CFOs – the forgotten ally in the fight against ransomware

Justin Vaughan-Brown, VP Market Insight at Deep Instinct

Ransomware attacks have nearly doubled in the past couple of years. According to a new report from an international law firm, the number of ransomware attacks reported to the Information Commissioner's Office (ICO) rose within a year from 236 to 654 in 2021. With threat actors using increasingly advanced methods to launch attacks, organisations are too often financially unprepared when disaster strikes.

Apart from taking a mental toll, cyber-attacks put significant financial burdens on an organisation. Our own research among C-suite and IT security decision makers revealed that last year, UK-based organisations paid an average ransom of £3 million. While the decision to pay a ransom should fall on the shoulders of CEOs and CFOs, in many cases the latter were side-lined from the decision-making process. In only 14% of cases did financial officers play an active role in making the final decision about paying a ransom. This is an alarming proposition, as ransomware is, at its core, a financially motivated attack.

Unmasking this vast disconnect in how the management team assesses the risks and aftermath of a cyber-attack on their organisation reveals a potentially dangerous misalignment of understanding and priorities when it comes to securing it. So why do CFOs feel that their organisations are not prepared to face a cyber-attack, and how does the CFO's perception of the company differ from that of the CEO?

Why do CFOs feel their firm is ill-prepared against cyber-attacks?

One of the core challenges is the gap between the cost expected by those willing to pay a ransom and the cost actually incurred by those who paid one. Those who were willing to pay a ransom demand vastly underestimated the cost. For example, respondents who would be willing to pay a ransom in the future estimated that the pay-out would cost, on average, £760,000; in reality, however, the average amount paid was four times higher – standing at £3 million. In addition, it was revealed that only 32% of organisations were able to recover all of their data and show a positive outcome after the ransomware attack.

While a company's CFO plays a major role in boosting the morale of an organisation, CEOs are expected to exude confidence in their organisation. If CFOs do not take their place in the team that fights cyber-crime, the organisation develops a false sense of security, leading the CEO and other members of the organisation to believe that they can effectively fight malware gangs.

Due to the plummeting number of financial officers involved in assessing the risk of cyber-attacks on their organisation, fewer and fewer CFOs feel confident enough to state that their organisation is prepared to withstand a cyber threat. CFOs have also been excluded from the decision to pay a ransom to malware gangs, despite it being a financial issue.

For example, 56% of respondents stated they had paid the ransom to recover their data, with only 14% claiming that their CFO had made the decision – in the other 29%, the CEO had been in charge. Given that such decisions carry a true monetary risk, it's essential that CFOs and financial executives have a critical role in making them.

Moreover, only 12% of CFOs are actively involved in the risk management process, and hence only 14% feel their organisation is prepared to withstand a cyber-attack. On the other hand, 63% of CEOs are under the impression that their organisation is well prepared for one.

A wake-up call for the exec suite

Of the organisations we spoke to, nearly two-thirds of respondents confessed that their business had endured a ransomware attack. With the increasing number of cyber-attacks, it has become essential for an organisation to assess the impact a cyber-attack may cause. Threat actors provide no assurance that all the encrypted data will be returned even after a ransom is paid, so it is important to have an estimate of the losses that would be incurred in such a case.

Only 38% of respondents seemed confident in assigning a monetary value to the data within their organisation and analysing the potential impact of its loss. Meanwhile, 48% of organisations revealed an inadequate or inaccurate assessment of the cyber-attack, and in some cases no assessment at all.

Firms should first accurately analyse the monetary risks of a ransomware attack and of their response to it, so that they understand the true cost of any decision; otherwise they will fall into the pit of false security until the true cost of the ransom is revealed. It's imperative that senior executives at all levels be part of the ransomware response strategy and all relevant decision-making processes. After all, they all have a role in making sure that the business stays buoyant and prepared in the face of adversity. Otherwise, organisations will continue to fill the pockets of cybercriminals while incurring huge losses themselves.