Lack of CFO's involvement in cyber security proves costly for firms

The costs of cyberattacks is turning out to be massive for organisations, both in terms of financial damages and in their impact on company valuations. 

A new study shows that nearly three-quarters (71%) of the organisations polled suffered more than $5 million in financial losses stemming from cyber incidents in the previous 18 months, and 61% had suffered at least three significant cyber incidents in that time. 

The study done by independent provider of global risk and financial advisory solutions, Kroll found that one of the key reasons that has triggered these attacks and subsequent losses is that chief financial officers (CFOs) are woefully in the dark regarding cyber security - despite exuberating confidence - and there is little involvement on security strategies and even in their coordination with the company’s IT or security teams.

“We often see that CFOs are not aware enough of the financial risk presented by cyber threats until they face an incident,” said Greg Michaels, global head of cyber governance and risk in the cyber risk practice at Kroll. 

For organisations that had a security incident resulting in a compromise of data or financial impact in the past 18 months, nearly 9 out of 10 of them experienced a financial impact of more than $1 million. Also, more than 7 out of 10 of the executives say their companies suffered a loss of valuation of 5% or more following their largest cyber security incident in the last 18 months, the study shows. 

The survey identified the top financial impact coming from cyber and privacy counsel, followed by vendor costs related to forensic investigations. Next on the list were crisis communications, customer notification and credit monitoring costs, followed by increase of insurance premium, borrowing costs, regulatory penalties, loss of revenue and ransom payment and negotiation costs as the fifth-most-cited impact. Intangible costs cited by respondents were impairment of brand, intellectual property or goodwill; loss of customers; and reputational damage. 

Currently, 75% of respondents outsource between 10% and 50% of their information security budget, as for many companies, the pandemic hit cyber security budgets hard, and security became too difficult and costly to handle in-house, said the study. 

However, CFOs need to keep in mind that outsourcing does not absolve them of responsibility for cyber security. A recent survey by analyst firm Gartner in fact found that extreme “dissatisfaction with the operational inefficiencies and the lack of integration of a heterogeneous security stack” has prompted 75% of organizations to pursue security vendor consolidation in 2022, up from 29% in 2020. 

Gartner said that 57% of organisations are working with fewer than 10 vendors for their security needs, as they are looking to optimise to fewer vendors, especially in specialised areas like secure access service edge (SASE) and extended detection and response (XDR). Echoing similar view, John Watts, vice president, analyst at Gartner said, “Organisations that look to optimize costs must reduce products, licences and features, or ultimately security renegotiate contracts."

That said, Kroll's Michaels believes, it is imperative that CFOs and their finance teams step up their involvement in cyber investment, from planning to prevention and response strategies, and a key part of this is to work in tandem with the IT and security teams, as cybersecurity is not just the responsibility of the IT department. “Failing to do this leaves CFOs out of the loop on cyber issues and threatens the business with significant—and, critically, unexpected—financial consequences,” he said.