Our latest survey of 530 UK CFOs across sectors found 82% expect cyber breaches to threaten business continuity and operations within the next 12 months. Only 36% feel ‘very confident’ in their business’ ability to manage cyber risk.
It’s no surprise finance leaders are concerned. At its core, cyber risk is financial risk. Whether it’s a website outage at peak trading, a halted production line, or a data breach triggering fines and litigation, the impact flows straight to the bottom line.
In this insight, Michael Woodbridge, Business Consulting Partner, unpacks the hidden costs of cyber incidents that often don’t make it into forecasts, how to budget for a risk that is constantly evolving, and the practical groundwork CFOs can put in place to avoid being caught off guard.
The hidden costs of a cyber incident
All CFOs understand that a cyber incident can cause downtime. Fewer have a full view of the longer-term impacts.
The damage that follows is easy to underestimate and often harder to forecast, which is exactly why it's worth mapping before an incident forces the issue.
1. Operational disruption
Scenario planning exercises often focus on the downtime on day one but don’t account for the extended tail – the reduced capacity, slower processes, and manual workarounds – that can run for weeks or even months.
2. Third-party obligations
Service level agreements, supplier dependencies and just-in-time supply chains all allow for one incident to cascade through multiple businesses down the supply chain. Missed obligations trigger penalties.
3. Thorough remediation
It takes longer than people expect to properly close an attack down. Attackers often leave back doors: logic bombs set to trigger later and residual access points that aren’t immediately visible.
Proper remediation means being certain the threat is fully gone rather than just contained.
4. Transformation programmes
Cyber incidents often uncover pre-existing weaknesses that need to be addressed. In some cases, this triggers multi-year transformation programmes and a need to redesign the business’ entire network.
Making long-term fixes properly costs money, and budgets often lack the flexibility to absorb it.
5. Insurance gaps and legal costs
Cyber insurance is important, but it rarely covers everything.
Legal fees – whether a fine from a regulator, group litigation, or both – can add significant additional costs. There are examples of businesses facing both an ICO investigation and a law firm aggregating affected individuals into a group claim.
6. The people impact
During a major incident, security teams work around the clock. Burnout sets in, key people leave, often including whoever leads on security, and external contractors are brought in at short notice and at a high cost. The result is that when the dust settles, the business now also faces an HR challenge that hadn’t been budgeted for.
Strong cyber defences require people, process and technology. Don’t underestimate the people dimension.
7. The cost of compliance
The Cyber Security and Resilience Bill, progressing through Parliament, will impact a wide range of businesses that deliver, support, or enable the UK’s essential services and digital infrastructure.
If this applies to your business, compliance will carry a cost: assessment, audit trail maintenance, and reporting infrastructure will all require time and investment.
Compliance should never be mistaken for meaning ‘we’ve done enough’. The businesses we consistently see fare worst in incidents, both in regulatory proceedings and in courts, are the ones that confuse ‘compliance’ with security. Compliance should create the floor, not the ceiling.
How do you budget for a risk that won’t stand still?
Every business would prefer a predictable, stable budget. Today’s threat landscape doesn’t allow for it.
For several years, the average cost of a data breach rose steadily. Last year, it decreased by 9% to $4.4 million (IBM, Cost of a Data Breach 2025) as businesses used AI to detect anomalies faster and respond more quickly.
Mean time to detect and mean time to recover – the two factors that most directly determine financial impact – both improved.
However, AI is not only improving defence. It’s also accelerating the speed and scale of attacks. Frontier models are being used to identify undiscovered vulnerabilities at pace, overnight exposing systems that had appeared stable for years.
For finance teams, this creates a complicated picture. AI could reduce the cost of a well-managed incident, but it also increases the probability of unexpected events and compresses the time available to respond. In other words, the severity of losses might fall, but the volatility of risk increases.
Factor in longer-term developments such as quantum computing, which will eventually challenge current encryption standards, and it becomes clear why CFOs might be feeling a sense of fatigue. New threat, new urgency, new budget request.
In response, we’re seeing a shift towards:
1. A reserve for the unknown. Ring-fencing a proportion of the security budget for threats that are not yet visible at the point of planning, creating more flexibility to respond to emerging risks without needing to re-open the entire budget.
2. Rolling forecasts, not rigid plans. Replacing rigid multi-year IT security commitments with flexible, rolling forecasts that allow security teams to escalate new risks for rapid financial review, rather than waiting for the next annual cycle.
3. Funding recovery, not just defence. Directing a greater share of the security budget towards recovery rather than prevention alone. The aim is to fund the ability to keep operating through an incident and recover quickly, on the basis that some attacks will get through regardless.
Building a stronger Cyber-Finance relationship
A more flexible budgeting approach is only effective if the CFO understands what's being escalated and why, and what a proportionate response looks like. That's where many businesses still come unstuck: Cyber and Finance are speaking different languages.
Cyber teams often frame budget requests or risks in technical terms – a need to ‘upgrade our Active Directory’, for example – without translating them into the EBITDA or revenue impact a CFO can weigh up. The business case never lands, the budget gets cut, the conversation ends, and the risk remains. Both teams are frustrated.
The solution runs both ways. Cyber teams need to make their case in financial language, but CFOs also need to make sure they’re asking the right questions.
Laying the groundwork before you need it
The board's questions after a cyber incident can only be answered with confidence if the groundwork is done well before it.
These are often areas that don’t get enough attention. They’re easy to put off when no incident is in sight, and painful to be caught short on when one arrives.
Each is worth questioning, documenting, and then regularly revisiting.
1. An up-to-date inventory of financial system dependencies
Which systems are business critical? What depends on what?
If one core platform goes down, what stops immediately, what can be manually worked around, and what breaks after 24 hours, 72 hours or one month?
2. A quantified view of business-critical processes
By extension, you need to understand the financial impact of disruption over different time horizons.
That allows the business to prioritise recovery decisions on a financial basis, not just a technical one.
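The inventory in point 1 and the quantified view in point 2 are one model seen from two sides: a dependency graph tells you what stops when a platform goes down, and attaching a loss rate and a workaround tolerance to each process turns that into a figure at 24 hours, 72 hours and one month. The script below is an added example written for this article, not a tool of the author’s or the firm’s; every system name, process and financial figure in it is constructed and hypothetical, and the loss model (a process loses money only once its manual workaround is exhausted) is an assumption chosen for illustration.

```python
# Added example (not from the original article): a minimal dependency
# inventory with a time-horizon impact model. All systems, processes and
# figures below are constructed and hypothetical.
from collections import deque

# Which systems each system needs in order to run (constructed sample).
DEPENDENCIES = {
    "erp": [],
    "payments": ["erp"],
    "warehouse": ["erp"],
    "ecommerce": ["payments", "warehouse"],
    "payroll": ["erp"],
}

# Business processes: the system they run on, the loss per hour once they
# halt, and how many hours a manual workaround keeps them going first.
PROCESSES = {
    "online_orders":     {"system": "ecommerce", "loss_per_hour": 12_000, "workaround_hours": 0},
    "dispatch":          {"system": "warehouse", "loss_per_hour": 5_000,  "workaround_hours": 24},
    "supplier_payments": {"system": "payments",  "loss_per_hour": 1_500,  "workaround_hours": 72},
    "payroll_run":       {"system": "payroll",   "loss_per_hour": 800,    "workaround_hours": 240},
}

# The horizons the article asks about, in hours.
HORIZONS = {"24h": 24, "72h": 72, "1 month": 720}


def dependents_of(system, deps=DEPENDENCIES):
    """Every system that stops when `system` goes down, itself included.

    Walks the dependency graph in reverse (breadth-first) so indirect
    dependencies are followed: ecommerce needs payments, payments needs
    erp, so an erp outage takes ecommerce down too.
    """
    reverse = {}
    for s, needs in deps.items():
        for n in needs:
            reverse.setdefault(n, set()).add(s)
    seen = {system}
    queue = deque([system])
    while queue:
        current = queue.popleft()
        for dependent in reverse.get(current, ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def affected_processes(system, processes=PROCESSES, deps=DEPENDENCIES):
    """Processes whose underlying system is inside the outage's blast radius."""
    down = dependents_of(system, deps)
    return {name: p for name, p in processes.items() if p["system"] in down}


def classify(system, processes=PROCESSES, deps=DEPENDENCIES):
    """Split affected processes into 'stops immediately' and 'breaks after N hours'."""
    affected = affected_processes(system, processes, deps)
    immediate = sorted(n for n, p in affected.items() if p["workaround_hours"] == 0)
    breaks_after = {n: p["workaround_hours"] for n, p in affected.items() if p["workaround_hours"] > 0}
    return {"stops_immediately": immediate, "breaks_after_hours": breaks_after}


def impact_by_horizon(system, processes=PROCESSES, deps=DEPENDENCIES, horizons=HORIZONS):
    """Cumulative loss at each horizon.

    A process only starts losing money once its workaround is exhausted,
    so its loss is (horizon - workaround_hours) * loss_per_hour, floored at 0.
    """
    affected = affected_processes(system, processes, deps)
    result = {}
    for label, hours in horizons.items():
        total = 0
        for p in affected.values():
            halted_hours = max(0, hours - p["workaround_hours"])
            total += halted_hours * p["loss_per_hour"]
        result[label] = total
    return result


def recovery_priority(processes=PROCESSES, deps=DEPENDENCIES, horizon_hours=72):
    """Rank systems by the loss their outage causes at one horizon: a
    recovery order decided on a financial basis rather than a technical one."""
    ranked = []
    for system in deps:
        loss = impact_by_horizon(system, processes, deps, {"h": horizon_hours})["h"]
        ranked.append((system, loss))
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for system in DEPENDENCIES:
        print(system, classify(system), impact_by_horizon(system))
    print("recovery order at 72h:", recovery_priority())
```

The point of running it across every system is the ranking: with these constructed figures, the ERP and the warehouse platform are tied at 72 hours because the warehouse outage also takes the web shop down through the dependency chain, which is precisely the kind of indirect exposure a flat list of "critical systems" would miss. Replacing the constructed tables with the real inventory is the work point 1 describes; the horizons and loss rates are the work point 2 describes.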
3. A map of cyber insurance coverage
Most CFOs know their business has cyber insurance. Far fewer know exactly what is covered, what is excluded, and what notification requirements apply.
You don’t want to wait until a claim scenario to understand the details.
4. Visibility of vendor and supply chain contractual obligations
What are your contractual commitments? Where are the penalty clauses? Which suppliers, if compromised, would create a material issue for you?
5. A board-level incident response exercise
When an attack happens, the board needs to know who to call, who owns which decisions, and where to find critical information, including if email and internet access become unavailable.
Running a scenario exercise is one of the highest-value, lowest-cost investments you can make in cyber resilience.
6. Clarity on who owns cyber risks
It's easy to assume that the security lead, whether that's a CISO, an IT director, or an outsourced provider, owns every aspect of cyber. They don't, and they can't.
They can advise on how to protect data, but they can't know every piece of data that Finance and every other part of the business holds, where it sits, or which connections to the outside world matter most. Each function needs to own its data and flag what's sensitive. Where that line isn't clear, risk often goes unowned, and unowned risk goes unmanaged.
Make sure ownership is explicit: agree who's accountable for each material risk, and see that those decisions are written down, not left implied.
Culture: the variable that underpins everything else
Some businesses treat security as a first principle. Secure-by-design thinking is embedded into product development, operational processes and strategic decision-making. Others treat it as a cost centre to be reduced, a compliance burden to be minimised, or a specialist function that only gets involved after something has gone wrong.
This difference will decide whether everything else in this article lands. You can map every dependency, document every decision and run every scenario, but if the culture isn’t right, you will still be vulnerable.
The CFO isn't the sole driver of culture, but they do have real influence over it.
- Do finance and cyber talk regularly and openly, or only at budget time and during incidents?
- How are security budget requests received: as risks to understand, or costs to cut?
- Are day-to-day, risk-based conversations typically welcomed or deflected?
- Is documenting risk decisions treated as bureaucracy, or as the important risk management it actually is?
- Does the board engage with cyber risk meaningfully, or does it sit permanently in the 'too technical' pile?
CFOs can't eliminate all cyber risk, and it isn't their role to. But they can demonstrate that they understood the risks, worked with the business to make defensible decisions about them, and built the foundations to respond well if an incident does happen.
If you're a finance leader trying to get to grips with your role in cyber on top of an already packed agenda, you don't need to do it alone. Reach out to Michael Woodbridge to see how we can help.