Cyber security incidents more common in APAC


Chief financial officers are woefully uninformed about their company’s cybersecurity risks, despite being confident in their company’s ability to respond to an incident, according to a new report from Kroll.

Kroll has released its 2022 Cyber Risk and CFO Report titled Overconfidence is Costly.

The report, commissioned by Kroll and conducted by StudioID of Industry Dive, revealed three key themes among 180 senior financial executives surveyed worldwide:

Ignorance is bliss. 87% of CFOs are either very or extremely confident in their organization’s response to a cyber attack. This contrasts with the level of visibility CFOs have on cyber risk issues, with only four in 10 respondents holding regular briefings with their cyber teams.

Wide range of damage. Nearly three-quarters (71%) of the organizations represented suffered more than $5 million in financial losses resulting from cyber incidents in the previous 18 months, and 61% suffered at least three significant cyber incidents during that time. 82% of executives in the survey said their companies suffered a loss of 5% or more in their valuations after the largest cyber security incident in the previous 18 months.

Increasing investment in cyber security. 45% of respondents plan to increase the percentage of their total IT budget dedicated to information security by at least 10%.


In APAC, 84% of respondents said they had more than three security incidents in the past 18 months, compared to 61% globally. However, only 8% of APAC respondents are informed monthly by their IT security team compared to 24% globally, and 68% of APAC respondents were extremely confident in their company’s ability to respond to a cyber incident in the next 12 months, compared to 53% who said the same globally.

“Cyber security incidents seemed to be more common in APAC,” says James McLeary, managing director in Kroll’s cyber risk practice.

“This may have had an impact on the CFO’s confidence in their company’s ability to respond to an attack. It is intriguing to see that despite the number of attacks occurring, CFOs in APAC rarely receive guidance from the IT security team, perhaps indicating different organizational set-ups in APAC where cyber security and finance are much more insular,” he says.

“Cyber incidents have the potential to cause property damage and harm a company’s assets, including intellectual property, customer relationships and brand. To ensure that CFOs understand cyber risk and its consequences, regular briefings and closer alignment of finance and security teams would increase visibility and knowledge about cyber risk,” says McLeary.

“Therefore, it is recommended that CFOs participate in cyber security planning at multiple levels within the company. They should be fully involved in crisis and incident response planning for cyber attacks.

“Through tabletop exercises, CFOs can participate in a simulated cyber security crisis to determine how to respond to a real attack. Ultimately, this will allow them to understand the overall cyber investment strategy and assess financial risk and possible expenses.”
