by Brian Veloso, Managing Director at SAP Concur Canada
Increasing cyber risks are reported by seven in ten (72 per cent) leaders in the World Economic Forum’s Global Cybersecurity Outlook 2025 – with the average global cost of a data breach hitting $4.4 million, according to IBM. In Canada, the stakes are even higher: the average cost of a breach has climbed to CA$6.98 million, underscoring the significant financial exposure Canadian organizations face.
Against this backdrop, attitudes towards cyber risks are changing. SAP Concur research shows that leaders now see a lack of cyber protection as a financial risk, not just an IT problem – with 59 per cent of Chief Financial Officers (CFOs) planning to increase their cybersecurity budget.
That’s because the risk associated with a lack of protection is significant – from regulatory fines, to downtime, and revenue impact – for businesses of all sizes.
While it doesn’t fall under their traditional jurisdiction, CFOs are uniquely positioned to improve the security posture of their organization. Let’s explore how and why this role should weigh in on the conversation to improve cyber resilience.
Taking control of data access
While responsibility for financial assets and information ultimately rests with the CFO, employees often require access and control to do their jobs – for example, accounting teams inputting into Profit and Loss (PNL) statements.
Yet, as employees increasingly use their own technology to do business – from mobile phones to home Wi-Fi – there’s a growing risk of vulnerabilities.
Every personal device or system has an associated risk, and it requires a corresponding plan for mitigation. The CFO has a vital role to play in protecting and governing an organization’s financial data – even without the same technical expertise as IT teams.
Here are four ways CFOs can safeguard data access controls for company financial data:
- Multi-factor authentication (MFA): Adds another layer of verification, besides usernames and passwords, mitigating the impact of stolen passwords.
- Single sign-on (SSO): Limits the number of usernames and passwords users need by centralizing identification systems.
- Strict password requirements: Increasing the complexity of passwords can discourage easily guessed, simple or repetitive passwords.
- Role-based access controls: Employees can be assigned different levels of access based on their roles. This means users can only access authorized systems and data.
Implementing varied and secure controls on data access shields businesses from unauthorized parties accessing critical information through attacks, such as malware designed to exploit employee vulnerabilities to gain network access.
Sharing knowledge beyond finance teams
Human error remains the biggest cybersecurity concern for leaders, and 43 per cent of IT leaders cite phishing and social engineering as critical vulnerabilities.
Improving employee awareness of cybersecurity is vital, but it’s not up to IT teams to manage alone.
Financial leaders have unique skills and knowledge to bring to the table that can help improve their organization’s wider understanding – from trend forecasting, to considering the financial impact of cyber attacks.
With almost a third (29 per cent) of IT leaders flagging inadequate employee training as a main cybersecurity threat, there’s scope for CFOs to broaden employees’ existing cybersecurity knowledge. Alongside their unique perspective, financial leaders can ensure employees understand how to protect sensitive financial data – regularly sharing the latest on security protocols, access controls, and compliance requirements.
Collaborating on business decision-making
Purchasing new technology poses a security risk – one that now requires consideration from the whole C-suite.
Organizations are constantly weighing up the benefits and risks of adopting new tools. For example, IBM found that 97 per cent of AI-related security breaches involved AI systems that lacked proper access controls.
The expertise of financial leaders allows organizations to understand the financial impact of the associated risks from new technology investments.
However, though CFOs can help inform tech purchasing decisions for the better, only 20 per cent of finance heads plan to enhance collaboration with the CISO to drive cybersecurity improvement. Working alongside transformation officers is one example – with CFOs assessing financial loss protection against the upside of seizing competitive advantage.
Companies cannot afford to miss the opportunity for finance leaders to work with CISOs and the rest of the C-suite on cybersecurity. Finance and technology leaders can collaborate to assess new technologies to provide a balanced consideration of the benefits and risks.
If in doubt, bring in a third party
Being the financial leader of the C-suite holds a lot of responsibility. Yet, when it comes to cybersecurity concerns, CFOs don’t have to face them alone.
Help can come in the form of third-party auditors, who can validate security practices and give an unbiased view of the organization’s current cybersecurity posture – pointing to any gaps in cyber defenses. Additionally, third-party vendors can authenticate financial and security controls, helping to set rigorous, company-wide standards that protect data.
As the cybersecurity landscape continues to evolve, so too will the role of the CFO and their involvement in digital protection. By being part of these conversations from the get-go, financial leaders can offer a unique perspective – one that only they are able to bring to cybersecurity decision-making.

