Given the major financial implications associated with cybersecurity breaches, it would be reasonable to assume that CFOs play a major role in preparing for and responding to cyberattacks. However, a survey released in May suggests that is not the case.
The survey, released by UK-based cybersecurity firm Deep Instinct, reveals that only 12% of CFOs are actively involved in cybersecurity planning, and only 14% of these CFOs believe their businesses are well-prepared when it comes to ‘cyber-resiliency.’ The study, based on a survey of 200 CEOs, senior financial, and IT security decision-makers at medium and large enterprises in the UK, reveals a major disconnect in CFO perspectives when contrasted with the 63% of CEO respondents who indicated their businesses were well-prepared.
The Deep Instinct survey also reveals a disconnect in understanding related to the actual financial implications of cyberattacks. Most notably, attacks are frequently more expensive than senior-level decision-makers expect them to be. On average, survey respondents indicated they would be willing to pay up to £760,000 in the wake of a security breach; however, in reality, those respondents that did pay ransoms paid an average of more than £3 million, four times higher than expectations.
Decisions to be made on cybersecurity
From a decision-making perspective, CFOs, surprisingly, appear to take a back seat in determining whether to pay a ransom and how much, taking responsibility for that decision in only 14% of attack situations. And even when companies were hit with ransomware attacks, only 32% were able to recover data even after paying malicious actors.
The answer, according to Deep Instinct: ‘studious financial planning’ to better understand how vulnerable a company is in the event of a cyberattack. This is confirmed by survey results indicating that only 38% of respondents are confident in placing a monetary value on the data within their organization – and nearly half gave answers that showed a lack of understanding of true vulnerabilities, or had conducted no assessments at all to determine how financially vulnerable they might be.