
Cyber Threats are Escalating: It’s Time For CFOs to Step Up

Profile: Kevin O’Sullivan, CFO | CyberCX

To the accounts team, it looked like just another invoice. The amount was correct. The supplier’s name checked out. It was business as usual, save for one small detail. The bank account number had been changed.

By the time this little switcheroo was detected, $1.5 million was gone. No malware. No ransomware. Just a quiet, well-crafted bit of fraud – and a simple validation step that never happened.

“Where were the controls? Where was the callback to validate that change of bank details?” asks Kevin O’Sullivan, CFO at CyberCX, which was later called in to advise the company. “Either the team was too rushed, under too much pressure, or they hadn’t had a recent refresher on implementing controls.”
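The control O’Sullivan describes is simple to state but has to be enforced at the moment the payment is released, not remembered under deadline pressure. The following is an added example, not code from the article or from CyberCX, of a payment-run check that compares the bank account on each invoice against the vendor master record and releases a changed account only if a properly conducted call-back is on file: the number dialled came from the master record rather than the email that requested the change, a second person made the call, and the confirmation is recent. All vendor IDs, account numbers, user names and dates below are constructed for illustration.

```python
"""Payment-run control for supplier bank-detail changes.

Added example, not code from the article or from CyberCX. It models the
missing control the article describes: before a payment goes out, compare
the bank account on the invoice with the vendor master record, and release
the payment only if an out-of-band call-back verified the change. All vendor
IDs, account numbers, user names and call-back records here are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    bank_account: str          # account held on the vendor master record


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor_id: str
    amount: float              # informational only; not used in the decision
    bank_account: str          # account printed on the invoice or emailed with it


@dataclass(frozen=True)
class Callback:
    """An out-of-band confirmation of a bank-detail change."""
    vendor_id: str
    new_account: str
    verified_on: date
    phone_from_master: bool    # number dialled came from the master record, not the request
    requested_by: str          # who keyed the change
    verified_by: str           # who made the call; must be a different person


def callback_problem(invoice, callbacks, as_of, max_age_days=30):
    """Return None if an acceptable call-back covers this account change,
    otherwise a string explaining why every recorded call-back was rejected."""
    candidates = [c for c in callbacks
                  if c.vendor_id == invoice.vendor_id and c.new_account == invoice.bank_account]
    if not candidates:
        return "bank account differs from master and no call-back recorded"
    reasons = []
    for c in candidates:
        if not c.phone_from_master:
            reasons.append("call-back used a number supplied by the requester")
        elif c.requested_by == c.verified_by:
            reasons.append("call-back made by the same person who keyed the change")
        elif as_of - c.verified_on > timedelta(days=max_age_days):
            reasons.append(f"call-back older than {max_age_days} days")
        else:
            return None                 # a clean, independent, recent call-back exists
    return "; ".join(reasons)


def check_payment(invoice, vendor_master, callbacks, as_of):
    """Decide PAY or HOLD for one invoice. Unknown vendors are always held."""
    vendor = vendor_master.get(invoice.vendor_id)
    if vendor is None:
        return "HOLD: vendor not on master record"
    if invoice.bank_account == vendor.bank_account:
        return "PAY"
    problem = callback_problem(invoice, callbacks, as_of)
    return "PAY" if problem is None else f"HOLD: {problem}"


def run_payment_batch(invoices, vendor_master, callbacks, as_of):
    """Map each invoice ID to its PAY/HOLD decision."""
    return {inv.invoice_id: check_payment(inv, vendor_master, callbacks, as_of)
            for inv in invoices}


# --- constructed sample data (hypothetical vendors, accounts and staff) ---
VENDOR_MASTER = {
    "V001": Vendor("V001", "12-3456-7890123-00"),
    "V002": Vendor("V002", "06-0001-0009999-00"),
}

CALLBACKS = [
    # Proper call-back: number from master, second person verified, recent.
    Callback("V002", "06-0001-0001234-00", date(2025, 6, 3), True, "ap.clerk", "ap.supervisor"),
    # Bad call-back: the clerk rang the number given in the change-request email.
    Callback("V001", "98-7654-3210000-00", date(2025, 6, 4), False, "ap.clerk", "ap.clerk"),
]

INVOICES = [
    Invoice("INV-1001", "V001", 1_500_000.00, "98-7654-3210000-00"),  # swapped account
    Invoice("INV-1002", "V002", 42_000.00, "06-0001-0001234-00"),     # verified change
    Invoice("INV-1003", "V002", 1_200.00, "06-0001-0009999-00"),      # unchanged account
    Invoice("INV-1004", "V999", 500.00, "11-1111-1111111-00"),        # unknown vendor
]


def demo_decisions():
    """Run the constructed batch as of a fixed date so results are reproducible."""
    return run_payment_batch(INVOICES, VENDOR_MASTER, CALLBACKS, date(2025, 6, 10))


if __name__ == "__main__":
    for inv_id, decision in demo_decisions().items():
        print(inv_id, decision)
```

The point of the structure is that the $1.5 million invoice cannot reach PAY by a clerk being busy: a mismatch against the master record is held by default, and the only way out of HOLD is a call-back record that itself passes checks (master-record phone number, segregation of duties, recency). Backing the team to say no, as the article puts it later, is easier when the system already says no.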

As CFO of one of the largest cybersecurity firms in the Indo-Pacific, O’Sullivan sits at the intersection of finance, operations, and front-line threat response. It’s from this vantage point that he’s urging his peers to step up and claim their role in defending companies against the crimes he sees taking place day in, day out.

Cybersecurity starts with business context – and CFOs have it in spades

O’Sullivan has built his finance career from deep in the operational trenches. His experience as CFO, COO, and CEO has shaped a firm belief: finance leaders can’t just look at the numbers – they also have to understand what’s influencing them.

“You cannot be effective as a CFO unless you’re in the business all day, every day,” he says. “Because what goes on out there is what actually drives the P&L, the balance sheet, your cash management.”

He puts it in terms of a contact sport: “If you’re not in play, then you’re not really understanding what the business is doing, and you’re missing opportunities to positively influence outcomes.”

The point he’s building to is that this perspective gives CFOs a powerful – perhaps unrivalled – understanding of the operational context of the business.

“We see the forecasts, the historicals, the business-oriented data – and we can help distil that to drive decisions and outcomes,” he says. “So, we’ve got a lot to contribute.”

And in today’s environment, that contribution must include cyber.

“We’ve got to expand our risk lens. We’re already across financial and operational risk – now we need to bring cyber into that conversation.”

Before the breach: Starting a conversation could save your company millions

O’Sullivan urges CFOs to start with a basic question: What’s the most valuable thing in your business – the loss of which would cause the most harm?

“Every organisation is different,” he says. “For some, it might be a retail POS system. For others, customer data or IP.”

Once you’ve established whatever it is, the next step is to consider what the financial and operational impact would be if that asset were compromised.

This is where CFOs really need to find their voice, because now it’s time to sit down with your Chief Information Officer (CIO) or Chief Information Security Officer (CISO) and say: ‘This revenue stream depends on these systems. What are the risks in those systems?’

“With that understanding in place, CFOs can then allocate resources more effectively to mitigate cyber risks,” O’Sullivan explains.

To guide those conversations, he recommends three simple but powerful questions:

What are our critical systems, and who owns them?

Do we have an effective incident response plan?

How are we training our staff to recognise threats?

That last one is particularly important, since, as O’Sullivan points out, “Cybersecurity awareness training is not expensive and it can save millions. So make sure you ask: What training are we running? How often? Is it effective? Show me the dashboard.”

After the breach: A helping hand and a calming presence

If a cyber incident does occur, you won’t be leading the technical response – but you’re still essential.

“It’s panic stations generally, so CFOs need to do two things,” O’Sullivan says. “One is lean in and provide support. Can you handle some of the communication responsibilities? Can you work on some of the reporting, manage your insurer? The CISO, the CIO, the CTO won’t have time for any of that – they’ll be too busy trying to find and eradicate the breach.”

Your second role is to do what you do best: stay grounded and logical. A voice of calm in the chaos.

“Finance people are resilient,” O’Sullivan says. “Because we’re always under pressure. There’s always a deadline. There’s always a problem to solve. That doesn’t make us superheroes – it’s just how we live our lives. But it does mean we can bring calm, logic, and stability when it’s needed most.”

How the threat landscape is shifting

Unfortunately, cyber threats are getting more serious – and more disruptive. O’Sullivan warns that attackers aren’t just stealing data anymore. Increasingly, they’re trying to take businesses offline entirely.

“Ciaran Martin – our UK Chair and the former head of the UK National Cyber Security Centre – talks about it in terms of ‘thieves and thugs’,” he says. “Thieves steal your data and disappear, while thugs break your arm on the way out.”

He points to recent examples such as Marks & Spencer, which reportedly lost up to £300 million after an attack crippled online sales for weeks. And Jaguar Land Rover, where a cyber incident shut down factories and caused ripple effects across supply chains.

Third-party risk is another serious concern.

“Global tensions and shifting supply chains mean companies are adopting new vendors fast,” O’Sullivan says. “But have they validated their security posture? That’s a big question.”

Last but not least are the risks associated with charging ahead on new tech without securing it first.

“A notable trend we are seeing is that the rapid adoption of AI is outpacing the underlying security measures,” O’Sullivan says. “According to a 2025 report by Accenture, only 28% of organisations have any security embedded as part of their AI transformation, which means everybody else is potentially exposing additional vulnerabilities. And we certainly are seeing an increase in breaches related to AI.”

A well-supported team is a cybersecure team

One ongoing threat that O’Sullivan is particularly concerned about is business email compromise. According to a 2025 report by CyberCX, it still accounts for 28% of all cyber incidents.

And the financial losses can be enormous. Take that $1.5 million invoice payment that went AWOL, for instance. As O’Sullivan points out, this wasn’t a tech failure – it was a people and process failure.

“As a finance person, lots of times that’s within your team, because your accounts payable team is your team, or your accounts receivable is your team,” he says. “So, a risk factor that we probably don’t focus on enough is a jaded, stressed-out employee who’s just not following process.”

In other words, technical controls are essential, but so are well-supported, empowered finance teams.

As such, CFOs must set the tone from the top. That means asking: ‘Am I standing up for my team when they insist on controls that frustrate others?’ And, ‘If someone wants to skip a validation step, are we backing our people to say no?’

All of which is to say that when it comes to cybercrime, finance leaders can no longer afford to pass the buck.

“CFOs have a unique view of the business,” O’Sullivan says. “We know where the money flows. We see the systems, the processes, and the pressure points. And that’s exactly where threat actors strike.”

His call to action is straightforward: “The reality is that many threat actors are really very good at what they do. And that means we need to be better, too. CFOs have a role to play — so let’s play that role, and protect the company.”

3 things every CFO should do to understand their security posture

1. Lead the conversation.

“You know the business, so lead the discussion with your CIO or CISO. Sit down with them and say: This revenue stream depends on these systems – what are the risks in those systems?”

2. Explore new threat vectors.

“Ask about third-party and geopolitical risks. Supply chains are shifting fast, and every new vendor brings potential exposure – have you validated their security?”

3. Champion staff training.

“Your people are your first – and sometimes last – line of defence. Cybersecurity training isn’t expensive, but it can save millions. Let’s lift the support we give our teams.”
