One mini global survey may have caught some CFOs out: throwing money at improving cybersecurity without removing silos could be counter-productive

In a recent survey of 180 senior finance executives (including CFOs and CEOs) across North America, Europe, the Middle East and Africa, and the Asia Pacific region (APAC), respondents were deemed to be woefully uninformed about their company’s cybersecurity risks despite being confident in their company’s ability to respond to a cyber incident.

In APAC, 84% of respondents indicated that they had had more than three security incidents in the last 18 months, compared to 61% globally. Also, 8% of APAC respondents were briefed monthly by the information security team compared to 24% globally. Yet, 68% of these respondents were extremely confident in their organizations’ ability to respond to a cyber incident within the next 12 months, compared to 53% of global respondents.

Overall, three key sentiments were noted among the respondents:

    • Overconfidence without involvement: 87% of CFOs in the survey indicated they were either very or extremely confident in their organization’s cyberattack response, despite only four out of 10 indicating they had regular briefings with their cyber teams.
    • Good awareness of the cyber damage: 71% of the respondents’ organizations had racked up more than US$5m in financial losses stemming from cyber incidents in the previous 18 months; 61% had suffered at least three significant cyber incidents in that time. Also, 82% of respondents indicated their organizations had suffered a loss of 5% or more in their valuations following their largest cybersecurity incident in the previous 18 months.
    • Ready to increase cyber investments: 45% of respondents had plans to increase the percentage of their overall IT budget dedicated to information security by at least 10%.

According to James McLeary, Managing Director of Cyber Risk, Kroll, which commissioned the mini survey: “It’s intriguing to see that despite the number of attacks happening, CFOs in APAC rarely get briefed by the information security team, perhaps indicating different organizational setups in APAC where cybersecurity and finance are much more siloed.”

McLeary suggested that CFOs and their peers be more involved in cybersecurity planning at multiple layers in the company. Ultimately, this will enable them to understand the overall investment strategy around cyber and evaluate financial risk and possible expenditures.