Jun 8, 2023
The cyber threat landscape has reached a new and dangerous stage in its evolution, bolstered by new technology.
Generative artificial intelligence (AI) models are making it easier for hackers to write malicious code to target vulnerabilities, according to Bloomberg. Next-generation AI also helps hackers generate sophisticated deepfakes to falsify credentials and deceive customers and vendors to gain access to an unprecedented amount of data.
The latest EY Global Information Security Survey (GISS) shows that 30% of senior cybersecurity leaders report that hackers are using new strategies that could potentially outsmart their defenses. But despite these risks, 35% of board directors polled in a recent EY analysis say they lack an understanding of the AI-related risks their companies face.
A lot of factors contribute to the cost of a cyber incident: how long it takes to identify a breach, where in the network the attack took place, and the type of data targeted. When customer data is compromised, for example, lawsuits can create additional financial risks. Other costs, like the reputational damage a firm may suffer after experiencing a breach, are hard to quantify but are no less substantial. Corporate espionage, which costs US companies between $225 billion and $600 billion annually, according to the Federal Bureau of Investigation, is also on the rise, says Robyn Bew, US-West Region leader for the EY Center for Board Matters.
“Cyber espionage is a kind of a silent-but-deadly attack, where bad guys just come in and quietly steal intellectual property,” she says.
The cyber attack surface can include every vendor in a company’s supply chain, making organizations more vulnerable than ever in an age of digitalization. According to EY research, only 31% of senior cybersecurity leaders are confident of their ability to keep their supply chains secure.
With the SEC expected to finalize new rules for cybersecurity disclosures — including mandating more company transparency in cyber incident reporting, requiring disclosure about director expertise and establishing cybersecurity risk oversight practices — cyber-risk oversight continues to be a top priority on boardroom agendas, and specifically for audit committees, which oversee cybersecurity matters on 70% of Fortune 100 boards, according to EY research.
The first step an audit committee can take to assess management’s performance in mitigating the company’s cyber risk is to ask for a baseline report that identifies the “crown jewels,” i.e., the highest-risk digital assets.
“The audit committee isn’t management; they’re not there day to day. To get an understanding of how effectively the management team is addressing cybersecurity risks, they can request a third-party assessment of the cyber-risk management program from their external audit firm or another independent advisor,” says Bew.
Next, boards need to make sure the company develops a robust plan for how it will respond in the event of a cyber incident. That plan needs to define the roles and responsibilities of senior management and the IT and legal teams, and the criteria for when and how information will be escalated to the audit committee or board. The playbook then needs to be regularly stress-tested via cyber attack simulations.
Should an event take place, company leaders should understand how to quickly gather the required information for law enforcement and to comply with the upcoming SEC rules. Leaders should also be able to communicate quickly about the incident and the company’s response to customers, as well as the impact on employees and business processes.
According to Jaime Kipnes, EY Americas Cybersecurity Integration Leader, although 86% of directors polled said their board had not performed a simulation in the last 12 months, it’s advisable that they do so.
“The more your organization has performed incident response simulations, the more effective and resilient it will be when you’re in the heat of battle,” she says.
The views reflected in this article are the views of the author(s) and do not necessarily reflect the views of Ernst & Young LLP or other members of the global EY organization.