Tue, Sep 13, 2022

Chief Financial Officers Ignoring Cyber Risk Worth Millions of Dollars According to Kroll Report

New York – Kroll, the leading independent provider of global risk and financial advisory solutions, today announced its report Cyber Risk and CFOs: Over-Confidence is Costly, which found chief financial officers (CFOs) to be woefully in the dark regarding cyber security, despite confidence in their company’s ability to respond to an incident.

The report, commissioned by Kroll and conducted by StudioID of Industry Dive, exposed three key themes among the 180 senior finance executives surveyed worldwide:

  • Ignorance is Bliss. Eighty-seven percent of CFOs are either very or extremely confident in their organization’s cyberattack response. This is at odds with the level of visibility CFOs have into cyber risk issues, given only four out of 10 surveyed have regular briefings with their cyber teams.
  • Wide-ranging Damages. Nearly three-quarters (71%) of the represented organizations suffered more than $5 million (mn) in financial losses stemming from cyber incidents in the previous 18 months, and 61% had suffered at least three significant cyber incidents in that time. Eighty-two percent of the executives in the survey said their companies suffered a loss of 5% or more in their valuations following their largest cyber security incident in the previous 18 months.
  • Increasing Investment in Cyber Security. Forty-five percent of respondents plan to increase the percentage of their overall IT budget dedicated to information security by at least 10%.

Greg Michaels, Global Head of Cyber Governance and Risk in the Cyber Risk practice at Kroll, said: “We often see that CFOs are not aware enough of the financial risk presented by cyber threats until they face an incident. At that point, it’s clear that they need to be involved not only in the recovery—including permitting access to emergency funds and procuring third-party suppliers—but also in the strategy and investment around cyber both pre- and post-incident. Ultimately, cyberattacks represent a financial risk to the business, and incidents can have a significant impact on value. It is, therefore, critical that this is included in wider business risk considerations. A CFO and CISO should work side-by-side, helping the business navigate the operational and financial risk of cyber.”

David Ball, Managing Director in the Valuation Advisory Services practice at Kroll, said: “Cyber incidents have the potential to cause material damage or impairment to the assets of a company, particularly intangible assets, including intellectual property, customer relationships and brand. It is important for CFOs to understand the impact of cyber incidents on these assets and be in a position to assess and quantify the financial impact and potential risks to the company.”

You can download the full report here.

About Kroll
Kroll provides proprietary data, technology and insights to help our clients stay ahead of complex demands related to risk, governance and growth. Our solutions deliver a powerful competitive advantage, enabling faster, smarter and more sustainable decisions. With 5,000 experts around the world, we create value and impact for our clients and communities. To learn more, visit www.kroll.com.

For more information, contact:
Devonne Cusi
+1 212 450 8199
[email protected]
