Good morning. As the U.S.–Iran conflict continues, banks and corporations face heightened risk of Iranian or proxy cyberattacks—not only on their systems but also on the vendors and service providers that support finance operations.
For CFOs, this is no longer a back-office IT issue; it’s a balance sheet, liquidity, and disclosure risk.
“We’re in the midst of annual planning cycles and insurance renewals, which makes this the critical window for CFOs to reassess vendor cyber resilience and coverage adequacy,” Joy Mbanugo, CFO of CXApp Inc., a workplace experience and employee engagement platform, told me. “Investing in cybersecurity is no longer a nice-to-have; it’s a must-have, right alongside AI investment, given the geopolitical landscape we’re operating in today.”
CXApp is treating vendor cyber risk as a material enterprise risk, integrating resilience assessments into its framework, updating incident playbooks, and aligning insurance coverage with vendor exposure, according to Mbanugo. “It’s essential to safeguard sensitive data and maintain stakeholder trust, which means moving from reactive incident response to proactive risk quantification with the same rigor we apply to any material balance sheet risk,” she said.
But the issue extends well beyond any single geopolitical flashpoint. J. Michael Daniel, president and CEO of the Cyber Threat Alliance, told me that CFOs should maintain continual diligence in cybersecurity regardless of the moment. Daniel joined CTA in 2017, after serving as the White House’s cybersecurity coordinator. Before that, he spent 17 years across administrations in senior roles at the Office of Management and Budget.
“The threat landscape continues to evolve,” he said. Financial institutions, because they are where the money is, “are always going to be in the crosshairs.”
That persistent risk, he argued, demands clearer communication at the top. Daniel drew a comparison between how a CFO communicates with the board and how cybersecurity leaders should.
The board is not interested in every detail of “how did we calculate the depreciation on the four assets in Indiana?” he said.
Instead, they want the broad picture: “Has the CFO done a good job at managing financial risk? And can the CFO explain, in plain English, how they are managing that financial risk for the company?”
The same should be true from a security perspective, Daniel said. Chief security officers, CISOs, and CIOs should clearly explain what they’re doing, where they’re investing, how they’re transferring risk through cyber insurance, and which risks they’ve chosen to accept—and whether that approach is evolving as threats change.
Still, even the best board-level strategy won’t prevent every incident. Large-scale attacks are a concern, but so are employee-targeted phishing and other social engineering attacks, which often serve as the entry point.
“The truth is the things that we cybersecurity professionals typically tell you to do is not rocket science,” he said. “It’s kind of like what your grandmother told you: If it’s too good to be true, it probably is.”
Adversaries play on emotions and create urgency, Daniel said. If a message feels rushed, double-check it.
Part of CTA’s recommendations is a campaign called “Take Nine.” The idea is simple: take nine seconds before you respond, Daniel said.
Then verify the request through another channel—if it came by email, text or call; if by text, send an email. That pause and cross-check is one of the best ways to reduce the risk that a social engineering attempt succeeds, he said.
In this environment, it seems the CFOs who fare best will be the ones who treat cybersecurity as a core risk discipline, and not a technical footnote.
Sheryl Estrada
Leaderboard
Kenneth (Ken) Sharp was appointed SVP and CFO of L3Harris Technologies (NYSE: LHX), a defense contractor, effective March 16. Sharp, 55, brings more than 30 years of financial leadership in defense and technology. He succeeds Ken Bedingfield, who will focus on leading the Missile Solutions segment as its president. Sharp joins L3Harris from Peraton Inc., where he served as EVP and CFO. Before that, Sharp was CFO of DXC Technology, and CFO of Northrop Grumman’s Defense Systems business.
Brad Hill was appointed CFO and EVP of transformation at Red Lobster, the seafood restaurant brand. Hill will lead Red Lobster’s finance organization, along with leading the company’s strategic real estate efforts. He previously held multiple executive roles at P.F. Chang’s. Hill succeeds Bob Baker, who has departed the company.
Big Deal
E*TRADE from Morgan Stanley clients were net buyers in five of 11 sectors in February, with a good portion of the buying occurring in areas of the market that sold off amid AI disruption concerns, according to the firm.
The sectors with the most net buying were financials (+6.33%), communication services (+2.39%), and tech (+2.03%).
“The financial sector was the S&P 500’s weakest performer last month, with brokerage and insurance stocks among the groups experiencing AI-related sell-offs, at least briefly,” Chris Larkin, managing director of trading and investing, said in a statement. “Clients also appeared to be buying the dip in some of the tech leaders that suffered similar setbacks.”
Meanwhile, the sectors with the highest net selling were consumer staples (-8.01%), energy (-7.63%), and utilities (-3.96%)—“a possible case of selling into strength, as all of them were among the month’s strongest performers,” he said.

Going deeper
“Reporting Cybersecurity Risk to the Board of Directors” is a white paper by ISACA, a global professional association focused on IT governance, risk, security, audit, and privacy. The paper covers key topics such as cyber risk as strategic risk, oversight programs, legal and regulatory concerns, the role of threat intelligence, and reporting and education for boards.
Overheard
“Executives now face synthetic threats from two directions: their likenesses cloned to authorize fraudulent transfers or inflict reputational harm, and AI-generated voices impersonating government officials, board members, and business partners used to manipulate them.”
—James Richardson, a senior managing director at the global law firm Dentons, writes in a Fortune opinion piece titled, “Boards aren’t ready for the AI age: What happens when your CEO gets deepfaked?”











