
Top Cybersecurity Priorities for CFOs

CFOs have their hands full when it comes to managing the cybersecurity risks facing their organizations. That’s why it’s important to prioritize security threats and mitigation strategies so they can address the most urgent threats.

Here are six key cybersecurity areas CFOs should be focusing on in 2025, according to experts.

1. Ransomware

Ransomware continues to be a major concern for organizations, as cybercriminals find new and more effective ways to break into systems and force victims to pay up or face consequences such as the exposure of sensitive data.

“Cybercriminals leveraging ransomware not only have a direct financial impact in the form of ransom payments, but also expenses associated with business interruption and damage control due to reputational damage,” says Nicole Joseph, chief operating officer and finance director at law firm CM Law.

“As an evolving threat, ransomware attacks can be managed more effectively by leveraging a proactive defense that includes robust multi-layered security measures, business continuity planning and regular audits,” Joseph says.

2. Cyber Extortion

CFOs need to be aware of the rising threats of cyber extortion, says Charles Soranno, a managing director at global consulting firm Protiviti. “Cyber extortion is a form of cybercrime where attackers compromise an organization’s systems, data or networks and demand a ransom to return to normal and prevent further damage,” he says.

Beyond a ransomware attack, where data is encrypted and held hostage until the ransom is paid, cyber extortion can involve other evolving threats and tactics, Soranno says. “CFOs are increasingly concerned about how these cyber extortion schemes impact lost revenue, regulatory fines [and] potential payments to bad actors,” he says.

Finance executives are a key part of the resolution of these types of events because they will be actively working with chief information security officers and the legal department on decision-making for resolving cyber extortion, Soranno says.

3. Third-Party Risks

CFOs must be cognizant of and prepared for the cyber risks that third parties such as suppliers, contractors and service providers contribute to their organization’s risk profile, says Jeff Krull, principal at advisory tax and assurance firm Baker Tilly.

“As demonstrated by 2024’s CrowdStrike outage, there is an inherent and severe risk associated with heavily integrating large service providers into an organization’s day-to-day operations,” Krull says. “In collaboration with other organizational leaders, CFOs must assess the risks posed by these external partners to identify vulnerabilities and implement a proactive mitigation and response plan to safeguard from potential threats and issues.”

While a deep knowledge of the entire supply chain’s cybersecurity posture might seem like a luxury for some organizations, the increasing interconnectedness of partner relationships is making third-party cybersecurity risk profiles more of a necessity, Krull says.

“The reliance on third-party vendors and cloud services has grown exponentially, increasing the potential for supply chain attacks,” says Dan Lohrmann, field CISO at digital services provider Presidio. “CFOs must ensure that cybersecurity strategies encompass rigorous third-party risk assessments, including regular audits and compliance checks.”

4. SEC Requirements

New cybersecurity disclosure requirements by the U.S. Securities and Exchange Commission look to provide investors with information about companies’ cyber risk incidents as well as mitigating processes over cyber risk, Soranno says.

“Cybersecurity threats and incidents pose an ongoing risk to private and public companies,” Soranno says. “The requirements by the SEC are designed to protect public company investors as cybersecurity events can have a substantial impact on financial health.”

Adopted amendments increase reporting and disclosure requirements for SEC-registered companies, Soranno says. For example, material cyber incidents must be disclosed in a public 8-K filing within four business days.

“CFOs will need to partner with cybersecurity counterparts to make sure they have appropriate processes in place to meet the disclosure requirements when a cyber incident occurs,” Soranno says.

5. Employee Access Controls/Insider Threats

Whether intentional or accidental, employees can perform actions that put their organizations at risk for data breaches and other incidents.

“In 2025, organizational leaders must recognize the risks of insider threats and work to mitigate them through employee access controls,” Krull says. “Insider threats pose a catastrophic cybersecurity threat to organizations and are often difficult to trace.”

Companies should develop best practices in building employee access controls and evaluate the best structure for their organization, Krull says. “This requires a deep understanding of your network’s data and access points along with clear communication with employees on best practices,” he says.

While the implementation of zero-trust security and least privilege models — which assume that no device on a network is trustworthy and access should be limited only to what users need — is important to minimize risk, these models do not eliminate insider threats, Krull says.

“CFOs and [other] organizational leaders must work with their IT team to continually monitor and update their internal cybersecurity strategy to best ensure protection,” he says.

6. Ongoing Investments

The cybersecurity landscape constantly changes, and standing still is not an option. Organizations need to make ongoing investments in the latest tools and services as needed, to keep up with the threats.

“From cybersecurity insurance to incident response plans to employee training [to] data loss prevention, cybersecurity investments will need to be ongoing budgetary items to mitigate cyber risks that could potentially threaten the financial position of the firm,” Joseph says.

CFOs need to bridge the gap between cybersecurity and financial risk by quantifying potential cyber threats in monetary terms, Lohrmann says. “Understanding the financial impact of breaches, downtime or data loss enables better decision-making and prioritization of cybersecurity initiatives. This approach ensures that cybersecurity is viewed as a critical financial concern rather than a technical issue, aligning security investments with business goals and shareholder expectations.”


This article was written by Bob Violino from CFO.com and was legally licensed through the DiveMarketplace by Industry Dive. Please direct all licensing questions to legal@industrydive.com.
