
Why cyber risk management matters for financial resilience


The growing cost of cybersecurity programs requires chief financial officers to integrate cyber risk management and financial oversight.


In brief
  • Cybercrime can have serious financial consequences, and CFOs should take an active role in managing cyber risks in their organization.
  • Working with other leaders can help CFOs understand the organization’s potential exposure and make better financial decisions related to cybersecurity risk.
  • By including the finance function in cyber risk management, CFOs can help protect the company’s assets, comply with regulations and avoid financial losses.

Cybersecurity is not just an IT problem or a crisis scenario from a playbook, but a persistent and growing business concern with real financial implications, including the potential costs of incident response, legal liabilities, reputational damage, and loss of revenue from lack of consumer trust.

In 2023, the average cost of a data breach for businesses based in the United States exceeded $9 million per incident.¹ With schemes including extortion, social engineering and phishing attacks combined with vulnerabilities due to organizations’ increasing reliance on third parties, the likelihood of a damaging cyber incident continues to escalate. Cybercrime caused $12.5 billion in financial damage in the United States in 2023, a 22% increase year over year, according to FBI statistics.²

High price to pay: estimated cost of cybercrime globally in 2024, according to the World Economic Forum.

Mitigating cyber risks and incorporating them into the organization’s long-term financial strategy is a mission shared by many in the C-suite, such as the CFO, chief information security officer (CISO) and chief technology officer (CTO), as well as the board of directors.


In recent conversations, these leaders have said they are weighing the trade-offs of cyber insurance, the responsibility to include cyber risks in financial reporting, and how to implement strong internal controls to protect their organization’s assets. At the board level, financial discussions include reconciling the value at risk against the board’s risk tolerance and evaluating the effectiveness of cyber insurance coverage.


Cyber risk management is necessary not only for maintaining investor confidence and meeting regulations, but also for protecting assets. Here are four considerations that CFOs and financial leadership are weighing as they respond to the evolving threat landscape.


1. The increasing cost of cyber risk prevention and exposure

Although organizations spend nearly half of their IT budget on cybersecurity, only 11% of the cybersecurity leaders surveyed by the global EY organization “strongly agree” that their organizations are well positioned for the threats of tomorrow, and more than one-third say an inadequate budget is one of the top three cybersecurity challenges.³


Cyber risks can manifest in many ways, and the CFO is uniquely positioned to quantify these risks and estimate the cost of an incident. By working collaboratively with the CISO, the CFO can better understand the probability of an incident and the organization’s exposure to it, set metrics on spending and ROI, and communicate recommendations for prioritizing cybersecurity spending.


This approach reinforces that cybersecurity investments are not only proactive but also aligned with the organization’s strategic goals and risk tolerance.


Questions to consider:

  • Is our investment in cybersecurity commensurate with our risk profile?
  • Are we investing in the right technology to protect against cyber threats?
  • To what extent does our budget cover incident response and business continuity?
  • Where do we stand to benefit from additional cybersecurity awareness training for employees?
  • What is our risk exposure and our obligations to third parties and business partners?

2. Cyber due diligence during mergers and acquisitions (M&A)

M&A activities present unique cybersecurity challenges that can lead to unexpected losses. There are several notable examples in which cyber incidents or data breaches were discovered only after a deal closed, leaving the acquiring company to bear additional costs.

As part of the due diligence process, the CFO should work with the CISO to understand the cyber health of a potential acquisition. This helps the acquirer avoid inheriting vulnerable systems or latent threats, identify potential integration costs, avoid unforeseen liabilities and facilitate smoother post-merger integration.

Questions to consider:

  • What is the cybersecurity program maturity level of our target company?
  • How can these risks be mitigated, and how can we protect the company financially and operationally while we integrate?
  • Will acquiring the target company subject us to new regulations we need to comply with?
  • Can cybersecurity tools and platforms be consolidated to reduce costs and enhance security measures through shared leading practices?
  • Are there any deal terms that should be adjusted based on cybersecurity risks and vulnerabilities?
  • Are we prepared to protect our assets pre- and post-transaction?

3. The value of cyber insurance

The right insurance policy can be a financial lifeline in the aftermath of a damaging incident, but there are differing opinions on the value of cyber insurance.


In our recent analysis of Fortune 100 company disclosures, 95% of boards referenced response readiness, such as emergency planning, disaster recovery or business continuity strategy.⁴ However, only 25% indicated the company maintains cybersecurity insurance.⁵


Deciding which type of insurance to carry requires careful analysis that weighs the cost of premiums against potential losses. CFOs can work with risk officers and insurers to understand policy terms and assess coverage adequacy, then determine whether the organization’s insurance strategy aligns with its cyber risk profile and advise on policy elections and adjustments.


Questions to consider:

  • Do we have an appropriate cyber insurance policy in place?
  • What are the terms and limitations of our cyber insurance coverage?
  • How would a cybersecurity incident affect our financial posture?
  • What levers can we pull to improve our insurance coverage and premiums?
  • If we have purchased cyber insurance, have the protocols for utilizing it been added to the business continuity and disaster recovery plans?

4. Financial reporting and disclosures

More than half of boards meet with cybersecurity management at least annually, and in about 80% of the Fortune 100 organizations we studied, cyber risk oversight falls to the audit committee.

Cyber risks related to technology adoption can have significant implications for financial reporting, including the external audit of a company’s financial statements and internal controls over financial reporting. Cybersecurity incidents can also disrupt financial reporting processes, potentially delaying the timely production of financial statements and impacting regulatory compliance.

CFOs should consider advocating for the inclusion of cybersecurity controls within the overall risk assessment and internal control framework to identify gaps and risks that could impact the company’s cyber risk profile. In addition, CFOs should confirm that the company’s 10-K filing accurately reflects its cyber risk management, strategy and governance.


The Securities and Exchange Commission (SEC) cyber disclosure rules require publicly traded companies to disclose a material cybersecurity incident to shareholders and the SEC within four business days of determining that it is material, by filing Form 8-K. In making the report, the CFO should ensure that the disclosure is accurate, complete, and filed on time.

Collaborating across functions, including the legal and compliance teams as well as the CISO, becomes critical so that disclosures are informed by the latest cybersecurity risk management practices. We have found that practicing responses to simulated incidents, particularly those that would be determined to be material, is an effective way for CFOs to understand their organization’s level of preparedness and agility during a real-world event, and an important method of testing disclosure processes.

Questions to consider:

  • What are the disclosure obligations in relation to cybersecurity risks and incidents and how do they impact the company’s disclosures and financial reporting obligations?
  • What are the financial implications of noncompliance?
  • How should we balance transparency with the need to protect sensitive information during a cybersecurity incident investigation?
  • Do our internal controls adequately address cybersecurity risks?
  • How do changes in cybersecurity regulations affect our financial reporting and audit processes?
  • How would a cybersecurity incident impact our financial statements?

Clear and accurate disclosures can enhance investor trust and prevent regulatory penalties, positioning the CFO as an increasingly important stakeholder in the organization’s cybersecurity preparedness. By providing oversight and direction on the organization’s cybersecurity risk management program and reinforcing this tone from the top across the business, the CFO can sponsor a cyber strategy that enables the organization to navigate cyber complexities with confidence.


Summary

Cybersecurity risks can greatly affect a company’s financial reporting. By recognizing cybersecurity risk as a business concern, CFOs can work with other leaders and the board to understand the risks and put effective management in place. This not only helps protect the company’s assets but also supports regulatory compliance and fosters trust among investors and stakeholders.
