Brian Jackson - stock.adobe.com

Most CFOs being left out of ransomware conversations

Barely a tenth of CFOs are actively involved in planning for cyber attacks, according to a report

Chief financial officers (CFOs) and their equivalents are finding themselves left out of conversations around risk management and cyber security protection, even though over half report their organisations have experienced ransomware attacks.

This is according to new data compiled from hundreds of interviews conducted by Sapio Research and deep-learning specialist Deep Instinct, which said that only 12% were taking an active role in planning for ransomware attacks.

The exclusion of financial leaders would appear to be seriously affecting confidence in their business’ cyber posture. A clear majority of 69% said they did not believe their boards were taking cyber and associated risks seriously enough, and just 14% believed their businesses were well-prepared for a cyber attack, in contrast to 63% of CEOs.

Deep Instinct said its findings laid bare a disconnect in how business leadership communicates and collaborates on cyber risk.

“Cyber criminals and organisations usually have a common goal – financial reward – and each day a new ransomware attack hits the headlines, one of the first questions among executives is, ‘How much is it going to cost to get back the data?’” said Deep Instinct CFO Heather Bellini.

“It is vital for organisations to take the task of quantifying the financial risk of cyber attacks seriously and ensure it is accurate, otherwise they can fall into the trap of having a false sense of security and being blasé when it comes to the true cost.

“This is why it is so important that all senior and strategic roles within the business have an active and equal responsibility in ensuring their business is resilient and well prepared.

“We talk in the industry about breaking down siloes and cyber security no longer being the sole remit of the IT team, but this isn’t translating into meaningful action. Until this changes, organisations will continue to be counting the costs of breaches and lining the pockets of cyber criminals.”

The study identified a further gap between CFOs’ estimates of ransomware demands and the reality of payments. Deep Instinct said 56% of CFOs that responded to its study reported their organisations had paid a ransom for the return of their data – and a third had received nothing – with an average payment of £3m, but CFOs tended to expect they would pay an average ransom of just £760,000. Additionally, when a ransom was paid, the CFO had input into the final decision in just 14% of cases.

Coupled with the fact that only just over a third of respondents could confidently place a monetary value on their organisation’s data, Deep Instinct said this highlighted a clear need for financial leaders to make their voices heard, and ensure rigorous financial planning is conducted.

Guy Caspi, CEO of Deep Instinct, said: “While it may be shocking to see how prevalent and successful ransomware attacks are, I believe we are only seeing the tip of the iceberg. With nearly two-thirds of organisations admitting to being hit by ransomware, you can’t help but wonder how many have stayed under the radar, especially when it continues to be so profitable for attackers.

“From a corporate governance perspective, much more needs to be done to ensure that all stakeholders are truly cognisant of not only the risks to their business, but also in the full potential of financial and other business impacts that come from being successfully attacked.”

Read more about risk and planning

  • When it comes to critical infrastructure cyber security, the stakes are uniquely high. Assessing associated cyber-risk, in turn, is uniquely challenging.
  • In the first in a series on cloud-era disaster recovery, we provide a step-by-step guide to building firm foundations for the disaster recovery plan, with risk assessment and business impact analysis.

Read more on IT risk management