“It is not uncommon for security teams or their executives to be rewarded based on reduction in expenditure vs budget, breeding an alarming culture of penny pinching each year. This short-term thinking is putting organizations in jeopardy, and at risk of everything from data breaches to system hacks. A boardroom, including the CFO, that recognizes the devastating effect a cyberattack can have, both financially and reputationally, will be better placed to protect their ‘crown jewels’ from this new age of cybercriminals.”

Most businesses are not prepared for ransom costs

Ransomware was one of the most prominent examples of this mismatch between risk awareness and confidence. Sixty-one percent of respondents admitted that their business had been hit by a ransomware attack, and 56 percent of those paid the ransom demand.

Those that did pay up were often unpleasantly surprised. On average, respondents said they would be willing to pay around £760,000 to restore their systems – but the actual average paid by those who did was just over £3m. Adding insult to injury, only a third (32 percent) of those who met the demand got all of their data back from the attackers.

More intriguing insights

Organisations and cyber criminals alike are fixated on the bottom line and their ability to make a profit. Getting hit by a serious cyberattack can have huge financial implications, with lost customers, lost operational time, regulatory fines and incident response costs quickly adding up – even before factoring in a ransom demand that, as the figures above show, can run into millions of pounds.

It’s not necessary for the CFO to be a cyber security expert, but they need a seat at the table if the organisation is to have any chance of gaining an accurate picture of its exposure to cyber threats and of the financial impact a breach would have.

To find out more, view the full report's findings here.