The report found chief financial officers (CFOs) woefully uninformed about their company’s cyber security risks, despite being confident in their company’s ability to respond to an incident.
The report, commissioned by Kroll and conducted by StudioID of Industry Dive, exposed three key themes among the 180 senior finance executives surveyed worldwide:
- Ignorance is bliss. 87% of CFOs are either very or extremely confident in their organization’s cyberattack response. This is at odds with the level of visibility CFOs have into cyber risk issues, given only four out of 10 surveyed have regular briefings with their cyber teams.
- Wide-ranging damages. Nearly three-quarters (71%) of the represented organizations suffered more than $5 million in financial losses stemming from cyber incidents in the previous 18 months, and 61% had suffered at least three significant cyber incidents in that time. 82% of the executives in the survey said their companies suffered a loss of 5% or more in their valuations following their largest cyber security incident in the previous 18 months.
- Increasing investment in cyber security. 45% of respondents plan to increase the percentage of their overall IT budget dedicated to information security by at least 10%.
In APAC, 84% of respondents reported more than three security incidents in the last 18 months, compared to 61% globally. However, only 8% of respondents in APAC are briefed monthly by the information security team, compared to 24% globally, and 68% of APAC respondents were extremely confident in their company’s ability to respond to a cyber incident within the next 12 months, compared to 53% who said the same globally.
James McLeary, managing director in the cyber risk practice at Kroll, said: “Cyber security incidents appeared to be more common in APAC. This may have had an impact on CFO confidence in their company’s ability to respond to an attack.
“It’s intriguing to see that despite the number of attacks happening, CFOs in APAC rarely get briefed by the information security team, perhaps indicating different organizational set-ups in APAC where cyber security and finance are much more siloed.”
Cyber incidents have the potential to cause material damage and impair a company’s assets, including intellectual property, customer relationships and brand. For CFOs to understand cyber risk and its consequences, regular briefings and a closer alignment of the finance and security teams are needed to raise their visibility into, and knowledge of, that risk.
“Hence, it is recommended for CFOs to participate in cyber security planning at multiple layers in the company. They should be fully involved in crisis and incident response planning for cyberattacks,” continued James McLeary.
“Through tabletop exercises, CFOs may take part in a simulated cyber security crisis to map out how they would respond to a real attack. Ultimately, this will enable them to understand the overall investment strategy around cyber and evaluate financial risk and possible expenditures,” suggested James McLeary.