In 2026, APAC CFOs face a stark reality: AI and cloud expansions are fuelling explosive data-driven growth, yet 76% of regional organisations suffered material cyberattacks in the past year. According to a Cohesity report, the fallout from these incidents included revenue hits (90%), ransom payments (89%, with 40% exceeding US$1M), earnings guidance adjustments at public firms (73%), and private firms diverting growth budgets to recovery (74%). Slow restores (97% taking more than 24 hours) and “data icebergs” expose hidden vulnerabilities.
Cyber resilience is now a core financial imperative. By reallocating budgets toward AI-powered detection, validated recovery, and response capabilities—at least one-third of cyber spend per Cohesity predictions—CFOs protect revenue streams, ensure PDPA compliance, safeguard market confidence, and unlock safe innovation. Financing resilience isn’t a cost; it’s the enabler of sustainable 2026 ambitions.
The data iceberg: What lies beneath your balance sheet
“Most organisations don’t have a fully indexed and understood scanned understanding of their total corpus of data,” observes Eric Brown, CFO and COO at Cohesity. “Hidden in that iceberg of data, you’re going to have a combination of liabilities and assets.”
This metaphor carries profound financial implications. Below the waterline, CFOs may find unsecured PII, sensitive customer records, or intellectual property—each of which represents potential regulatory exposure under frameworks like Singapore’s Personal Data Protection Act (PDPA), which mandates stringent controls on data collection, use, and disclosure.
Conversely, properly catalogued data can be dual-purposed for AI analytics, transforming a liability into a revenue-generating asset.
The World Economic Forum’s Global Cybersecurity Outlook 2026 reinforces this urgency, noting that 87% of respondents identified AI-related vulnerabilities as the fastest-growing cyber risk. For Asia’s finance leaders, the imperative is clear: you cannot protect what you cannot see.
Modelling the true cost of a cyber outage
When Cohesity’s Asia research revealed that 90% of attacked organisations reported revenue impact, Brown urged CFOs to shift their modelling approach: “Assume that you will eventually have a cyber outage… Then ask yourself, what is the value of an investment that allows you to return to operations very, very quickly?”
Rather than debating probability matrices in traditional ERM frameworks, Brown advocates a time-based ROI calculation: if your current recovery time objective (RTO) is 14 days and a resilience investment reduces it to 48 hours, the financial benefit equals 12 days of preserved revenue, profit, or EBITDA.
“Time to return to operation and have an SLA there—I think that’s where you should start your ROI analysis.” (Eric Brown)
This pragmatic lens aligns with PwC’s 2026 Global Digital Trust Insights, which surveyed 3,887 executives across 72 countries and found that advanced organisations integrate cybersecurity directly into business strategy—not as an IT line item, but as a balance-sheet priority.
From audit committee oversight to board-level strategy
Cybersecurity oversight is often within the audit committee’s remit, placing the CFO at the centre of governance discussions.
“If cybersecurity is part of the remit, along with internal accounting controls and the usual things you would expect, then you’re going to need to be extremely engaged with your CIO and CISO,” Brown notes.
His recommendation: establish a multi-functional risk council—including the Chief Legal Officer, infrastructure leads, and engineering heads—to co-own an enterprise risk management framework that maps directly to public disclosures. “If you think internally that a cyber risk has a high likelihood and high economic impact… that should be part of your disclosures,” suggests Brown.
This integrated approach is increasingly critical in APAC, where cybersecurity spending is projected to reach US$90 billion by 2026, growing at approximately 12% annually. Yet budget growth alone is insufficient without strategic prioritisation.
The recovery-first investment framework
With 78% of global organisations planning cyber budget increases in 2026—and Cohesity predicting at least one-third reallocated to response and recovery—Brown advises Asia’s CFOs to prioritise investments that demonstrably accelerate restoration:
- Inventory and classify data assets: Identify the top 20% of data sources containing highly confidential information.
- Validate backup integrity: Require proof that incremental backups run successfully across all critical systems every 24 hours.
- Conduct live restore exercises: Move beyond tabletop scenarios to end-to-end recovery drills that test communication, legal review, and executive notification protocols.
- Deploy air-gapped cyber vaults: Maintain a third, network-disconnected copy of critical data with multi-person quorum release mechanisms—what Brown calls “your absolute bulletproof insurance policy.”
- Engage red-team validation: After internal testing, commission external forensics firms to stress-test defences from an adversary’s perspective.
This maturity model echoes Cohesity’s five-step cyber resilience framework, which emphasises measurable recovery capability over theoretical prevention.
Turning data liability into competitive advantage

“It’s hard to make [cyber resilience] a competitive advantage because… the data that you have at rest is a liability,” Brown concedes. Yet he identifies a pathway to offensive value:
“If you can take your curated protected data and make it available for AI analytics to optimise your business, then what you’ve done is you’ve dual-purposed your data, and you flipped it from a liability to an asset class.” (Eric Brown)
For software vendors and digital-native enterprises, robust cyber resilience can also serve as a differentiator in RFP processes. Brown opines: “If you can emerge as being much more cyber secure and cyber ready as a partner, that could be a deciding factor in winning a new deal.”
This strategic reframing aligns with broader regional trends. As sovereign cloud adoption accelerates across APAC to balance innovation with data control, CFOs who embed resilience into architecture decisions position their organisations to harness AI safely—and profitably.
The CFO’s Q1 2026 cyber resilience checklist
Brown’s actionable guidance for Asia-based finance leaders:
- Demand a complete data inventory from your CIO, CISO, and infrastructure lead—with clear tagging of high-value, high-risk datasets.
- Verify backup SLAs with dashboard evidence that critical systems are protected incrementally and tested regularly.
- Run a live recovery drill on your top two data stores; measure time-to-restore and document process gaps.
- Stress-test governance: Ensure your ERM framework links cyber risk ratings to public disclosures and audit committee reporting.
- Grade yourself harshly: “As a CFO, you have to be one of the toughest graders in the company… See where you are, and then find the most obvious gaps, and backfill the gaps in order of priority.”
Click on the PodChats player to hear the full FutureCFO discussion with Cohesity’s Brown, which covers the following questions:
- With APAC enterprises accelerating AI and cloud investments for 2026 growth, what emerging data vulnerabilities are CFOs most underestimating, and how are these “data icebergs” creating hidden financial risks?
- Cohesity’s recent APAC research shows 76% of organisations faced material cyberattacks, with 90% reporting revenue impact—what specific financial consequences (downtime, ransom, churn, regulatory fines) are CFOs now modelling in their 2026 forecasts?
- What shifting Board expectations are forcing CFOs to treat cyber resilience as a balance-sheet issue rather than an IT line item? Any recommendations for responding to this?
- Based on your observations, how are finance leaders beginning to co-own cyber strategies with CISOs, and which governance frameworks are proving most effective? Is this repeatable in APAC?
- With 78% of global organisations (per PwC) planning cyber budget increases in 2026 and Cohesity predicting at least one-third reallocation to response/recovery, how should APAC CFOs prioritise and phase these investments without derailing growth initiatives?
- What practical checklist can APAC CFOs use in Q1 2026 to audit data risks across hybrid/cloud environments, including ransomware readiness and PDPA compliance?
- How can CFOs quantify and measure the ROI of cyber resilience investments—particularly AI-driven backups and immutable recovery—so they can justify them to boards amid tight capital allocation?
- Given APAC’s position as the region with the highest volume of cyberattacks globally, what unique regional factors (data sovereignty, sovereign cloud trends, regulatory fragmentation) should Singapore-based CFOs factor into their 2026 resilience strategies?
- Looking at organisations that recovered fastest post-attack, what common decision-making traits distinguish “risk-ready” finance leaders from those still exposed?
- For APAC CFOs balancing aggressive 2026 revenue growth targets with escalating cyber threats, any advice on making cyber resilience a competitive advantage rather than a drag on innovation?









