What CFOs should do in the first 24 hours of a cyberattack


https://www.cfo.com/news/what-cfo-should-do-first-24-hours-cyberattack-cybersecurity-deepfake-walter-crawford-oaktruss-/823484/

Publish Date: 2026-06-25 10:33:00

Source Domain: www.cfo.com

Author:


It’s a Monday morning and your company gets hit with a cyberattack.
Employees are locked out of the ERP system. Customer records may have been exposed. Invoices can’t be sent. The board wants answers right away while the technology team that’s logged in starts working to determine the scope of the incident and how much damage has been done.
That scenario formed the basis of a cybersecurity exercise at the Institute of Management Accountants’ 2026 conference in Tampa, Florida, last week, where finance leaders worked through a fictional supply-chain attack involving stolen data, encrypted systems and a ransomware demand.

Led by cybersecurity professionals and attended by finance executives, the session explored the decisions CFOs may face during the first day of a breach and the preparations that can help organizations respond more effectively.
Throughout the session, one theme emerged repeatedly: Organizations that respond most effectively are often the ones that prepared long before the attack occurred.

Prepare to make decisions with incomplete information
One of the first challenges presented during the exercise was assessing the severity of the incident before investigators had a complete understanding of what had happened.
That uncertainty, according to Walter Crawford, senior director of advisory services at cybersecurity consulting firm OakTruss Group, is a defining feature of most cyberattacks.


“The thing about this is you are not going to have all of the information available at the beginning,” Crawford said. “You are going to operate on holes in information and limited information. And you’re going to have to make a best estimate.”
As details emerge, CFOs are often expected to help the organization understand the potential operational and financial impact of the attack. Estimating that impact can be difficult in the early stages of an incident, particularly when critical facts are still unknown.
“The financial impact is going to be the one … that’s probably the hardest to estimate,” Crawford said. “You’re going to think about loss of business, loss of sales. You might be thinking about as well as on the operational side. How long are our back offices going to be down or production systems are going to be down?”

Crawford also emphasized the importance of bringing the right advisers into the process early. The role of legal counsel did not initially come up in the discussion, so Crawford raised it on his own. “One thing I will say is legal is always one of the first calls we recommend in this situation,” he said.
Crawford said legal advisers can help organizations navigate communications, disclosure obligations and the flow of information while the investigation is still underway. “[These CFOs] have to act deliberately and quickly [with legal] because what they don’t want is information starting to trickle out throughout the organization and rumors start to spread,” Crawford said.

Focus on business continuity
As the exercise progressed, the conversation shifted from the attack itself to a more practical question: How does the business continue operating while the investigation unfolds?

[Photo: Walter Crawford (left) with OakTruss Director of Finance Lane Duncan at IMA26. Permission granted by CFO Alliance.]

For Crawford, that is where many CFOs need to focus their attention. The technical details of a cyberattack matter, but finance leaders also need to understand what happens when critical business processes suddenly become unavailable.
The discussion also challenged assumptions many organizations make about their ability to recover from an attack. Backups are often viewed as the solution, but Crawford said many organizations have never tested whether those systems can actually be restored under real-world conditions.
“Most companies have never done an exercise to test if they can actually successfully recover their backups,” Crawford said.
Crawford said many executives underestimate how long a full recovery can take, particularly when large amounts of data are involved. “We’re talking about a hundred plus terabytes of data. You can’t just recover that overnight; that’s going to be a multiple weeks, sometimes months long process,” he said.
The issue becomes more complicated when ransomware is involved. Crawford described double extortion, one of many tactics, in which attackers steal sensitive information before encrypting systems and then demand payment not only for a decryption key but also for a promise not to release the stolen data.
“Even if you have the backups, they’re under pressure to make the payment or else have all of the [personally identifiable information] and all of the privileged communications, [and] all of the financial data that they have published out on dark web or on public internet,” he said.
The challenge often extends beyond restoring systems, he explained, because companies may also be assessing what information attackers obtained and evaluating the potential consequences if that information becomes public.
Crawford also said organizations can improve their position before an attack ever occurs by establishing relationships with specialists who understand ransomware negotiations. “Having a ransom negotiator that you contracted with before the incident is a best practice,” he said.
He also explained how many ransomware groups have developed formal processes around negotiations and victim communications, reflecting how organized some of these operations have become. “As bad as it sounds, these bad actors have operations,” he said. “They offer discounts [and] they have help desks.”

Preparation starts before the attack
Throughout the exercise, Crawford repeatedly returned to the importance of preparation. Organizations that establish response plans, understand their insurance coverage, maintain relationships with outside advisers and test their recovery capabilities often have more options when a breach occurs.
He also argued that many companies underestimate the resources required to investigate a cyber incident.
“I think the biggest capability gap most companies have is on the actual cyber incident response effort,” Crawford said. “Most companies are going to have a cybersecurity team, and on that team there are one or two people that do the actual incident response. That’s not enough when you’re actually experiencing a breach.”
Crawford said organizations often assume their internal teams can manage a breach until they experience the volume of work required to investigate, contain and recover from an attack. He encouraged finance leaders to think through how critical functions would continue operating if systems became unavailable and whether key processes could continue while systems were being restored.
“How would you make payroll? How would your team send out invoices to all of your other financial partners?” Crawford said.
He added that aligned organizations that invest in cybersecurity and preparedness generally place themselves in a stronger position when incidents occur.
“We have found a correlation between companies that invest the most in cyber and the most to prepare for these incidents typically fare better and sometimes don’t have them happen at all because they’re able to detect it faster,” Crawford said.