Responsible Business
Cyber security is financial security
Cyber threats are no longer solely the preserve of IT and technology teams. They are a real and present financial consideration, too, as Richard Crump finds out
When cyber criminals struck major UK retailers Marks & Spencer, Harrods and the Co-op earlier this year, it was a stark reminder of how vulnerable even the most sophisticated organisations can be, and the severe financial toll such breaches can inflict.
M&S alone disclosed a £300m hit to its operating profits this year – equivalent to roughly a third of its projected annual profit – stemming from supply chain disruption and customer orders through its website being down for almost seven weeks before resuming in June.
For finance directors, this is more than just headline-grabbing drama. It underscores a critical truth: cyber security failures now constitute material financial risk. The losses are not hypothetical – they are cash impacts to the bottom line.
“The scale of the threat is unprecedented, and the recent attacks show that even established, well-resourced companies are vulnerable,” said Vimal Raj Sampathkumar, UK technical head at IT software business ManageEngine.
“Cyber security has become a boardroom issue. It is a financial, legal and operational risk because the business’ continuity is at stake,” he added.
There’s a reputational component for boards to think about too, says John Toon FMAAT, technology strategy lead at Beever & Struthers.
“We have an obligation to keep our clients’ data confidential and secure,” he said. “If you don't do it, then you run the risk of turning into a Daily Mail front page.”
A growing threat
Meanwhile, ransomware and cyber attack losses in the UK are continuing to climb. There were an estimated 19,000 ransomware attacks on UK businesses last year, according to the government's cyber security survey.
And recent data from security vendor Sophos found that the average total recovery cost for UK businesses after a ransomware attack, excluding ransom payments, increased last year to $2.58m (£1.94m), up from $2.07m the year before.
“A cyber attack is one of the few devastating external events that can have massive financial problems,” Andy Burghes, CTO enterprise at NETSCOUT, said. “Data breaches are happening to everybody all of the time, it’s almost becoming normalised.”
Sophos revealed the findings in its latest report, The State of Ransomware in the UK 2025 (see stats, below). Based on a study of 201 UK ransomware victims in the past year, the report also found the size of ransomware payments doubled in the last year to $5.20m.
Ross Brewer, vice president at threat detection and incident response company Graylog, said the increase in ransomware payments has driven an exponential increase in the number of organised criminals coming into cyber crime.
“There is a sophistication in the supply chain. This is no longer individual actors – there are organisations that sell services to hack companies,” Brewer said. Criminals can now “make money with very little skill from operators who work on shared risk and shared profit”, he added.
Understand the threat
Richard Seiersen, a cyber security and risk management expert at Qualys, said that CFOs should work with their security team or chief information security officer (CISO) to understand the value at risk from such an attack.
Rather than having a risk manager buy the policy with the highest limit, or cover, for the lowest premium, CFOs need to be looking at the “residual risk given what the perils are from business disruption, data breach and extortion”, Seiersen said.
Seiersen said finance needs to have its “finger on the pulse of what the business stands to lose” and know the layers of defence, both in terms of the spend on protection, the transfer of risk – whether through insurance or capital reserves – and overall resilience.
At the heart of this is finance’s ability to model the value at risk from a catastrophic disruption to revenue generation: how long the organisation could plausibly be down, the speed of recovery, and the impact on cash and market cap.
“Security investments should be seen through the lens of business continuity and risk mitigation, not as technical line items,” said Alan Jones, chief executive of YEO Messaging.
Toon agrees, noting that too often cyber security is treated similarly to “when you get your house burgled”.
“That's when you get a burglar alarm and you take security a little bit more seriously,” he explained. “But of course, it’s a little bit late then.”
Stats and vulnerabilities
Source: Sophos, The State of Ransomware in the UK 2025
The proportion of ransomware incidents affecting UK businesses that stemmed from exploited vulnerabilities – the most common method of attack.
This was followed by phishing and other malicious emails at 26%.
The proportion of UK businesses that experienced ransomware attacks which identified a lack of security expertise as a contributing factor.
The proportion of UK businesses which said they lacked the necessary products and services to avoid becoming victims.
Not just any cyber attack…
In the case of M&S, the attack was attributed to the hacking collective Scattered Spider. It emerged days before similar cyber attacks were reported against the Co-op – which was forced to shut down parts of its IT system – and Harrods.
M&S admitted that some personal customer data was taken during the attack and saw its stock tank by 15%, wiping almost £750m of its market capitalisation – although this has since recovered.
However, the company said it had more than £400m of net funds in the bank and aimed to halve the financial impact of the attack to about £150m through insurance, cost reductions and other actions.
“From reputational damage and operational downtime to share price impact and regulatory penalties, the financial exposure is immense,” Alan Jones, cyber security specialist and chief executive of YEO Messaging, said.
War gaming and scenario planning
Finance leaders should consider whether budgets support organisational resilience as well as regulatory compliance and assess if IT teams have the necessary resources.
To do this, CFOs and CISOs need to be “talking the same language”, Burghes at NETSCOUT said.
“CISOs need to be able to articulate to finance what they need and why they need it to minimise that risk for the right amount of money,” he added.
It is also crucial to ensure there is board-level visibility of cyber risk by making sure it is regularly reviewed by the audit or risk committee, and that cyber resilience is included as part of internal control reporting.
Raj Sampathkumar said scenario planning can be “very powerful”.
He gives the example of one retail CFO who introduced “quarterly tabletop exercises” that included IT, HR and legal, to run simulations to uncover real gaps and improve coordination.
“Especially working with IT, finance can build worst case scenarios to turn cyber risk into something that can be measured, modelled and can often be mitigated in the future,” he said.
Social and human aspects
In the case of M&S, the company said the hack was not caused by a weakness in its IT systems or cyber defences but was the result of human error. Access had been gained via a third-party supplier that managed M&S’s helpdesk among other IT services.
“Finance teams think they can outsource and run with cloud and third-party operators, but you have got to take responsibility for your infrastructure and business because the outsourcer is not going to,” Graylog’s Brewer said.
Cyber criminals were able to access the retailer’s systems through so-called social engineering tactics, whereby criminals trick staff into changing passwords and resetting authentication processes to gain access.
“It's not just about system vulnerabilities anymore; it's about exploiting trust – through impersonation, phishing and social engineering. These aren’t gaps you can patch with software alone,” Jones at YEO Messaging said.
Lucy Finlay, director of secure behaviour and analytics at ThinkCyber, said finance leaders need to model good security behaviours themselves and make sure that finance staff are aware of how attractive a target they are to cyber criminals.
“Finance teams should be integrating security into every step of their workflows, whether that be nudge software to help them make the secure decision in the moment, or implementing separation of duties for key financial processes,” she said.