For CFOs, this is no longer a back-office IT issue; it’s a balance sheet, liquidity, and disclosure risk.
“We’re in the midst of annual planning cycles and insurance renewals, which makes this the critical window for CFOs to reassess vendor cyber resilience and coverage adequacy,” Joy Mbanugo, CFO of CXApp Inc., a workplace experience and employee engagement platform, told me. “Investing in cybersecurity is no longer a nice-to-have; it’s a must-have, right alongside AI investment, given the geopolitical landscape we’re operating in today.”
CXApp is treating vendor cyber risk as a material enterprise risk, integrating resilience assessments into its framework, updating incident playbooks, and aligning insurance coverage with vendor exposure, according to Mbanugo. “It’s essential to safeguard sensitive data and maintain stakeholder trust, which means moving from reactive incident response to proactive risk quantification with the same rigor we apply to any material balance sheet risk,” she said.
But the issue extends well beyond any single geopolitical flashpoint. J. Michael Daniel, president and CEO of the Cyber Threat Alliance, told me that CFOs should maintain continual diligence in cybersecurity regardless of the moment. Daniel joined CTA in 2017, after serving as the White House’s cybersecurity coordinator. Before that, he spent 17 years across administrations in senior roles at the Office of Management and Budget.
“The threat landscape continues to evolve,” he said. Financial institutions, because they are where the money is, “are always going to be in the crosshairs,” he said.
That persistent risk, he argued, demands clearer communication at the top. Daniel drew a comparison between how a CFO communicates with the board and how cybersecurity leaders should.
The board is not interested in every detail of “how did we calculate the depreciation on the four assets in Indiana?” he said.
Instead, they want the broad picture: “Has the CFO done a good job at managing financial risk? And can the CFO explain, in plain English, how they are managing that financial risk for the company?”
The same should be true from a security perspective, Daniel said. Chief security officers, CISOs, and CIOs should clearly explain what they’re doing, where they’re investing, how they’re transferring risk through cyber insurance, and which risks they’ve chosen to accept—and whether that approach is evolving as threats change.
Still, even the best board-level strategy won’t prevent every incident. Large-scale attacks are a concern, but so are employee-targeted phishing and other social engineering attacks, which often serve as the entry point.
“The truth is the things that we cybersecurity professionals typically tell you to do are not rocket science,” he said. “It’s kind of like what your grandmother told you: If it’s too good to be true, it probably is.”
Adversaries play on emotions and create urgency, Daniel said. If a message feels rushed, double-check it.
Part of CTA’s recommendations is a campaign called “Take Nine.” The idea is simple: take nine seconds before you respond, Daniel said.
Then verify the request through another channel—if it came by email, text or call; if by text, send an email. That pause and cross-check is one of the best ways to reduce the risk that a social engineering attempt succeeds, he said.
In this environment, it seems the CFOs who fare best will be the ones who treat cybersecurity as a core risk discipline, and not a technical footnote.