Why cyber resilience is now a CFO priority
The fallout from recent breaches throughout the Asia Pacific region, including major attacks on financial institutions and consumer brands, demonstrates how a single compromise can lead to disclosure obligations, operational interruptions, customer remediation and ongoing scrutiny from regulators and insurers. Cyber resilience is now closely tied to financial resilience, and CFOs are increasingly playing a central role in incident response.
Cyber risk has become a capital risk
For Hong Kong's leading companies, cyberattacks are becoming a recurring challenge to financial stability. In recent years, the financial repercussions have become more tangible, especially since share prices tend to decline after major breaches. Legal costs and forensic investigations have added unexpected expenses. Regulators in Hong Kong have raised their standards, resulting in lengthy inquiries and mandatory reporting.
The latest Hong Kong Cyber Security Outlook 2025, released by the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), highlights a surge in ransomware, credential theft and targeted attacks against sectors such as finance, logistics and retail. It reinforces that malicious cyber activity remains one of the ongoing risks facing businesses in Hong Kong.
Consequently, the CFO's role in cyber governance is broadening. Finance leaders are now tasked with evaluating cybersecurity not just as operational safety but as a fundamental part of protecting capital. The questions boards are asking them are shifting from "How much are we spending on cybersecurity?" to "How secure is our revenue stream if critical systems are disrupted tomorrow by a cyberattack?"
CFOs have traditionally served as guardians of internal controls, financial integrity, and regulatory compliance. As cyberattacks increasingly target financial data, payment processes, and customer identity information, the CFO's role has become vital in managing digital risk. Cyber resilience is now a core part of business continuity, with the CFO working alongside the CIO and CISO to shape that strategy.
Why traditional defences no longer suffice
Many finance executives still assume cybersecurity falls entirely within the CISO's remit. In practice, this isolated approach is becoming increasingly unsustainable. Most successful breaches still start with compromised credentials, which makes identity the first line of defence.
Modern phishing-resistant MFA solutions, including passkeys and hardware security keys, remove the inherent weaknesses of passwords. By using cryptographic authentication that cannot be intercepted or replayed, they provide enhanced protection against AI-driven phishing and increasingly sophisticated social engineering.
For CFOs responsible for risk, audit, and compliance, this shift signifies a substantial strengthening of internal controls. Unlike passwords, hardware-backed authentication can be measured, audited, and directly linked to reductions in cyber insurance risk and operational interruptions.
Regulatory and insurance pressures are rising
Hong Kong regulators, including the Hong Kong Monetary Authority (HKMA) and the Office of the Privacy Commissioner for Personal Data (PCPD), have heightened their focus on cyber accountability. Financial institutions are now facing stricter guidelines on operational resilience, incident reporting, and the management of customer data. Market operators in other sectors are also being strongly encouraged to implement robust identity and access management controls.
Consequently, cyber insurance claims are on the rise, with AON reporting a 22 per cent increase in the Asia Pacific region for 2024. Some organisations find it challenging to secure insurance coverage because insurers require evidence that they have implemented modern authentication, segregation of duties and enhanced access management.
This means that cybersecurity posture now directly affects organisations, to a degree that depends on their risk appetite for cyber incidents, which can lead to customer data theft. A CFO who cannot show that the organisation has implemented strong identity controls risks facing stricter insurance conditions, higher premiums, or limited access to coverage.
From expenditure to investment
Across Hong Kong and the wider Asian market, there is increasing recognition that cybersecurity should be viewed as a strategic investment that safeguards enterprise value. Just as CFOs model returns for digital transformation or sustainability initiatives, cyber resilience requires the same level of discipline.
Cyber resilience investments, including strong authentication, zero-trust architecture, and rapid restoration capabilities, directly reduce the cost of a breach. The Asia-Pacific region recorded the highest number of cyberattacks in 2024, with a 13 per cent increase year-on-year and accounting for 34 per cent of global incidents, according to IBM's X-Force 2025 Threat Intelligence Index.
Cyber resilience has become a CFO's responsibility because it sits at the intersection of capital, compliance, and stakeholder confidence. As cyber threats escalate and regulatory expectations grow, CFOs who view cybersecurity as a key component of financial management will be better positioned to safeguard valuation stability and long-term performance.
For CFOs, the return on investment is evident. Prioritising phishing-resistant MFA and enhanced cyber resilience measures safeguards revenue, improves compliance results, and minimises long-term risks. In today's climate, protecting digital identity has become essential to maintaining enterprise value.