CFOs in Asia Pacific are rarely informed by information security teams about cyber security risks despite being confident in their company’s ability to respond to an incident, said Kroll recently.
According to Kroll’s 2022 Cyber Risk and CFOs report titled “Over-Confidence is Costly”, 84% of CFOs in Asia Pacific responded that they had more than three security incidents in the last 18 months, compared to 61% globally.
However, only 8% of CFOs in Asia Pacific are briefed monthly by the information security team compared to 24% globally, Kroll noted.
The report was commissioned by Kroll and conducted by StudioID of Industry Dive, which collected responses from 180 senior finance executives worldwide, Kroll said.
The report also indicates that 68% of CFOs in Asia Pacific were extremely confident in their company’s ability to respond to a cyber incident within the next 12 months, compared to 53% who said the same globally.
- 87% of CFOs are either very or extremely confident in their organisation’s cyberattack response. This is at odds with the level of visibility CFOs have into cyber risk issues, given only four out of 10 surveyed have regular briefings with their cyber teams.
- Nearly three-quarters (71%) of the represented organisations suffered more than US$5 million in financial losses stemming from cyber incidents in the previous 18 months, and 61% had suffered at least three significant cyber incidents in that time.
- 82% of the executives in the survey said their companies suffered a loss of 5% or more in their valuations following their largest cyber security incident in the previous 18 months.
- 45% of respondents plan to increase the percentage of their overall IT budget dedicated to information security by at least 10%.
Advice: CFOs to participate in cyber security planning
For CFOs to understand cyber risk and its consequences, regular briefings and a closer alignment of the finance and security teams would raise the visibility and knowledge of cyber risk, said James McLeary, managing director in the cyber risk practice at Kroll.
“CFOs can participate in cyber security planning at multiple layers in the company,” he advised. “They should be fully involved in crisis and incident response planning for cyberattacks.”
Through tabletop exercises, CFOs may take part in a simulated cyber security crisis to map out how they would respond to a real attack, McLeary noted.
Ultimately, this will enable CFOs to understand the overall investment strategy around cyber and evaluate financial risk and possible expenditures, he added.