SYSTEM SECURE

Most CEOs ask the CFO every quarter how much cyber costs. Almost none ask the CFO what the company would do if the cost stopped being optional. The question every CEO should be asking the CFO in 2026 is not what the cyber budget is. It is whether the company has modeled, in dollars and in days, the financial trajectory of a ransomware event that takes the manufacturing line, the customer platform, or the patient care system offline for two weeks. If the CFO cannot answer that question on the back of a single sheet of paper, the company is not financially prepared for the most likely material risk it faces this year, and the security budget conversation is the wrong conversation to be having.

Sophos’s 2025 State of Ransomware report finds that the median total recovery cost from a ransomware event in mid-market organizations is now 2.94 million dollars, irrespective of whether a ransom was paid. IBM’s 2025 Cost of a Data Breach report puts the average cost of a breach involving operational disruption at 5.31 million dollars, and the average time to identify and contain at 277 days. Mandiant’s M-Trends 2025 found that 64 percent of organizations they supported through a major incident reported being financially unprepared for the second-order costs — revenue loss, customer attrition, regulatory penalties, and legal exposure — even when they had cyber insurance. The World Economic Forum’s 2025 Global Cybersecurity Outlook describes the gap between cybersecurity spend and cyber resilience as the defining governance challenge of the decade.

Why This Is the Question That Actually Matters

The CFO does not need to be a security expert. The CFO needs to be the executive who, alongside the CEO, owns the financial truth of what a cyber event would cost the company in the worst plausible scenario, and what the company would do about it. That ownership is rarely established before an event. It is almost always established during one, under conditions that no CFO would have endorsed in calm circumstances. The result is decisions made about ransom payments, operational shutdowns, customer notifications and regulatory disclosures in the absence of any pre-event financial framework, with consequences that compound for years.

The question reframes the entire cyber conversation at the executive table. It moves cyber from a cost center the CFO challenges to a risk category the CFO co-owns with the CEO. It shifts the security organization’s relationship with finance from annual budget defense to ongoing scenario modeling. And it gives the board a far more useful set of metrics than the control framework scores they typically receive. The CFO who can answer this question on a single page is the CFO who has had the right conversations with the CISO, the COO and the general counsel long before any incident.

“The CFOs who survived their cyber events well were not the ones with the biggest insurance policies. They were the ones who had already run the math on the worst week of their career.”

Senior boardroom cyber practitioner, iSECTECH engagement notes

How a Boardroom Cyber Conversation Should Sound

A useful boardroom cyber conversation does not start with controls. It starts with scenarios. What is the financial trajectory of a fourteen-day outage of the primary revenue system? What is the financial trajectory of a public disclosure that the personal data of three million customers has been published on a leak site? What is the financial trajectory of a regulator finding that the company's controls were materially below the standard expected of a firm of its size? Each of those scenarios has a number attached, and that number is the right starting point for every other cyber conversation the board will have that year.

The Quarterly Boardroom Conversation That Defined This Letter

The conversation we coach our clients to run quarterly is simple in structure. The CISO presents three scenarios in plain English. The CFO presents the financial trajectory of each, expressed as revenue impact, recovery cost, and customer retention impact over twelve months. The general counsel presents the regulatory and legal exposure of each. The CEO opens the discussion with the board on which of those trajectories the company is willing to accept and which it is not. That conversation, run honestly, will tell the board more about the company’s cyber resilience than any number of compliance reports.

Three Habits the Best CEO-CFO Pairs Build

The first habit is monthly financial scenario refresh. The CFO and CISO meet for thirty minutes a month to refresh the numbers behind two or three plausible cyber scenarios. The numbers go stale fast, and the worst time to discover they are stale is in the first hour of an incident. The second habit is quarterly executive tabletop. The full executive team — not just the security and IT leadership — walks through a cyber scenario in a structured format, with the CFO presenting the running financial impact in real time. The third habit is annual board-level scenario review. The board receives a formal presentation, owned jointly by the CEO and CFO, of the financial impact and recovery posture for the company’s top three cyber scenarios, and votes on whether the residual risk is acceptable.

“The single best indicator of cyber maturity I have seen in a portfolio company is whether the CEO and CFO can describe, in plain English and in dollars, what a bad week of cyber would look like.”

Wendy Nather, board advisor and former Texas state CISO, public industry remarks

Where This Conversation Belongs on the Calendar

This conversation does not belong in the audit committee. It does not belong only in the risk committee. It belongs in the operating cadence between the CEO and the CFO, with the CISO present, at least once a quarter. It is not a compliance conversation, an insurance renewal conversation, or a budget conversation. It is a strategic conversation about what kind of organization the company wants to be on the worst week of its operating year, and the financial trajectory that decision implies. Treating it as anything less is the most common governance failure we see.

How This Connects to the Rest of Your Security Program

If you want to see how this conversation operationally maps to the rest of the security program, our work on ransomware negotiation and the three conversations that decide the outcome covers the executive-level decision sequence that this CFO conversation makes possible. Our piece on the cyber talent question every CEO should be asking the CHRO covers the parallel conversation with human resources. And our analysis of third-party risk and vendor breach vectors covers the supply chain dimension of the financial exposure modeling.

What to Read Before Monday Morning

If you read one document this week alongside this letter, read the World Economic Forum’s Global Cybersecurity Outlook 2025 chapter on financial preparedness. It is the clearest articulation we have found of why the gap between cybersecurity spend and cyber resilience has become a governance issue rather than a technical one. The full report is freely available on the WEF website and runs about ninety pages. The financial preparedness chapter is roughly fifteen pages and is the part the CFO should read.

What to Do This Week

If you do one thing this week, schedule a thirty-minute working session between the CEO, the CFO and the CISO with a single agenda item: what does our worst plausible cyber week cost us, in dollars and in days? Do not allow the conversation to drift to controls, frameworks or insurance. Stay on the question. The conversation will either confirm that the company is financially prepared for its most likely material risk, or reveal that it is not. Either outcome is valuable. Avoiding the conversation is not.

Talk to a Senior Boardroom Cyber Practitioner

If you would like a senior iSECTECH boardroom cyber practitioner to facilitate the first version of this conversation between your CEO, CFO and CISO, we run these sessions confidentially across healthcare, financial services, manufacturing and critical infrastructure. The output is a single page of agreed financial scenarios and the governance cadence to keep them current. Contact us to begin the conversation.

A Final Word on the Insurance Conversation

Cyber insurance is not a substitute for this conversation. Cyber insurance is a financial product that responds to a subset of cyber events, with deductibles, sublimits, exclusions and carrier panel requirements that materially shape what the company can and cannot do during a live incident. The CFOs who have run this conversation well treat their insurance carrier as one input into the financial model, not as the model itself. The CFOs who have run it badly discover their policy’s limitations during the event, which is the worst possible time to read the fine print.

“Across the engagements we reviewed this quarter, only one in six CFOs could produce, on demand, a current single-page financial model of their company’s top three cyber scenarios.”

iSECTECH quarterly boardroom cyber review summary

A Quiet Note to the CEO

If you are a CEO reading this on a Sunday evening, the question above is not one you need to answer tonight. It is one you need to put on your CFO’s calendar for the next week. The answer will not be perfect the first time it is attempted. It will improve every quarter you return to it. The companies whose CFOs can answer it well in two years are the ones whose CEOs decided to ask the question this month.