CIMA’s new cyber tool puts finance in the driving seat

CIMA has refreshed its CGMA Cybersecurity Tool and the direction of travel is clear. Finance teams are expected to shape risk assessment, incident response and remediation rather than watch from the sidelines. The tool is framed as a practical aid for board conversations, software investment choices and insurance evaluation. It is hosted on the AICPA and CIMA site and signposts concrete next steps for non-specialists.

Why the timing matters

Cyber risk is now a line item in performance, not a distant technology issue. IBM’s latest Cost of a Data Breach study puts the global average incident at 4.44 million US dollars and warns that hurried AI adoption without guardrails is creating blind spots that lengthen dwell time and inflate losses. Finance leaders authorise many of those AI budgets and will be held to account for the controls that sit around them.

The UK picture underlines the scale of exposure. The government’s 2025 Cyber Security Breaches Survey reports that 43 percent of businesses experienced a breach or attack in the past year, equating to about 612,000 firms. That is before counting the charities and education bodies also hit.

Supply chains are the soft underbelly

Attackers increasingly exploit suppliers and integrators rather than front doors. A recent survey of procurement leaders found a marked rise in supply chain incidents, while the disruption at Jaguar Land Rover showed how a single event can ripple through production, retail and cash flow weeks later. These are not abstract scenarios for a finance function that manages working capital and vendor exposure.

Fit with UK governance expectations

CIMA’s framing lines up with the 2024 UK Corporate Governance Code and its new guidance on risk management and internal control. Boards must maintain effective systems and explain principal risks with clarity. Finance has the cadence to translate cyber exposure into impacts on liquidity and revenue timing, and to test whether controls match the stated risk appetite. The Financial Reporting Council’s guidance and practitioner summaries provide useful context for how to structure that work.

The practical finance agenda

Start with material data.

Map the sensitive information that would move markets or trigger regulatory attention if stolen or locked. Treat that map as the anchor for budget and prioritisation. If a system touches critical data, demand assurance on identity controls, logging and recovery objectives. Use CIMA’s tool to structure tabletop exercises that include finance, legal and operations so roles and decisions are clear before an incident occurs.

Tighten supplier oversight.

Move beyond point-in-time checks during onboarding. Require evidence of patching cadence, privileged access controls and backup restorability from high-risk vendors, and build those expectations into commercial terms. Where the dependency is strategic, ask for targeted scenario tests. The recent policy debate on UK supply chain resilience offers a useful checklist for reporting obligations that may soon become standard.

Use board-friendly questions.

The National Cyber Security Centre’s Board Toolkit is a reliable starting point for non-technical directors. Finance can adapt the questions into a quarterly pack that links control posture to financial exposure. Track mean time to detect, mean time to recover and the proportion of incidents tied to third parties, alongside a rolling forecast of cyber-related spend.

Insurance is not a substitute for control

Cyber insurance still has a role, but underwriters now scrutinise governance evidence and testing depth. Premiums and exclusions move with control maturity. From a finance perspective, investment in identity security and recovery can lower expected loss and stabilise premium drift. That is an easier story to defend at the audit committee than a proposal to increase limits without improving posture.

The AI oversight gap

Shadow tools proliferate when teams experiment with public models and unvetted connectors. IBM’s analysis highlights that poor governance around AI extends breach costs. Set a simple rule: no sensitive data enters external systems without a recorded risk assessment. Every AI use case needs an owner, a log and the ability to turn it off quickly. That is basic operational discipline that protects margins as the data science agenda accelerates.

Bottom line for finance leaders

CIMA’s update is a timely nudge for finance leaders to take operational control of cyber resilience. The work is a steady rhythm of mapping, testing and refining that fits naturally with budgeting cycles and assurance processes. Used well, the tool helps finance turn cyber from a headline risk into a managed exposure that is priced, insured where sensible and reported with the same discipline as other material risks.
