Published
05 May 2025

The growing cybersecurity challenges for private fund CFOs

Private fund chief financial officers (CFOs) are not cybersecurity experts, but they do need to be experts in operational risk management. Since cyberattacks pose a significant financial and reputational threat to organisations, CFOs play an integral role in cybersecurity. They work closely with chief information security officers (CISOs) to assess potential threats, prioritise them based on financial impact, and implement strategies to mitigate risks effectively.

Why should CFOs care about cybersecurity? A firm's cybersecurity strategy directly affects investors, posing both financial and personal risks if their information is compromised. Per Cybersecurity Ventures, cybercrime is expected to cost US$10.5t globally by 2025.

In addition to reputational concerns, CFOs have regulatory reporting obligations that include cybersecurity. Under newly adopted U.S. Securities and Exchange Commission (the “SEC”) regulations, they must report a material cybersecurity incident within four days. In addition to being involved in compliance with the rules set by the SEC, CFOs may also need to adhere to the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), among others. CFOs must therefore collaborate with general counsels, internal auditors, CISOs, and others to strive for compliance. They must also address board of directors and limited partner (LP) inquiries about cyber incidents, along with annual disclosures of cyber-risk management, strategy, and governance.

In meeting these compliance requirements and maintaining investor trust, CFOs must address several cybersecurity risks head on to mitigate potential impacts.

The top 5 cybersecurity risks for CFOs

Risk 1 | Phishing attacks

Phishing is a type of cyber-attack in which attackers masquerade as legitimate companies or individuals to steal sensitive information such as usernames, passwords, and other confidential data. They also often trick employees into transferring money through fraudulent wire requests or vendor invoices. These attacks typically arrive as deceptive emails, phone calls, and even text messages that appear to come from trusted sources, making them difficult to detect.

Investment fraud losses rose to US$4.57bn in 2023, a 38% increase from the previous year, according to the U.S. Federal Bureau of Investigation. To mitigate these risks, CFOs must take a proactive approach. Annual employee training will help teams recognise and report phishing attempts. Implementing advanced email security tools such as spam filters and threat detection systems can block malicious messages before they reach inboxes. Multi-factor authentication (MFA) also adds an extra layer of protection, making it harder for attackers to gain access to accounts even if credentials are compromised. By implementing a prevention strategy that includes technology, employee training, and effective internal controls, CFOs can significantly reduce the likelihood of a successful phishing attack.

Risk 2 | Ransomware

Cybercriminals use ransomware to encrypt a company’s data and demand a financial ransom to restore access. Attackers often deliver ransomware through compromised software or fake emails, making it a persistent challenge for CFOs. In 2024, ransomware attacks trended upward, and they are still increasing in early 2025.

To mitigate this risk, CFOs should adopt a multi-layered cybersecurity strategy. Implementing advanced threat detection tools helps identify and isolate threats before they can cause damage. Regularly updating software and patching vulnerabilities reduces the chances of attackers finding security issues. CFOs should also follow a strict data backup strategy to maintain secure offline backups that allow for data restoration without paying a ransom.

Risk 3 | Data breaches

A data breach can have devastating financial and reputational consequences for firms, leading to regulatory fines, legal fees, operational disruptions, and reputational damage. According to IBM’s Cost of a Data Breach Report, the average cost of a breach reached US$4.88mm in 2024, a 10% increase compared to 2023 and the highest total ever.

For CFOs, mitigating this risk requires a proactive approach that includes investing in a robust cybersecurity infrastructure, conducting ethical penetration testing, implementing stringent access controls, conducting regular risk assessments, and ensuring compliance with industry regulations. Additionally, conducting incident response planning annually can help prevent costly breaches.

Risk 4 | Insider threats

Insider threats from current or former employees can result in significant damage given these users' knowledge of and access to internal systems and data. Whether intentional or accidental, insider threats can lead to financial losses, data breaches, and reputational harm. According to research from DTEX Systems and the Ponemon Institute, the average cost of an insider threat incident rose from US$6.2mm in 2023 to US$17.4mm in 2025.

CFOs should implement strict access control protocols. Role-based and attribute-based access controls give employees access only to the data necessary for their job functions, reducing the potential for unauthorised exposure. Regular audits of user access permissions help identify and remove unnecessary privileges, particularly for departing employees or those transitioning roles. Monitoring user activity with behavioural analytics can detect suspicious actions such as unusual data downloads or login attempts. By combining technological safeguards with internal policies, CFOs can reduce the risk of insider-related security breaches.

Risk 5 | Third-party risks

Third-party vendors pose a significant cybersecurity risk, as they often have access to sensitive financial data and company systems. A breach within a vendor’s network can create an entry point for cybercriminals, leading to data theft, financial fraud, and regulatory violations. According to Prevalent’s Third-Party Risk Management study, 61% of companies experienced a third-party data breach or cybersecurity incident in the previous year.

CFOs should implement a comprehensive vendor risk management strategy. Conducting due diligence before onboarding third-party providers will reveal whether they meet a firm’s cybersecurity standards, such as data encryption, MFA, and compliance with regulations. Establishing a service level agreement (SLA) that outlines mandatory security assessments, breach notification timelines, and liability clauses can strengthen vendor accountability. Additionally, restricting vendor access to only the data and systems necessary for their role minimises potential exposure.

Strengthening cybersecurity resilience

As cyber threats continue to evolve, CFOs play a critical role in safeguarding their firm from financial and operational risks. Phishing attacks, ransomware, insider threats, and third-party vulnerabilities pose significant challenges that require a proactive, multi-layered defence strategy. Strengthening cybersecurity resilience is not just an IT concern—it is a strategic initiative that protects financial stability, investor confidence and long-term business success.

Thrive in today’s fast-changing environment

Looking to further your knowledge of the asset management landscape? Our latest report, a collaboration between TMF Group, cybersecurity software and services provider Drawbridge, and global asset manager Schroders, examines how asset managers and their investors can best thrive in today’s fast-changing environment. Learn more about ‘Survival of the Fittest – A Playbook for Success’ here.