SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Geoff Schomburgk, VP of ANZ at Yubico

When cyber resilience becomes a CFO’s challenge

Mon, 27th Oct 2025

Cyber incidents have evolved from IT problems into financial events with direct implications for capital, compliance and reputation. Australian CFOs are increasingly finding that cybersecurity failures leave a measurable mark on the balance sheet. As breaches at Qantas, Optus, Medibank, Latitude Financial and several super funds have shown, a single compromise can cascade into disclosure obligations, insurance disputes and sustained regulatory oversight. Cyber resilience is now part of financial resilience and CFOs must treat it as such.

Cyber risk is now a capital risk

For Australia's top companies, cyberattacks have become a recurring stress test for balance sheets. In the past three years, the financial impact of cyber incidents has shifted from theoretical to tangible: share price declines, investor class actions, forensic costs and protracted regulatory inquiries.

The Australian Signals Directorate's (ASD) Annual Cyber Threat Report for 2024-25 highlights the persistent threat of malicious cyber activity to Australian companies, underscoring the urgency for all Australian businesses to raise the nation's cyber defences. The latest report said that the average self-reported cost of cybercrime per report for large businesses had increased by 219 per cent to $202,700. However, this figure captures only the immediate response to a single incident; it does not account for the sustained drag on valuation, brand equity and customer trust that follows a highly publicised breach.

In this environment, the CFO's role in cyber governance has expanded. No longer confined to reporting cyber spend as an IT line item, finance leaders are now expected to assess cybersecurity as a key pillar of operational continuity and capital protection. The new question boards are asking is not "How much are we spending?" but "How secure are our financial assumptions if systems go down tomorrow?"

CFOs have traditionally been the guardians of financial controls, risk frameworks and regulatory compliance. But as cyberattacks increasingly target financial data and customer identities, CFOs are finding themselves on the front line of digital risk. Cyber resilience is no longer a "tech" problem. It is a business continuity and capital protection problem, and the CFO is now its custodian.

Why traditional defences no longer suffice

Many CFOs believe that cybersecurity sits comfortably within IT's remit. But this siloed view is increasingly untenable. The majority of successful breaches still exploit the weakest link in the chain: human authentication.

The 2025 Yubico Global State of Authentication report found that 56 per cent of organisations in Australia still rely on legacy password-based logins. While compromised passwords remain a prime attack vector, only 55 per cent say their company uses multi-factor authentication (MFA) across all apps and services.

Modern phishing-resistant MFA solutions, such as passkeys held on hardware security keys, eliminate the inherent vulnerabilities of passwords. They use cryptographic challenge-response authentication that cannot be intercepted or reused, offering strong protection against increasingly sophisticated phishing and AI-driven social engineering attacks.
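To make the "cannot be intercepted or reused" claim concrete, here is an added toy model (not code from the article or from Yubico) of how a passkey-style login is bound to a one-time challenge and to the site origin the browser reports. It is a simplification: the security key "signs" with an HMAC over a device secret rather than the per-site asymmetric key pair a real passkey uses, and the origin names are hypothetical, but the verification logic that defeats replay and lookalike-site relay is the same.

```python
import hmac
import hashlib
import secrets

# Constructed example values; a real relying party has no copy of the key's secret.
DEVICE_SECRET = secrets.token_bytes(32)   # lives only on the security key
LEGIT_ORIGIN = "https://bank.example"     # hypothetical relying party


def key_sign(device_secret, challenge, origin_seen_by_browser):
    """Security key side: sign the challenge together with the origin the
    browser actually loaded, so the assertion is useless anywhere else."""
    msg = f"{challenge}|{origin_seen_by_browser}".encode()
    sig = hmac.new(device_secret, msg, hashlib.sha256).digest()
    return (challenge, origin_seen_by_browser, sig)


class RelyingParty:
    """Server side: hands out single-use challenges and verifies assertions."""

    def __init__(self, origin, device_secret):
        self.origin = origin
        self.device_secret = device_secret
        self.pending = set()               # challenges issued but not yet used

    def new_challenge(self):
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def verify(self, assertion):
        challenge, origin, sig = assertion
        if challenge not in self.pending:  # already spent, or never issued: replay
            return False
        if origin != self.origin:          # signed on a lookalike site: relay fails
            return False
        msg = f"{challenge}|{origin}".encode()
        expected = hmac.new(self.device_secret, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self.pending.discard(challenge)    # consume it: an assertion works exactly once
        return True


def demo():
    rp = RelyingParty(LEGIT_ORIGIN, DEVICE_SECRET)
    genuine = key_sign(DEVICE_SECRET, rp.new_challenge(), LEGIT_ORIGIN)
    first, replayed = rp.verify(genuine), rp.verify(genuine)
    # Same key, fresh challenge, but the user's browser is on a lookalike domain.
    relayed = key_sign(DEVICE_SECRET, rp.new_challenge(), "https://bank-example.login")
    return first, replayed, rp.verify(relayed)
```

Contrast this with a password, which is a static secret the server accepts from any page and any number of times.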

For CFOs managing risk and compliance portfolios, this shift represents a measurable improvement in controls. Unlike passwords, hardware-backed authentication has a quantifiable impact on cyber insurance eligibility, audit assurance and business continuity metrics.

Regulatory and insurance pressures are intensifying

Australia's regulators are sharpening their focus on cyber accountability. The Australian Securities and Investments Commission (ASIC) has made it clear that boards and executives will be held responsible for cybersecurity failings, and the Office of the Australian Information Commissioner (OAIC) has pursued record fines under the Privacy Act. The recent Privacy Act reforms now impose tougher penalties and mandatory reporting requirements for many Australian businesses.

From a finance perspective, the cost of non-compliance is escalating. Cyber insurance premiums have risen sharply, some by as much as 60 per cent, and underwriters now require demonstrable proof of robust identity and access management controls before renewing policies.

In other words, cybersecurity posture is now influencing financial instruments. A CFO who cannot verify that the organisation's authentication systems meet modern security standards may find both coverage and capital access constrained.

From expenditure to investment

There is a growing recognition that cybersecurity spending should be viewed not as an overhead but as a value-preserving investment. Just as CFOs assess return on investment for operational efficiency or ESG initiatives, the same thinking applies to cyber resilience.

Cyber resilience investments, including strong authentication, zero-trust frameworks and rapid recovery protocols, directly reduce the financial impact of a breach. According to IBM's Cost of a Data Breach Report 2025, organisations that deployed strong MFA experienced breach costs that were on average 45 per cent lower than those without.

Cyber resilience has become a CFO's challenge because it sits at the intersection of capital, compliance and confidence. As cyber threats escalate and regulatory scrutiny deepens, CFOs who approach cybersecurity as an integral part of financial stewardship, not an IT expenditure, will better protect both their balance sheets and their reputations.

For CFOs, this presents a clear ROI narrative: invest in cyber resilience with strong phishing-resistant MFA to protect revenue continuity, maintain valuation stability and reduce long-tail liabilities. The most resilient organisations will be those whose CFOs recognise that protecting digital identity is now fundamental to protecting enterprise value.
