by Amena AlBasher, MSc (Cornell), Risk management and GRC expert.
In 2025, boards and CFOs find themselves in an unprecedented situation: they urgently need to know the reality of cyber risk in clear financial terms. The SEC cyber disclosure regulations demand more transparency, and AI-enabled attacks have grown in both frequency and cost (Proudfoot, Cram, Madnick, & Coden, 2023). Yet despite the growing number of quantification tools and industry frameworks, the same question echoes within governance circles: are we bridging the communication gap between cyber teams and financial decision makers, or merely dressing it up with more graphics?
The gap exists. As noted by Proudfoot et al. (2023), directors in companies with frequent cyber briefings still tend to regard cyber oversight as a compliance measure rather than a pillar of strategy. Reports are read and charts are delivered; however, the board is left to perceive risk as it has been explained to them, rather than as it actually stands in the real world.

Some of the disconnect lies in the tools used. FAIR has emerged as the de facto standard for expressing cyber threats in terms of probable financial loss. It has unmistakable advantages in organization, coherence, and a common language shared by risk managers and CFOs. However, as Liu and Babar (2024) observe in their systematic review, FAIR relies on historical data, which is backward-looking. That limitation is significant in a world where attack surfaces change more rapidly than actuarial tables. It is not merely an intellectual weakness. According to Adejumo and Ogburie (2025), the emergence of decentralized finance (DeFi), blockchain-based settlements, and API-integrated earnings has introduced attack vectors that have no meaningful precedent as the financial sector embraces blockchains and decentralized technology. These exposures cannot be cleanly modeled with historical probability. Nonetheless, FAIR output is habitually presented to boards as capturing the full window of financial exposure. The precision is enticing; the accuracy is questionable.
Then there is the more human issue of misaligned incentives. CFOs are rewarded for safeguarding quarterly performance. Investment in cybersecurity, and in quantification in particular, continues to be viewed as an expense rather than strategic capital. A study by Liu and Babar (2024) examines how stock markets punish breaches ex post, and finds that pre-emptive investment made before a breach is seldom rewarded. This is echoed by Proudfoot et al. (2023), who state that boards fund more advanced risk modeling only when there is a regulatory change or a significant event. The effects of such a short-term approach are evident in an example such as Equifax. Its breach in 2017 resulted in a loss of more than 4 billion in market capitalization over several days. The risk existed long before the breach; however, the board’s attitude reflected the typical pattern: reactive rather than predictive. Whereas Knight and Nurse (2020) examine the communication failure that occurred afterward, the true failure lay farther upstream: the failure to tell a story about systemic cyber risk that was financially meaningful enough to compel action in advance.
The other half of the gap is communication. Figures in isolation seldom sway a board; they must be narrated. Knight and Nurse (2020) devised an approach to corporate communication after incidents, focusing on transparency, timeliness, and tailored messages. That structure also works pre-incident, although herein lies a delicate risk. Done well, pre-incident storytelling makes cyber risk concrete; done poorly, it makes it simplistic. Boards prefer stories because they make risk relatable. Occasionally, those stories are shaped by risk teams to obtain budgets or compliance sign-off. But a story optimized to persuade is not a story optimized for precision, and something critical is lost in the difference. The risk profile the board acts upon becomes a curated reality. The communication gap is never bridged; it is merely managed with a more graceful and refined touch. This delicate translation is further complicated by emerging technology. According to Adejumo and Ogburie (2025), current weaknesses in financial APIs are already being exploited by AI-driven attacks; this is not a hypothetical situation. In multiple documented instances, incorrectly implemented APIs exposed transaction systems to credential stuffing attacks that bypassed legacy controls. There is no standardized method for incorporating such fluid, changing risks into FAIR models.
Beyond the short term, quantum computing is a looming disruptor. If existing cryptographic standards cannot survive quantum capabilities, the assumptions underlying the probability-based financial modeling in use today will erode.
Case studies reinforce the stakes. The 2015 breach at TalkTalk, used as a case in the study by Knight and Nurse (2020), not only led to fines but also caused a loss of customer trust, a loss of brand equity, and even a political backlash. The technical failures were severe, and the boardroom disconnect was fatal. Executives were caught off guard during live interviews, unable to say whether the stolen information was encrypted. It was not only a communication problem but also a quantification problem: the financial and technical risks had never been translated into board-level literacy. If these failures seem dated, they are not. In 2025, the same weaknesses play out quietly through API breaches, AI-enabled phishing, and cloud integration failures. Adejumo and Ogburie (2025) demonstrated that banking APIs remain among the most exploited vectors, while quantification of this risk has yet to reach maturity.
Are we bridging the communication gap, then? Improvement exists. A standard language under initiatives such as FAIR, higher stakes set by regulators, and investment in meaningful oversight by some boards are now in place. However, gaps persist: incentives are still not skewed in favor of the long term, stories are potentially too simplistic, and models cannot keep pace with technological disruption. Liu and Babar (2024) suggest a transition to dynamic quantification, in which real-time threat intelligence is combined with, rather than replaced by, historical data. Proudfoot et al. (2023) insist on making cyber oversight an inbuilt governance task. Adejumo and Ogburie (2025) emphasize that technological acceleration does not pause to give models time to adapt. Knight and Nurse (2020) remind us that clear, non-deceptive, context-rich communication is risk management. A more attractive dashboard cannot fill the communication gap. Filling it will demand dynamic, properly incentivized, brutally honest quantification from CFOs and boards. Until then, the gap will remain, smooth on the surface but deep underneath.
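To make the contrast between backward-looking and dynamic quantification concrete, the following is an added illustration, not code from this article or from any of the cited studies. It implements a deliberately simplified FAIR-style Monte Carlo: a loss event frequency and a per-event loss magnitude are each given as (minimum, most likely, maximum) estimates, a Poisson draw turns the frequency into an event count per simulated year, and the per-year totals yield an annualized loss expectancy (ALE), percentiles, and a loss-exceedance probability. The "dynamic" variant then scales the frequency estimate by a multiplier assumed to come from current threat intelligence (for example, observed credential-stuffing attempts against a payments API this quarter relative to the historical baseline). The scenario figures, the multiplier of 3.0, and the triangular distributions are all constructed assumptions; real FAIR tooling uses richer distributions and calibrated estimates.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class FairInputs:
    """Simplified FAIR-style inputs, each a (min, most likely, max) triangular estimate."""
    lef_min: float    # loss event frequency, events per year
    lef_mode: float
    lef_max: float
    lm_min: float     # loss magnitude per event, USD
    lm_mode: float
    lm_max: float


# Constructed scenario: credential stuffing against a customer-facing payments API.
# These figures are illustrative placeholders, not numbers from any cited study.
BASELINE = FairInputs(lef_min=0.2, lef_mode=0.5, lef_max=2.0,
                      lm_min=50_000, lm_mode=400_000, lm_max=5_000_000)


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Draw an event count from Poisson(lam) using Knuth's multiplication method (fine for small lam)."""
    limit = math.exp(-lam)
    k = 0
    p = rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_losses(inputs: FairInputs, iterations: int = 10_000, seed: int = 7) -> list:
    """Monte Carlo over simulated years: sample a frequency, draw an event count, sum per-event losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        lef = rng.triangular(inputs.lef_min, inputs.lef_max, inputs.lef_mode)
        n_events = poisson_sample(rng, lef)
        year_loss = sum(rng.triangular(inputs.lm_min, inputs.lm_max, inputs.lm_mode)
                        for _ in range(n_events))
        losses.append(year_loss)
    return losses


def percentile(values, p: float) -> float:
    """Nearest-rank percentile of a list of values (p in [0, 1])."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(p * len(ordered)))
    return ordered[idx]


def exceedance_probability(losses, threshold: float) -> float:
    """Fraction of simulated years whose total loss exceeds the threshold (one point on a loss-exceedance curve)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def summarize(losses) -> dict:
    """Board-level summary: ALE, median and 95th-percentile annual loss, and P(annual loss > $1M)."""
    return {
        "ale": statistics.mean(losses),
        "p50": percentile(losses, 0.50),
        "p95": percentile(losses, 0.95),
        "p_over_1m": exceedance_probability(losses, 1_000_000),
    }


def with_threat_intel(inputs: FairInputs, frequency_multiplier: float) -> FairInputs:
    """Dynamic variant (assumed adjustment): scale the frequency estimate by a multiplier derived from
    current threat intelligence, leaving the magnitude estimate unchanged."""
    return FairInputs(inputs.lef_min * frequency_multiplier,
                      inputs.lef_mode * frequency_multiplier,
                      inputs.lef_max * frequency_multiplier,
                      inputs.lm_min, inputs.lm_mode, inputs.lm_max)


if __name__ == "__main__":
    historical = summarize(simulate_annual_losses(BASELINE))
    current = summarize(simulate_annual_losses(with_threat_intel(BASELINE, 3.0)))
    for label, s in (("historical-only", historical), ("threat-intel adjusted", current)):
        print(f"{label:>22}: ALE ${s['ale']:,.0f}  P50 ${s['p50']:,.0f}  "
              f"P95 ${s['p95']:,.0f}  P(loss > $1M) {s['p_over_1m']:.0%}")
```

Running it side by side shows the point of the paragraph above: the same loss-magnitude assumptions produce a markedly different ALE and exceedance probability once the frequency input reflects what is being observed now rather than only what happened historically. The limitation remains that the multiplier itself is a judgment call, so a board presentation should state how it was derived rather than let the resulting dollar figures imply a precision the model does not have.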
References
Adejumo, A. P., & Ogburie, C. P. (2025). The role of cybersecurity in safeguarding finance in a digital era. World Journal of Advanced Research and Reviews, 25(3), 1542-1556. https://eprint.scholarsrepository.com/id/eprint/1343/
Knight, R., & Nurse, J. R. (2020). A framework for effective corporate communication after cybersecurity incidents. Computers & Security, 99, 102036. https://www.sciencedirect.com/science/article/pii/S0167404820303096
Liu, C., & Babar, M. A. (2024). Corporate cybersecurity risk and data breaches: A systematic review of empirical research. Australian Journal of Management, 03128962241293658. https://journals.sagepub.com/doi/abs/10.1177/03128962241293658
Proudfoot, J. G., Cram, W. A., Madnick, S., & Coden, M. (2023). The importance of board member actions for cybersecurity governance and risk management. Risk, 1, 2. https://cams.mit.edu/wp-content/uploads/MISQE_Board_Member_Actions_Proudfoot_Dec23.pdf