Cybersecurity is no longer just an IT concern, but a challenge that the whole organisation must tackle together. To address emerging cybersecurity risks, teams need to work across the organisation to develop better risk mitigation and measurement methods, adopting a proactive approach to stay protected.
On the Reshaping Finance podcast episode, ‘The New Frontier of Cybersecurity’, Keven Knight, CEO of Talion; Fabio Colombo, global FS cybersecurity leader at Accenture; and James Dempsey, managing director of the IAPP Cybersecurity Law Center and senior policy advisor at the Stanford Program on Geopolitics, Technology and Governance, brought valuable insights into why cyber risk requires everyone’s attention and how finance leaders can support a new, organisation-wide approach to cyber risk.
Cybersecurity is a team sport, not just an IT issue
‘I look at cybersecurity as a team sport for any organisation. It’s something that doesn’t concern just one entity or one line of operation’, James Dempsey said. Cybersecurity no longer lives solely in the IT silo, and a cyber-attack can have substantial financial consequences for an organisation. For example, UnitedHealthcare, an American health insurance provider, suffered a major cyberattack in 2024 that cost the company about $2.3 billion.
Panellists agreed: effective defence and breach response require collaboration across finance, legal, HR, communications, and IT. When a major incident strikes, the board’s decision — whether or not to pay the ransom — relies on unified, real-time input from every function.
‘All of these functions need to be regularly communicating and to understand each other’s ways of thinking and to understand each other’s weighting of risk … [everyone] needs to be involved pre-event in shaping the cybersecurity policy and posture of a company’, Dempsey said.
Third-party risk is expanding the cyberattack surface
As organisations blur boundaries through cloud adoption and partnerships, third-party risk is taking centre stage.
‘Third-party vendors are now seen as one of the biggest threats a company faces. Our security perimeter is blurred, and we don’t have full control over their vulnerabilities, which creates a massive risk for the entire organisation’, noted Colombo, citing research from the World Economic Forum’s Global Cybersecurity Outlook 2026, developed in collaboration with Accenture.
‘CEOs and CISOs are worried about the existing standard perimeter because they don’t have full accountability’, Colombo said.
Annual third-party security assessments are no longer enough. ‘Clients are asking for more real-time monitoring solutions compared to … a more static risk-based assessment or checklist-based assessment’, he explained. As the pace of threats speeds up, continuous, real-time visibility into partner vulnerabilities is essential.
According to Knight, it’s vital to look beyond just cost when it comes to investing in solutions: ‘Value is not just about cost anymore. It’s about the security value and the protection a solution brings.’ An off-the-shelf product might be cheap, but if it doesn’t fit your unique business, you’re still at risk.
AI: A double-edged sword
Artificial intelligence is affecting the threat landscape, and often faster than defences can keep up. AI now amplifies the scale and speed of cyberattacks.
‘When I ask people, as of today who is benefiting more from AI, the attackers or the defenders, a lot of people tell me that it is the attackers who currently have the advantage’, Dempsey said. AI supercharges social engineering, automates attacks, and enables ‘shadow AI’ in which employees secretly use unauthorized AI tools to leak data.
Colombo echoed the urgency: ‘AI … could be a problem by itself. The so-called “shadow AI” is a problem. It’s the AI that is not being managed by a so-called security-by-design approach.’
Agentic AI and quantum computing also loom as systemic risks to organisations. ‘With agentic, you need to have very solid guardrails in place to avoid that an agent can do on their own any monetary transaction without good accountability’, warned Colombo. ‘The agent should be managed as if they were an employee.’
As AI accelerates both productivity and risk, the human element remains a fragile point of failure. As Knight noted, ‘The biggest risk in any organisation is going to be its people, whether it’s maliciously, whether it’s accidental. We all know that’s where most threat actors will target.’ His point underscores a growing reality: identity, access management, and data flow now matter more than physical location or traditional perimeter security.
Knight stressed that the solution isn’t to lock systems down so tightly that productivity is affected. Resilience instead comes from governance, visibility, and smart guardrails. Understand who can access what, ensure the right controls are in place, and have verification steps to counter deepfakes.
Quantum computing: The next existential threat
The panellists cautioned that quantum computing could break today’s encryption algorithms within the decade.
Quantum computers could eventually be powerful enough to break the encryption that protects sensitive data today. Banks, insurers, and other large organisations must upgrade their security sooner rather than later. Hackers could already be stealing encrypted data and planning to unlock it later once quantum computers are strong enough to crack it.
Colombo said that 2030 ‘should be the year when the banks and the insurance companies should be quantum safe.’ Dempsey added, ‘Everything the bad guys stole that was encrypted … what if three years or four years from now that data can be stripped of its encryption?’
The risk is systemic: ‘The banks or the financial institutions that are not ready will be cut off from the game. So, it’s a systemic risk, and the risk is the survivability of the bank’, Colombo said.
Building cyber resilience now must be top of mind. Traditional business continuity plans are no match for modern ransomware. ‘The classic business-continuity disaster recovery approach that you have in place for flooding or earthquakes is not enough. Because if your data became encrypted or cancelled, how can you restart your company?’ Colombo asked.
The answer: organisations need air-gapped ‘golden copies’ of data — the so-called ‘minimum viable company’ — and a plan to restore core operations after catastrophic events.
Metrics that matter and three action items for finance leaders
Boards are demanding clarity, not more technical jargon, when it comes to strengthening cybersecurity measures. The direct impact of security measures, or the lack thereof, must be communicated clearly so that strategic, well-informed decisions can be made.
‘Boards want simple metrics. We need to shift from “we’re 95% covered” to explaining the direct business impact of a specific threat in terms they understand’, Colombo said. Scenario-based, operational, and financial risk metrics help boards unpack exposure and justify investments. As Knight urged, ‘Align any cyber investment to business impact.’
The panel shared three pieces of advice for finance leaders to strengthen defences and resilience:
Inventory everything: Keep an updated picture of every device, account, software tool, and AI system operating in your environment so nothing slips under the radar. ‘Companies need continuous monitoring of their networks and continuous inventory of devices, accounts, and software’, Dempsey said. This includes agentic AI agents, not just people or hardware.
Identity and access management: Tightly control who can access what, how they authenticate, what permissions they hold, and how those permissions are removed when no longer needed. Controlling and managing identity, authentication, and permissioning — and decommissioning those identities — should be high on your list of priorities.
Test your crisis response: Regularly test your incident-response plan through realistic, cross-functional simulations to build the muscle memory needed to act quickly and cohesively during a real security breach. ‘Before the incident occurs, test it. Because if you are breached, I promise you that Day One is nothing like what’s in your head’, advised Knight. Colombo added, ‘[Do] some crisis simulation involving more than one function … you should exercise this muscular memory to avoid working in silos.’
Cybersecurity is now a defining challenge for finance and for every function and leader. As threats increase and boundaries blur, only an organisation-wide, strategic, and forward-looking approach will build true resilience.
For more insights and to hear the full panel discussion, listen to the ‘The New Frontier of Cybersecurity’ episode on the Reshaping Finance podcast.