CFOs and Cybersecurity: Top Threats and How to Prevent Them

16 Jan 2025

Because cyber attacks represent a significant financial risk to most organizations, CFOs play a critical role in cybersecurity. They work closely with CIOs to prioritize potential threats based on their financial risk, maintain defenses accordingly, and ultimately help mitigate those risks.

Why should CFOs care about cybersecurity?
Cyberattacks can cost organizations in a number of ways. Overall, the average cost of a data breach to organizations worldwide was $4.45 million in 2023, according to a study by IBM and the Ponemon Institute. Nearly 95% of attacks are launched for financial gain, not political, social, or personal reasons, according to the Verizon Data Breach Investigations 2023 report.

Confidential data, such as customer credit card numbers and employee network passwords, is a favorite target. Good old-fashioned cash, accessed through fake vendor invoices, payroll fraud, and ransomware attacks, is also a prime target. Nearly half of senior executives believe that attacks on accounting and financial management are getting worse, according to a 2023 Deloitte Center for Controllership study. There’s also the financial cost of reputational damage from a security breach.

New SEC regulations are getting attention from CFOs. The SEC has adopted rules requiring public companies to provide investors with “decision-useful” information about cybersecurity incidents, along with periodic updates on their cybersecurity programs. The rules also appear to require that a company notify the SEC within four days of determining that a cybersecurity incident is “significant,” meaning one that most investors would consider significant.

Another regulatory mandate is the Federal Information Security Management Act (FISMA), which requires federal agencies in the United States to develop, document, and implement agency-wide security measures. Compliance with the law is primarily the responsibility of the chief information security officer (CISO), but government CFOs should be mindful of its requirements.

Key points

As risk management experts, CFOs must work with CIOs to prioritize cyber threats and defense approaches based on the financial risks to the company.
To assess cyber risks, CFOs must gain a strong knowledge of cyber attack techniques as well as the strategies and techniques used to combat them.
CFOs increasingly contribute to cybersecurity plans, review security budgets, and monitor the effectiveness of security implementations.

Cybersecurity and CFOs explained
CFOs are not cybersecurity experts, but they are risk management experts. This makes them natural allies for the CISO, who is responsible for protecting the organization’s systems and data. CFOs should be consulted on cybersecurity plans, ensuring that they reflect the company’s overall financial risk. Are the systems that process and store the organization’s most sensitive and valuable data adequately protected? Is the organization helping employees spot phishing emails, calls, and other scams? As the most important risk controller, the CFO must be confident that the organization’s level of cyber risk is acceptable.

CFOs also have regulatory reporting obligations that include cybersecurity. They are closely involved in compliance with rules set by the U.S. Securities and Exchange Commission, the European Union’s General Data Protection Regulation, and the California Consumer Privacy Act, among others. CFOs work with general counsel, internal auditors, chief information security officers, and others to ensure compliance. They face questions from the board about disclosing any cyber incidents, as well as annual disclosures on cyber risk management, strategy, and governance.

In the pursuit of compliance, CFOs must balance a number of key factors. For example, the SEC requires disclosure of any “material incidents,” meaning incidents that investors would consider significant. CFOs naturally use financial measures to determine what is material and therefore what should be disclosed, but they must also consider more qualitative factors, such as the reputational impact of even a minor attack on customer information.

Top 5 Cybersecurity Risks for CFOs
In the Internet-first world of business, the “threat vector” available to cyberattackers is expanding as companies roll out applications faster and to more users than ever before. Companies are also increasingly integrating applications with systems from suppliers, partners, and other third parties.

No matter what environments they target, attackers are always testing new ways to evade cyber defenses. CFOs don’t need to understand every technical nuance, but they should understand the techniques that attackers use most effectively. Many attacks are variations on the following five main types.

1. Business Email Compromise
Business email compromise (BEC) is a cyberattack that uses email to manipulate people. For example, attackers attempt to trick recipients into sending money via a fraudulent money transfer request or a fake vendor invoice. These BECs typically target accounting, finance, purchasing, and payroll teams. BEC is a type of phishing attack. Other scams attempt to trick recipients into revealing passwords, providing credit card numbers, or clicking on malicious links.

Abnormal Security, an email security company, reported that in the first half of 2023, BEC attacks increased by 55% over the first half of 2022.

2. Supply chain attack
As the term suggests, supply chain attacks target something a company buys from vendors, typically software. By exploiting a vulnerability in a software product, an attacker can gain backdoor access to every company that uses that software. From there, the attacker can reach private networks and the information assets on them, including intellectual property, customer data, and other sensitive information.

3. Publicly exposed database
A publicly exposed database is a database that powers a public website or application and is not protected by basic security measures such as requiring user credentials, secure configuration, proper security settings, or oversight of database deployment, making it easily accessible from the internet. The rise of remote work during the COVID-19 pandemic has contributed to an increase in unsecured data and resulting attacks. In 2023, Singapore-based security firm Group-IB found nearly 400,000 such databases exposed to the open web. Once the issue became known, it took database owners an average of 170 days to fix it, risking data breaches and follow-on attacks on employees or customers. In a 2022 study by Kroll, 53% of organizations said attacks on exposed databases led to a network breach.

4. Internal threats
An insider is an employee, former employee, contractor, vendor, or other party whose privileged access to a company’s systems and networks could pose a security threat. Insiders fall into two categories: those who intentionally act to bring down a company’s systems and steal data, and those who unintentionally create a security gap because they lack security training or simply fail to follow procedures. The average total cost to an organization of an insider threat incident rose from $15.4 million in 2022 to $16.2 million the following year, according to research by IT vendor DTEX Systems and the Ponemon Institute, based on a sample of organizations across industries and sizes.

5. Ransomware
Ransomware is a type of malware, often delivered via compromised software or spoofed emails, that attackers use to encrypt a company’s data and then demand a ransom to remove the encryption. When ransomware is activated, employees cannot access key systems and data, cannot work, and operations are halted until the organization pays the ransom and access is restored. Some companies decide that paying the ransom is less costly than operational downtime, especially if cyber insurance covers some of the losses. However, there’s no guarantee that once paid, the attackers will provide a decryption key to unlock the data. The average ransom payment in 2023 was $1.54 million, according to security provider Sophos. In October, the Anti-Ransomware Initiative, a U.S.-led group of government agencies in 50 countries, pledged not to pay ransoms to cybercriminals.