New CFO Study Highlights a Dangerous Disconnect Within UK Businesses in Planning for Cyber-Attacks

May 26, 2022

  • 57% of CFOs report their organisation has been hit by a ransomware attack, but only 12% are actively involved in determining the risk and protecting their organisation from cyber threats.
  • An average of £3 million was paid per attack to ransomware groups, four times the sum expected by those who have not been hit.
  • 56% of CFOs say their organisation paid a ransom for the return of data. One-third admit that the business didn’t receive their data in return.
  • 69% of CFOs think that the board doesn’t take cyber and associated risks seriously enough.

LONDON, UK – May 26, 2022 Deep Instinct, the first company to apply end-to-end deep learning to cybersecurity, today revealed new research highlighting the role executive leadership teams play in their organisations’ cyber defenses. The independent survey was conducted by Sapio Research and engaged over 200 CEOs, senior financial, and IT security decision-makers working at mid to large enterprises in the UK. The findings laid bare the disconnect in how senior management teams collaborate and determine the risks and impact on their operations when hit by a cyber-attack.

CFOs are struggling to play their part in the risk assessment of cyber-attacks on the financial health of their organisations with only 12% of CFOs actively involved in the process. This exclusion has caused confidence to plummet amongst financial leaders, with only 14% of CFOs stating that their business is well-prepared and could withstand a cyber-attack. This implies a significant perception disconnect compared with the 63% of CEOs who feel they are well-prepared.

Additionally, there is a large gap between CFO’s estimates of ransomware demands and the reality of ransomware payments. Despite respondents saying they would only pay, on average, a ransom of around £760,000, the reality is that those survey respondents that did pay ransoms paid more than £3 million, four times higher than predicted. Moreover, for those that paid ransom demands, only 32% were able to recover their data – showing that positive outcomes are far from certain even when cooperating with bad actors.

The research also revealed that studious financial planning is essential to gain a clear picture of the monetary risks that come from cyber-attacks. Only 38% of respondents cited that they are confident in placing a monetary value on the data within their organisation, as well as calculating the potential impact of its loss. Worse, 48% gave answers that reveal a lack of accurate assessments, or no assessments at all.

According to Heather Bellini, Chief Financial Officer at Deep Instinct, “Cyber criminals and organisations usually have a common goal – financial reward – and each day a new ransomware attack hits the headlines one of the first questions amongst executives is, ‘how much is it going to cost to get back the data?’ It is vital for organisations to take the task of quantifying the financial risk of cyber-attacks seriously and ensure it is accurate, otherwise they can fall into the trap of having a false sense of security and being blasé when it comes to the true cost.”

She continues, “This is why it is so important that all senior and strategic roles within the business have an active and equal responsibility in ensuring their business is resilient and well prepared. We talk in the industry about breaking down siloes and cybersecurity no longer being the sole remit of the IT team, but this isn’t translating into meaningful action. Until this changes, organisations will continue to be counting the costs of breaches and lining the pockets of cyber criminals.”

It should come as no surprise that ransomware attacks have a significant impact on business continuity. Nearly two-thirds (61%) of all respondents admitted their business has been hit by a ransomware attack, with 56% paying the ransom. In 29% of the cases where a ransom was paid, the CEO made the decision while the CFO made the decision in just 14% of situations.

Says Guy Caspi, CEO of Deep Instinct, “While it may be shocking to see how prevalent and successful ransomware attacks are, I believe we are only seeing the tip of the iceberg. With nearly two-thirds of organisations admitting to being hit by ransomware, you can’t help but wonder how many have stayed under the radar, especially when it continues to be so profitable for attackers.”

“From a corporate governance perspective, much more needs to be done to ensure that all stakeholders are truly cognizant of not only the risks to their business, but also in the full potential of financial and other business impacts that come from being successfully attacked. It is not enough to assume that your stack of security solutions checks a box and your responsibility is done. Having confidence in your organisations’ ability to block attacks should come from knowing that malicious malware is stopped before it can encrypt, protecting your environment, your customers, your brand, and your bottom line.”

To get your copy of Dangerous Disconnects: The Pitfalls of CFO and CISO Cyber Risk Misalignment, please click here.

Research Methodology

The quantitative survey was conducted among 201 senior financial and senior IT security decision makers in companies with more than 250 employees in the UK. Results are accurate to ± 6.9% at 95% confidence limits assuming a result of 50%. The interviews were conducted online by Sapio Research in April and May, 2022 using an email invitation and an online survey.

The qualitative research was conducted through eight in-depth interviews (IDIs) with CFOs, CROs, and senior risk and financial roles. The interviews lasted up to 45 minutes.

About Deep Instinct

Deep Instinct takes a prevention-first approach to stopping ransomware and other malware using the world’s first and only purpose-built, deep learning cybersecurity framework. We predict and prevent known, unknown, and zero-day threats in <20 milliseconds, 750X faster than the fastest ransomware can encrypt. Deep Instinct has >99% zero-day accuracy and promises a <0.1% false positive rate. The Deep Instinct Prevention Platform is an essential addition to every security stack—providing complete, multi-layered protection against threats across hybrid environments. For more, visit www.deepinstinct.com.

Media Contacts:

Kim Smith / Ellie Turnell
Code Red Communications UK for Deep Instinct
+44 (0) 1276 486000
DeepInstinct@coderedsecuritypr.co.uk

Suzanne van de Raadt
Director, Public Relations, and Executive Communications
1.646.404.4027
suzannev@deepinstinct.com