Cybersecurity is increasingly a CFO problem: Microsoft

Dive Brief:

Cybersecurity has shifted from an information technology concern to one that increasingly carries financial risks falling within the scope of the modern CFO role, according to a new thought leadership piece from Microsoft.
CFOs are becoming more central to how organizations assess and manage cybersecurity risk as incidents increasingly translate into financial loss and operational disruption, the company said in its blog post, adding that recent advancements in artificial intelligence have only accelerated these trends.
“Cybersecurity may once have been managed quietly in the background, but today it is a visible financial leadership challenge shaped by regulation, AI acceleration, and rising expectations from boards and investors,” the post said.

Dive Insight:

U.S. cyberattacks hit a new peak in 2025, resulting in a record 3,322 data compromises, a 79% increase compared with 2020 levels, according to the Identity Theft Resource Center, a nonprofit that tracks and reports on U.S. data breach and identity theft activity.

Cybersecurity now ranks as the biggest external concern for finance leaders globally, surpassing economic conditions and geopolitical tensions, according to SAP Concur’s latest CFO Insights report. “Like a rogue wave, cyber threats have risen sharply to become the top external challenge facing finance leaders,” the report said.

In a high-profile example, Jaguar Land Rover said in January that a cyber incident disclosed in early September continued to weigh on its sales, with wholesale volumes down 43% year-over-year to 59,200 units in the three months ended Dec. 31 versus the same period a year earlier, as reported by CFO Dive sister publication Cybersecurity Dive.

“The cyber incident meant that we had to close down our systems in one of the higher volume months of the year,” JLR CFO Richard Molyneux said in a November earnings call.

IBM reported last year that the average U.S. cost of a data breach was $10.22 million, up 9% compared with the prior year’s level and an all-time high for any region. The spike was driven by steeper regulatory fines and higher detection and escalation costs in the U.S., which occurred even as the average global breach cost fell 9% to $4.44 million, IBM said.

In the current environment, organizations are under growing pressure to move cybersecurity out of siloed technical functions and into enterprise-level decision-making, including risk management and financial planning processes, Microsoft said.

The blog post emphasizes that cybersecurity incidents should be assessed in terms of business impact, including disruptions to operations, cash flow and long-term performance. It calls for closer coordination between finance, security and technology leaders to ensure risks are consistently evaluated and communicated at the executive level.

CFOs are increasingly positioned as key participants in translating cyber risk into financial terms used for planning, governance and reporting, the company said.

The guidance also highlights the need to embed cybersecurity into enterprise risk management frameworks, particularly as companies scale AI adoption.

“Leading organizations are beginning to model cyber incidents the same way they model budgets or supply‑chain disruptions — using scenario‑based approaches to understand downtime, response costs, regulatory exposure, and potential impact on cash flow,” the blog post said.