AI & Cyber Risk: The Double-Edged Sword in the CFO’s Toolkit

Artificial intelligence isn’t just knocking on the CFO’s door — it’s forcing its way into every corner of financial decision-making.

Tech giants are spending billions to embed AI into every operational crevice. Microsoft has poured over $13 billion into OpenAI. Alphabet allocates roughly $30 billion a year to AI and cloud R&D. Amazon, Meta, and NVIDIA are racing to train larger models and lock in infrastructure dominance.

Locally, Telstra, CBA, and BHP are rolling out AI to streamline operations and sharpen capital allocation. The pressure is now squarely on CFOs — not just to account for the upside, but to govern the risk.

Because while AI promises speed, insight, and cost control, it also expands the attack surface. Cyber threats are no longer static — they’re learning, adapting, and targeting financial systems in real time.

Boards want both innovation and resilience. Investors expect transformation, but without compromise. So how does a CFO navigate progress when the very tools driving transformation also introduce new risks?

The Hidden Trap of AI Efficiency

AI can accelerate forecasting and strip out manual processes. But it’s only as good as the data it ingests — and the judgment it replaces.

Take an AI-driven inventory tool. A business clears obsolete stock at fire-sale prices. The system sees “fast-moving items” and reorders a warehouse full of the very items management tried to offload. Automation, without oversight, becomes costly confusion.

Worse, AI’s opacity — from biased inputs to black-box logic — raises questions of accountability. When algorithms go rogue, who’s on the hook? Increasingly, it’s the CFO.

Good AI Starts with Governance

In most enterprises, AI adoption begins informally: curious employees explore tools, build proof-of-concepts, and start automating edge processes. But without clear strategy and governance, this bottom-up momentum becomes a patchwork of risk.

That’s where the CFO must step in.

The CFO isn’t just the capital allocator — they’re the policy-setter and enabler. Their job is to codify what’s allowed, what’s not, and where the red lines are. If your AI strategy doesn’t start with governance, it will end in confusion.

People need certainty:

  • What tools are approved?
  • How should models be validated?
  • What level of human oversight is required?
  • Where does the liability land if something goes wrong?

CFOs must bring AI rollout under strategic control — not to slow it down, but to scale it safely.

Four Types of People — and One Leadership Task

Inside every organisation today, there are four types of people:

  1. The early adopters — already using AI, often without thinking through the risk.
  2. The curious-but-cautious — want to use it, but don’t know what’s safe or permitted.
  3. The avoiders — steering clear of AI altogether, some at risk of redundancy.
  4. The mindful builders — aware of risks, but capable of solving for them.

The CFO’s job is to enable groups 1, 2, and 4 — safely — and bring group 3 on the journey. If you don’t, you’ll get friction, inconsistent adoption, and exposure. Worse, early adopters will push boundaries in ways that outstrip controls.

This isn’t just a finance issue. It’s an organisational imperative. And it needs to be solved at the top of the funnel — with clarity and accountability — not cleaned up afterwards.

When Cyber Risk Becomes a CFO Crisis

Every AI deployment increases complexity. And complexity breeds risk.

In Australia, cyber breaches are now board-level events. They leave a CFO-sized imprint — on reputation, on capital, and on compliance.

  • Latitude Financial’s breach in 2023 compromised over 14 million records. The fallout was financial and reputational — and CFOs were left managing both.
  • Medibank’s ransomware attack prompted not just customer fury, but an ASIC investigation into cyber governance.
  • Optus, Crown Resorts, and HWL Ebsworth offer recent case studies in how quickly a cyber event becomes a capital event: disclosure obligations, insurance complications, regulatory scrutiny, and blowback on internal controls.

Cybersecurity is no longer an operational risk. It’s a continuity and capital protection issue. And too many CFOs are still underinvesting — not realising that cybersecurity is now EBITDA.

Practical Guardrails

Every AI advantage must come with a mitigation plan. Below are the foundations of safe implementation — principles the smartest CFOs are embedding into their finance transformation strategies:

  • AI Governance Frameworks

Set clear internal rules. Define what tools are allowed, how outputs are verified, and who signs off on material decisions.

  • Human-in-the-Loop Controls

Automate with intent — but insist on human checks for threshold-based actions (e.g. inventory, pricing, or funding decisions).

  • AI Incident Response Protocols

Have a playbook in place. If a model misguides investor reporting or under-reports tax liabilities, you need a rapid fix path — and clear responsibility.

  • Third-Party Risk Reviews

Every AI vendor is a potential exposure. Demand transparency on data handling, model training, and update frequency.

  • Model Drift Monitoring

AI models can deteriorate over time. Set automatic retraining or review triggers if outputs diverge from expected outcomes.

  • Upskill the Finance Team

Teach your people not just how to use AI — but when not to trust it. Judgment is still the ultimate internal control.
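The human-in-the-loop and model-drift guardrails above can be made concrete in code. The block below is an added illustration, not code from the article or from any vendor's product: it gates an AI inventory tool's reorder recommendations behind a dollar threshold and a clearance-stock list (the obsolete-stock scenario from earlier in the piece), and flags model drift when recent forecast error moves well beyond its baseline. All SKUs, quantities, thresholds and error figures are constructed for the example.

```python
"""Added example (not from the article): a human-in-the-loop gate for
threshold-based reorder actions plus a simple model-drift monitor.
Every SKU, quantity, cost and tolerance here is a constructed value."""
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Recommendation:
    sku: str
    quantity: int
    unit_cost: float
    reason: str  # what the model reports drove the reorder


@dataclass
class GatePolicy:
    max_auto_value: float  # largest order value an automated reorder may commit
    clearance_skus: set = field(default_factory=set)  # stock being deliberately run down


def gate_recommendation(rec: Recommendation, policy: GatePolicy):
    """Return ("auto", reason) or ("hold", reason).

    Orders above the value threshold, or touching clearance stock, are held
    for a named human to sign off instead of being executed automatically.
    """
    value = rec.quantity * rec.unit_cost
    if rec.sku in policy.clearance_skus:
        return "hold", f"{rec.sku} is on the clearance list (model reason: {rec.reason})"
    if value > policy.max_auto_value:
        return "hold", f"order value {value:,.2f} exceeds auto limit {policy.max_auto_value:,.2f}"
    return "auto", "within policy"


def mape(actuals, forecasts):
    """Mean absolute percentage error of forecasts against actuals (zero actuals skipped)."""
    errors = [abs(a - f) / a for a, f in zip(actuals, forecasts) if a != 0]
    return mean(errors) if errors else 0.0


def check_drift(baseline_mape, recent_actuals, recent_forecasts, tolerance=0.5):
    """Flag drift when recent error exceeds the baseline by more than `tolerance` (relative).

    A drift flag is the trigger for a model review or retraining; it does not
    retrain anything by itself.
    """
    recent = mape(recent_actuals, recent_forecasts)
    drifted = recent > baseline_mape * (1 + tolerance)
    return {"recent_mape": round(recent, 3), "baseline_mape": baseline_mape, "drift": drifted}


def run_demo():
    """Run the gate and the drift check over constructed data; returns the outcomes."""
    policy = GatePolicy(max_auto_value=5_000.0, clearance_skus={"WIDGET-OLD"})
    recs = [
        # Obsolete stock cleared at fire-sale prices looks "fast-moving" to the model.
        Recommendation("WIDGET-OLD", 2_000, 10.0, "fast-moving, 500 units sold last week"),
        # Routine consumable, well under the automation threshold.
        Recommendation("BOLT-M8", 100, 2.0, "steady demand"),
        # Legitimate line, but the order value is too large to auto-approve.
        Recommendation("PUMP-X1", 40, 300.0, "seasonal uplift"),
    ]
    decisions = {r.sku: gate_recommendation(r, policy)[0] for r in recs}

    baseline = 0.10  # forecast error measured at model acceptance
    stable = check_drift(baseline, [100, 120, 80, 90], [105, 115, 85, 95])
    drifting = check_drift(baseline, [100, 120, 80, 90], [130, 160, 110, 120])
    return {"decisions": decisions, "stable": stable, "drifting": drifting}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The gate is deliberately dumb: it does not try to second-guess the model, it only decides whether a person must look before money is committed. The drift check works the same way, comparing error against the figure recorded when the model was accepted, so the review trigger is a documented number rather than a feeling that "the forecasts seem off".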

The New CFO Mandate

Being bold on AI doesn’t mean being reckless. And being secure doesn’t mean being slow.

The modern CFO is both a performance accelerator and a governance anchor. The boardroom is looking for clarity, not magic. AI isn’t just a finance tool — it’s a systemic risk. And unless the CFO owns the rules of the game, the risks will outrun the rewards.

About the Author: Jon Brett

Jon Brett is a Non-Executive Director of Corporate Travel (CTM) and Chair of the Audit and Risk Committee. He also serves as a Non-Executive Director of Raiz Invest (RZI).

Jon is also the author of the very successful podcast series The Taking of Vocus, chronicling the extraordinary rise of Vocus, what went wrong with the M2 merger, and the eventual privatisation of Vocus. The podcast is accessible via his LinkedIn profile.

Jon’s book, The Taking of Vocus, is available on Kindle.