
BDO’s top ten things CFOs should do immediately about cyber security

01 October 2018

October Cyber Security Awareness Month 2018 


Throughout 2018, BDO has held discussions with CFOs from hundreds of global industries, including financial services, healthcare, government contracting, automotive, manufacturing, private equity, and law firms. In these conversations, it became apparent that CFOs are frustrated by a ‘knowing’ versus ‘doing’ gap. This is understandable, since most C-Suite members or Board Directors never receive appropriate cyber security education and training.

CFOs need not become Certified Information Systems Security Professionals. Rather, CFOs should increase their knowledge of core cyber security concepts and leverage their own leadership skills to conceptualise and manage risk in strategic terms, and to decide how best to invest their time and resources to improve cyber defence.

To address this Know/Do gap, BDO provides a list of 10 effective, proactive actions any CFO can undertake immediately to enhance his or her company’s cyber defence.

Top ten things CFOs should do immediately about cyber security


• Determine what the organisation’s most valuable information/digital assets are: Cyber-attacks and security breaches will continue to occur and will negatively impact the business. Today, the average cost of the impact of a cyber breach is $7.5 million according to the US Securities and Exchange Commission (SEC).

• Determine how much cyber liability insurance coverage is necessary to financially protect the company’s assets.

• Determine what the organisation’s risk of a cyber breach is: According to most cyber security surveys, over 60% of all data breaches originate from unauthorised access by one of the organisation’s current employees, former employees, or third-party suppliers. Has your organisation created an insider-threat program to mitigate the risk of a cyber breach from within the

• Achieving information security compliance with one or more government regulatory standards for information security (e.g. ISO 27001, NIST 800-171, HIPAA, NYDFS, AICPA SOC, etc.) is good, but not sufficient to ensure real cyber security. What actions should our organisation take to ensure real cyber

• Conduct an independent email and network threat assessment. If one was recently conducted, then what were the results?

• Obtain an independent assessment of the adequacy of our cyber liability insurance coverage. Cyber liability insurance premiums are significantly increasing in cost and often do not cover all of the damages caused by a cyber

• See that managed Monitoring, Detection, and Response (MDR) and Managed Security Services (MSS) are combined, to achieve real information security and data resilience. Determine whether internal resources exist to perform the MDR work or whether it needs to be outsourced. If so, then how much will it cost?

• Determine if the organisation has comprehensive incident response (IR), disaster recovery (DR) and business continuity plans (BCP).

• Undertake scenario thinking and ask: If we are attacked by ransomware, would we pay the ransom? If so, then how much should be budgeted? Will it be covered by cyber liability insurance coverage?


Organisations may not realise how valuable a cyber security strategy is until there’s a vulnerability. BDO wants to make sure your organisation never faces that situation. BDO professionals are available to provide guidance and specialised resources surrounding any cyber security issue. To contact BDO's Global Cyber Security Team, visit