Why Cybersecurity Is Now a Finance Director's Problem (And What to Do About It)
- kimberleylock
- Mar 12
- 13 min read
Written by Kimberley Lock
Chartered Accountant & Fractional Finance Director
Lock & Ledger Ltd
Let's be honest: for most SME owners and Finance Directors, cybersecurity feels like someone else's problem. Something for the IT team, the tech guy, or the big corporates with dedicated security budgets.
It isn't. And the numbers make that very clear.
In 2025, 43% of UK businesses reported a cybersecurity breach or attack in the past 12 months. The average attack cost a medium-sized business £10,830. Cyber-enabled fraud (where attackers trick your finance team into sending money) cost victims an average of £5,900 per incident. And UK ransomware attacks rose by 70% in a single year.
This isn't an IT problem. It's a financial risk, and that means it belongs on your desk.
At Lock & Ledger, we work with ambitious SMEs across the UK as their outsourced Fractional Finance Director. Cybersecurity keeps coming up: not in the IT budget, but in the conversations about cash flow, controls, and what would happen if things went wrong. So we've written this guide for you: practical, plain-English, and focused on what Finance Directors actually need to do.
1. Let's Get One Thing Straight: Cybersecurity Is a Finance Problem
The old model went like this: IT flags a threat, IT builds a defence, finance signs a cheque. Clean and simple.
That model is broken. Here's why.
A successful cyberattack doesn't just damage your servers. It hits your bank account, your cash flow, your relationships with customers and suppliers, and sometimes your ability to keep the business running at all. The consequences are financial, and that means they fall squarely within the Finance Director's remit.
Think about what a serious breach actually triggers:
Ransomware payments: attackers encrypt your systems and demand money to restore access
Business interruption: revenue stops, SLAs are breached, contracts may be voided
Emergency IT recovery costs: forensics, rebuilding systems and third-party specialists
Regulatory fines: under UK GDPR, a notifiable breach can cost up to £17.5m or 4% of global annual turnover
Insurance premium increases following a claim
Reputational damage: lost customers, lost tenders and lost trust
KPMG analysis published by the UK government puts the cost of even a three-day online banking outage in financial services at between £5.5 million and £231 million. In manufacturing, management services, and information technology, individual cyber incidents routinely cost over £300,000.
For an SME, a single uninsured or under-prepared incident at that scale isn't just painful. It can be fatal.
📌 Real Case: Synnovis (NHS Pathology Partner), June 2024. A ransomware attack resulted in an estimated £32.7 million financial hit in a single financial year. Thousands of NHS procedures were cancelled. The lesson for SMEs? A breach at one business does not stay contained: it cascades across suppliers, customers and partners. If your systems are connected to others, your exposure may be bigger than you think.
Not sure where your business stands on cyber financial risk? That's exactly what our free initial consultation is for. We'll take a look at your controls, your exposure, and what's worth prioritising first. → Book your free consultation at lockandledger.co.uk/contact-us
A 2025 Protiviti survey found that 46% of finance chiefs now list cybersecurity and fraud prevention as a core new responsibility of their role. The reason is simple: who in the business is best placed to quantify risk in financial terms? You are.
2. The Numbers UK Finance Leaders Need to Know
You can't manage a risk you haven't measured. Here's the current state of play for UK businesses in 2025:
| Stat | What It Means for Your Business | Source |
|---|---|---|
| 43% | of UK businesses experienced a breach or attack in the last 12 months (rising to 74% for large firms) | UK Gov Cyber Security Breaches Survey 2025 |
| £27 billion | estimated annual cost of cybercrime to the UK economy | NCSC / ANSecurity, 2025 |
| £10,830 | average cost of a cyberattack to a medium-sized UK business in 2024 | ANSecurity, 2025 |
| £5,900 | average cost to businesses hit by cyber-enabled fraud (rising to £10k excl. zero-cost incidents) | UK Gov Breaches Survey 2025 |
| 70% | increase in UK ransomware attacks compared to prior years | Eclarity / NCSC, 2025 |
| 93% | of cyber crimes against UK businesses were phishing-based in 2025 | UK Gov Breaches Survey 2025 |
| Only 22% | of UK businesses have a formal cybersecurity incident management plan | TwentyFour IT, 2025 |
| 46% | of finance chiefs now cite cyber & fraud prevention as a core new responsibility | Protiviti CFO Survey, 2025 |
The bottom line from all of this: it's no longer a question of whether your business will face a cyber incident. It's a question of whether you're financially and operationally ready when it does.
3. Who Actually Owns Cyber Risk: the FD or the CFO?
We get asked this a lot, particularly in SMEs where the roles overlap or one person covers both. The honest answer: it's a shared responsibility, but the emphasis differs.
For smaller businesses (especially those working with a Fractional FD), the finance lead often becomes the de facto owner of cyber risk governance. That doesn't require deep technical knowledge. It requires treating cyber risk the same way you'd treat any other material financial exposure: with a budget line, a governance structure, and a plan.
| Finance Director / Fractional FD | CFO / Group Finance |
|---|---|
| Day-to-day payment controls & authorisation | Enterprise cyber risk appetite & capital allocation |
| Finance system access controls & audit trails | Cyber disclosures, investor comms & board reporting |
| Operational cyber insurance review | Group-level insurance coverage limits & strategy |
| Finance team phishing training | Cross-functional cyber governance framework |
| Cash flow stress-testing for cyber scenarios | Cyber risk in long-term modelling & M&A due diligence |
If your business doesn't have a dedicated CISO (Chief Information Security Officer), the FD or CFO typically steps into that gap. In practice, that often means bringing in a managed security services provider or a fractional CISO, which is a financial decision the FD is uniquely placed to evaluate.
4. Reactive vs. Proactive: What Good Finance Leadership Looks Like
In our experience working with SMEs, the businesses that come through a cyber incident relatively unscathed all have one thing in common: their Finance Director was involved before the attack happened, not just after.
Here's the difference that makes in practice:
| Reactive FD (Old Model) | Proactive FD (2025 Approach) | Impact on Your Business |
|---|---|---|
| Treats cyber as IT's problem | Owns cyber as a financial risk, just like FX or credit risk | Faster board decisions, clearer accountability |
| No cyber line in the annual budget | Dedicates a contingency reserve for cyber incidents | No scrambling for cash when the worst happens |
| Discovers insurance gaps after a breach | Reviews cyber policy gaps proactively, every year | Avoids uninsured losses that can sink an SME |
| No scenario planning for cyber events | Stress-tests cash flow against a plausible cyber disruption | Resilient forecasts, confident investors & lenders |
| Payment approvals with no dual controls | Enforces MFA and segregation of duties on all payments | Dramatically lower exposure to BEC fraud |
| Silent on cyber culture in the team | Champions phishing training and ties it to KPIs | Human error, the number one attack vector, is reduced |
None of this requires a massive budget. It requires intention: treat cyber risk as seriously as you'd treat any other financial risk that could materially affect the business. That's a mindset shift as much as a practical one.
5. Five Things Every Finance Director Should Be Doing Right Now
5.1: Put Cyber Risk in Your Annual Budget (Not the IT Contingency)
This is the single most important change most SME finance functions need to make. Cybersecurity cannot live as a line item in the IT contingency. It needs its own budget, sized relative to your actual risk exposure.
Here's how to think about it in plain financial terms:
Identify your highest-probability threats: BEC fraud, ransomware, phishing leading to data loss
Estimate the financial impact of each (use the KPMG and Government Breaches Survey benchmarks as a starting point)
Size your investment to deliver meaningful risk reduction against those scenarios
Run at least one cyber disruption scenario during annual stress testing, for example a 48-hour lockout from your ERP or finance systems
Example: A £15,000 investment in email security and MFA that reduces your probability of an £80,000 BEC fraud from 15% to 3% delivers an expected loss reduction of £9,600 in year one (£80,000 × (15% − 3%)). That's a clear ROI, and it's the language that makes sense in a board presentation.
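As an added illustration (not the author's own worked example or a Lock & Ledger tool), the Python below carries the page's £15,000 / £80,000 / 15% to 3% figures through the four steps above and generalises them: several threat scenarios are scored by expected loss avoided per pound and funded in that order until a budget is exhausted. The ransomware and phishing figures are constructed placeholders, not benchmarks.

```python
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class CyberScenario:
    name: str
    impact_gbp: float        # estimated loss if the event happens (KPMG / Breaches Survey benchmarks)
    p_before: float          # annual probability with today's controls
    p_after: float           # annual probability once the proposed control is in place
    control_cost_gbp: float  # year-one cost of that control

    def expected_loss_before(self) -> float:
        return self.impact_gbp * self.p_before

    def expected_loss_after(self) -> float:
        return self.impact_gbp * self.p_after

    def expected_loss_reduction(self) -> float:
        """Year-one reduction in expected loss: impact x (p_before - p_after)."""
        return self.expected_loss_before() - self.expected_loss_after()

    def reduction_per_pound(self) -> float:
        """Expected loss avoided for each pound spent on the control."""
        return self.expected_loss_reduction() / self.control_cost_gbp

    def payback_years(self) -> float:
        """Years of avoided expected loss needed to recover the control's cost."""
        reduction = self.expected_loss_reduction()
        return self.control_cost_gbp / reduction if reduction > 0 else math.inf


def rank_controls(scenarios: list[CyberScenario]) -> list[CyberScenario]:
    """Best value for money first: highest expected loss avoided per pound."""
    return sorted(scenarios, key=lambda s: s.reduction_per_pound(), reverse=True)


def allocate_budget(scenarios: list[CyberScenario], budget_gbp: float):
    """Greedy allocation: fund controls in rank order while they still fit the budget.
    Returns (names funded, total spent, total expected loss reduction)."""
    funded, spent, reduction = [], 0.0, 0.0
    for s in rank_controls(scenarios):
        if spent + s.control_cost_gbp <= budget_gbp:
            funded.append(s.name)
            spent += s.control_cost_gbp
            reduction += s.expected_loss_reduction()
    return funded, spent, reduction


# The page's worked figures, plus two constructed scenarios for comparison.
BEC = CyberScenario("BEC fraud (email security + MFA)", 80_000, 0.15, 0.03, 15_000)
RANSOMWARE = CyberScenario("Ransomware (backups + endpoint protection)", 100_000, 0.10, 0.04, 20_000)  # constructed
PHISHING = CyberScenario("Phishing data loss (simulations + training)", 30_000, 0.20, 0.10, 4_000)  # constructed
SCENARIOS = [BEC, RANSOMWARE, PHISHING]

if __name__ == "__main__":
    for s in rank_controls(SCENARIOS):
        print(f"{s.name}: avoids £{s.expected_loss_reduction():,.0f}/yr, "
              f"£{s.reduction_per_pound():.2f} per £1 spent, payback {s.payback_years():.1f} years")
    print(allocate_budget(SCENARIOS, 25_000))
```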
5.2: Lock Down Your Financial Controls Against Fraud
Business Email Compromise (BEC) is the most financially damaging cyber threat facing finance teams right now. Fraudsters impersonate your CEO, a supplier, or even HMRC.
They send a convincing email asking your team to update bank details or make an urgent payment. And it works. Constantly.
The UK saw over 208 million scam emails in 2024. Finance teams are the target, because finance teams have the authority to move money.
The controls that stop this are not complicated or expensive:
Multi-factor authentication (MFA) on every finance system. Only 40% of UK businesses currently use 2FA of any kind
Dual authorisation on any payment above a set threshold (typically £2,500–£10,000 depending on your size)
A verified callback procedure before processing any change to supplier bank details: call a known number, not one provided in the email
Quarterly access control reviews: who has login access to your accounting platform, and do they still need it?
Segregation of duties: the person who initiates a payment should never be the same person who authorises it
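The five controls listed above can be expressed as a single pre-payment gate. The Python below is an added example (not Lock & Ledger's tooling or any accounting platform's API) that evaluates a payment request against MFA, dual authorisation above a threshold, segregation of duties and the verified-callback rule for bank detail changes; the £5,000 threshold, supplier record, phone numbers and account numbers are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SupplierRecord:
    name: str
    phone_on_file: str   # number held in the supplier master file, never taken from an email
    bank_account: str    # account currently on file


@dataclass(frozen=True)
class PaymentRequest:
    amount_gbp: float
    supplier: SupplierRecord
    initiated_by: str
    authorised_by: Optional[str]         # None if nobody has counter-signed yet
    initiator_used_mfa: bool
    authoriser_used_mfa: bool
    new_bank_account: Optional[str]      # set when the request asks to pay a different account
    callback_number_used: Optional[str]  # number the team actually rang to verify that change


@dataclass(frozen=True)
class ControlPolicy:
    dual_auth_threshold_gbp: float = 5000.0  # constructed; the page suggests £2,500-£10,000


def check_payment_controls(req: PaymentRequest, policy: ControlPolicy) -> list[str]:
    """Return the list of control failures; an empty list means the payment may proceed."""
    failures: list[str] = []
    # Control 1: MFA on every finance system, for everyone who touched the payment.
    if not req.initiator_used_mfa:
        failures.append("MFA: initiator logged in without multi-factor authentication")
    if req.authorised_by is not None and not req.authoriser_used_mfa:
        failures.append("MFA: authoriser logged in without multi-factor authentication")
    # Control 2: dual authorisation at or above the threshold.
    if req.amount_gbp >= policy.dual_auth_threshold_gbp and req.authorised_by is None:
        failures.append(f"Dual authorisation: £{req.amount_gbp:,.2f} needs a second approver")
    # Control 3: segregation of duties, regardless of amount.
    if req.authorised_by is not None and req.authorised_by == req.initiated_by:
        failures.append("Segregation of duties: initiator and authoriser are the same person")
    # Control 4: verified callback to a known number before any change to bank details.
    if req.new_bank_account is not None and req.new_bank_account != req.supplier.bank_account:
        if req.callback_number_used is None:
            failures.append("Callback: bank detail change has not been verified by phone")
        elif req.callback_number_used != req.supplier.phone_on_file:
            failures.append("Callback: number dialled is not the number on file (was it from the email?)")
    return failures


# Constructed sample data: one supplier on file and two versions of the same payment.
ACME = SupplierRecord("Acme Widgets Ltd", phone_on_file="01234 567890", bank_account="12-34-56 11111111")

# Typical supplier-impersonation pattern: new account, callback to a number that only appeared
# in the email, and one person pushing the payment through alone.
SUSPICIOUS = PaymentRequest(12000.0, ACME, "alice", "alice", True, True,
                            new_bank_account="65-43-21 99999999", callback_number_used="07700 900123")

# The same payment handled the way the controls require.
CLEAN = PaymentRequest(12000.0, ACME, "alice", "bob", True, True,
                       new_bank_account="65-43-21 99999999", callback_number_used="01234 567890")

if __name__ == "__main__":
    for label, req in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, check_payment_controls(req, ControlPolicy()) or "all controls passed")
```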
⚠️ New Threat in 2026: AI-Enabled Fraud. Finance teams are now receiving deepfake audio calls impersonating CEOs requesting urgent payments, and AI-generated invoices from convincingly spoofed suppliers. If your controls rely on recognising a voice or a familiar email format, they may already be outdated. Callback procedures and dual authorisation are your best defence.
Weak payment controls are one of the fastest ways to lose money in an SME. Our Finance Operations & Control service covers exactly this: MFA, dual authorisation, access control audits, and segregation of duties — embedded properly into your finance function. → Find out more: lockandledger.co.uk/what-we-offer/finance-operations-and-control
5.3: Have a Financial Response Plan Ready Before You Need It
When an attack hits, the first hour matters enormously. Businesses that have pre-built financial response plans recover faster, claim on insurance more effectively, and avoid the kind of panicked decisions that compound the damage.
Your financial incident response plan doesn't need to be a 50-page document. It needs to answer these questions, before an incident occurs:
How do we access emergency funds if our primary banking systems are locked?
Who is our cyber insurer, what's the claims number, and what are the mandatory notification windows?
Under UK GDPR, you have 72 hours to notify the ICO if personal data is involved. Who owns that decision?
What financial information do we need to quantify losses for an insurance claim?
What do we say to key creditors, banking partners, and major customers in the first 24 hours?
Only 22% of UK businesses have a formal cybersecurity incident management plan. The Finance Directors who sit in that 22% are giving their businesses a real advantage: not because they're better at IT, but because they've thought it through in advance.
5.4: Treat Cyber Insurance Like the Strategic Tool It Is
Cyber insurance has matured rapidly. But the gap between what policies appear to cover and what they actually pay out is still catching businesses off-guard.
As the Finance Director, these are the questions to put to your insurer or broker, and to get clear written answers on:
Does the policy cover business interruption, or just the direct costs of the breach?
Are ransomware payments covered? Under what conditions?
Does cover extend to third-party supplier breaches? (These now account for 30% of all breaches globally, per Verizon DBIR 2025)
Are the coverage limits actually aligned with our revenue exposure, or are we effectively self-insured above a certain threshold?
What cybersecurity hygiene requirements must we maintain to keep the policy valid, and are we currently meeting them?
Around 50% of UK businesses have no cyber insurance at all. With ransomware median payments now exceeding $115,000 globally, that's a significant financial gamble, particularly for SMEs where a single uninsured incident could threaten the business entirely.
5.5: Make Your Finance Team Genuinely Hard to Phish
Here's the uncomfortable truth: the most expensive cyber controls in the world can be bypassed by one member of your finance team clicking the wrong link or responding to a convincing fake email.
Phishing accounts for 93% of all cyber crimes against UK businesses. And finance teams are prime targets because they sit at the intersection of authority and trust: they can approve payments, access sensitive data, and correspond with senior management.
What actually works:
Quarterly phishing simulation exercises, which are inexpensive, low-disruption and extremely effective at changing behaviour
Including cyber awareness in every new finance hire's onboarding, not as a one-off but as part of the culture
Tying cybersecurity KPIs to leadership performance reviews (where relevant)
Making it genuinely safe to report near-misses (the NCSC Board Toolkit explicitly recommends this)
Briefing the board quarterly on cyber risk in financial impact language, not technical jargon
Only 19% of UK businesses provided any cybersecurity training in the past year. If your team isn't trained, your controls are not complete, regardless of what technology you've invested in.
6. The Regulatory Reality: What's Coming and What It Means for You
The UK regulatory environment around cybersecurity is tightening. As a Finance Director, and as a named officer of the business, you have a direct stake in understanding what's required, because the financial consequences of non-compliance are significant.
Here's what's relevant to most UK SMEs right now:
UK GDPR / Data Protection Act 2018: Mandatory notification to the ICO within 72 hours of a personal data breach. Fines of up to £17.5 million or 4% of global annual turnover for serious failures
Cyber Security & Resilience Bill (2025): Expanding mandatory incident reporting requirements, with stronger regulatory powers, particularly for businesses operating in digital services and critical supply chains
UK Cyber Governance Code of Practice (April 2025): Sets explicit board-level expectations for cyber oversight, linked to the NCSC Board Toolkit. Boards are expected to demonstrate active engagement, not just delegation
Financial Conduct Authority (FCA): Increasingly scrutinising operational resilience, including cyber resilience, for regulated firms and their supply chains
The direction of travel is clear: regulators expect finance leaders to understand cyber risk and demonstrate active governance. 'We left it to IT' is not a defence that will hold.
7. Questions We Get Asked a Lot
How much should we be spending on cybersecurity?
The honest answer is: enough to meaningfully reduce your highest-probability financial exposures. Industry benchmarks suggest between 5 and 15 per cent of the IT budget, but risk-adjusted budgeting is a better approach for SMEs. Calculate your likely exposure from BEC fraud, ransomware, and data breach fines, estimate the probability, and size your investment to deliver real risk reduction. At Lock & Ledger, we help clients frame this as risk-adjusted cashflow, which is the language that makes sense in board conversations.
What is Business Email Compromise (BEC) and how does it target finance teams?
BEC is where attackers impersonate a trusted person (your CEO, a supplier, HMRC) and convince your finance team to make a payment or share sensitive information. It's the most financially damaging form of cybercrime for businesses, and finance teams are the primary target. The attacker doesn't need to hack your systems. They just need one convincing email and one moment of uncertainty. Dual authorisation, MFA, and callback procedures are your frontline defence.
We're a small SME. Does this really apply to us?
Absolutely. Smaller businesses are often more attractive targets precisely because attackers assume (often correctly) that their controls are weaker. The UK Breaches Survey 2025 found that while large firms are more frequently targeted, 43% of all businesses experienced a breach. And for an SME, the financial impact of even a mid-range incident (£10,830 on average) is proportionally far more significant than it would be for a large corporate.
How do we measure whether our cybersecurity investment is working?
Frame it in risk-adjusted terms. Track the probability reduction in your key threat scenarios, not just the cost of controls. Useful metrics include: number of phishing simulations passed versus failed, time to detect and respond to incidents, number of unauthorised access attempts blocked, and claims against cyber insurance over time. Present these to the board alongside the financial risk they're managing, not as a technical report.
What should we include in our cyber insurance and does it cover everything?
Standard commercial liability policies typically exclude or severely limit cyber coverage, particularly first-party losses such as business interruption, ransom payments and data recovery. A standalone cyber policy should be reviewed annually against your actual exposure. Key questions: Does it cover BEC fraud? Business interruption? Third-party supplier breaches? Is the policy limit actually aligned with a realistic worst-case scenario for our business? If you're unsure, this is exactly the kind of financial risk assessment Lock & Ledger can help you work through.
How does a Finance Director without a technical background work effectively with IT on cyber risk?
You don't need to be a technical expert. You need a shared framework that translates cyber risk into financial impact. Require that every cybersecurity proposal from IT includes: what financial risk does this reduce, by how much, and at what cost? Meet with your IT lead or managed security provider monthly. Ask to see metrics you can understand: not network logs, but financial exposure trends. The NCSC Board Toolkit (updated 2025) is a genuinely useful starting point for non-technical board members and FDs.
Still have questions about how this works in practice? Our full FAQ covers everything from how a Fractional FD engagement works, to what it costs, to whether it's right for your size of business. → Read the full FAQ: lockandledger.co.uk/fractional-finance-director-faq-uk
8. So, What Should You Do Next?
If you've read this far, you're already ahead of most SME Finance Directors. The majority are still treating cybersecurity as someone else's job, and finding out the hard way that it isn't.
You don't need to become a cybersecurity expert. You need to do what Finance Directors do best: understand the risk, quantify the exposure, put the right controls and governance in place, and make sure the business is prepared.
Here's where to start, in order of impact:
Check whether cyber risk is in your risk register with a financial impact estimate, not just a traffic-light rating
Verify that MFA and dual-authorisation controls are in place for all payment approvals
Review your cyber insurance policy for gaps in business interruption and ransomware coverage
Build a simple financial incident response plan. Even a one-page checklist is better than nothing
Book phishing simulation training for your finance team, quarterly rather than annually
Add a cyber disruption scenario to your next annual stress test
Brief the board on cyber risk next quarter, in financial impact language rather than technical jargon
✅ The Lock & Ledger Bottom Line. The Finance Directors who protect their businesses from cyber risk aren't the ones with the biggest IT budgets. They're the ones who treat it like any other financial risk: understand it, quantify it, plan for it and act before they have to. That's exactly what the Lock & Ledger Method is built around: rapid assessment, a clear action plan and hands-on partnership to get it done.
If you'd like to talk through how your business's financial controls stack up against the cyber risks you're actually facing, we offer a free initial consultation. No jargon, no hard sell. Just an honest conversation about where the risks are and what to do about them.
Ready to get your financial controls, risk register and governance in shape? The Lock & Ledger Method starts with a free financial health check: rapid, practical and with no obligation. We work with SMEs from £1m to £20m+ turnover across the UK, on-site or remote. → Book your free consultation today: lockandledger.co.uk/contact-us Or explore our services first: lockandledger.co.uk/what-we-offer
Sources & Data References
UK Government Cyber Security Breaches Survey 2025: Department for Science, Innovation and Technology (DSIT) / Home Office | gov.uk
Economic Modelling of Sector Specific Costings of Cyber Attacks: KPMG for techUK / UK Government, 2025 | techuk.org
UK Cyber Security Sectoral Analysis 2025: Ipsos / Perspective Economics for DSIT | gov.uk
ANSecurity: UK Cybersecurity Statistics 2025 | ansecurity.com
Eclarity: Cybersecurity for UK SMEs: The Complete 2025 Guide | eclarity.co.uk
Verizon Data Breach Investigations Report (DBIR) 2025 | verizon.com
Protiviti / Vertex: Finance Leaders' 2025 Priorities | vertexinc.com
PrivacyEngine: UK Cybersecurity Statistics 2025 | privacyengine.io
NCSC Cyber Governance Code of Practice, April 2025 | ncsc.gov.uk
TwentyFour IT: UK Cybercrime Statistics 2025 | twenty-four.it