As more financial activities operate through the cloud, CFOs will need to develop security measures tailored to the finance department.
In February 2024, a Hong Kong company lost $25.6 million after attackers used deepfake technology to impersonate multiple executives on a video call. The finance worker authorised the transfer believing they were following legitimate instructions from the CFO and board members. It took days before anyone realised what had happened.
That case made headlines. But it was far from isolated.
If you are a finance leader in 2026, cybersecurity now falls directly within your remit. NIS2 enforcement deadlines have already passed, with member states required to transpose the directive into national law by October 2024. AI-powered attacks are targeting executives by name. And cloud-based finance systems, while offering significant security advantages, need to be evaluated with the right questions. This guide covers what has changed, what it means for your organisation, and what to do about it.
CFO 3.0: How the Role of a CFO Has Changed

The CFO role has evolved dramatically over the past two decades. CFO 1.0 focused purely on accounting and compliance. CFO 2.0 expanded into risk management and strategic planning, becoming true business partners.
CFO 3.0 represents the current reality: finance leaders who combine deep financial expertise with strategic technology oversight. You're expected to understand cloud security implications, evaluate cybersecurity investments, and make technology decisions that balance risk with operational efficiency.
That evolution isn't slowing down. The finance leaders who thrive in 2026 are those who've embraced this broader scope whilst maintaining their core financial discipline.
CFO 1.0
The initial version of the CFO, often referred to as CFO 1.0, had a role focused almost exclusively on accounting and financial reporting. Compliance, audits, and tax strategies were the mainstay of their work life.
While crucial, these tasks were somewhat myopic, rarely straying into the realms of strategic planning or business development. This role was undoubtedly essential but limited in scope, keeping CFOs siloed in their financial departments.
CFO 2.0
As businesses evolved, so did the role of the CFO. The second iteration, known as CFO 2.0, expanded the portfolio to include elements like risk management, strategic planning, and even a smattering of operational oversight.
CFOs began to emerge as partners in business development, occasionally stepping into aspects traditionally handled by COOs or CEOs. This broader perspective enabled them to contribute more holistically to the company’s growth, but still, there were limitations, particularly when it came to navigating the complexities of the digital world.
“Today’s CFO is transforming into a real-time analyst. Tomorrow’s CFO will be a visionary. This is CFO 3.0.”
— Sabby Gill, Managing Director, Sage UK & Ireland
The 2026 Cybersecurity Threat Landscape: What's Changed?
- 1. AI-powered CEO fraud
According to DeepStrike's 2025 analysis, over 80% of phishing campaigns now use AI-generated content. Deepfake fraud attempts increased by 3,000% in 2023, and the trend has only accelerated since.
These attacks target executives specifically. Voice deepfakes need just three seconds of audio to clone a voice convincingly. Your quarterly earnings calls, conference presentations, and podcast interviews all provide free training data for criminals.
The average deepfake fraud loss exceeds $500,000 per incident, with large enterprises seeing average losses of $680,000. That figure covers the immediate financial hit, the compliance investigations that follow, and the reputational damage that compounds over months.
- 2. Cloud supply chain vulnerabilities
Cloud security threats have shifted. According to Google Cloud's H1 2026 Threat Horizons Report, 44.5% of cloud incidents now exploit third-party software vulnerabilities, compared to 27.2% that target weak credentials.
AI accelerates the problem. Automated vulnerability scanning can now discover weaknesses in hours rather than weeks. For finance teams using multiple cloud services, this means the attack surface is wider than most organisations realise.
Updated Compliance Requirements for 2026
NIS2 Directive now in force
The EU's Network and Information Systems (NIS2) Directive required member states to transpose it into national law by 17 October 2024. As Grant Thornton's analysis outlines, this has direct implications for UK businesses that operate in EU markets or work with European suppliers. The directive introduces stricter supply chain security requirements and, critically, executive accountability for cybersecurity failures.
Key NIS2 requirements include:
Board-level cybersecurity oversight
24-hour incident reporting for initial notifications
72-hour detailed incident reports
Regular third-party risk assessments
Mandatory cybersecurity training
Even if you're UK-based, NIS2 compliance may already be necessary if you work with EU entities or process European customer data. The UK is developing parallel requirements through the Cyber Security and Resilience Bill.
Cyber Essentials Plus 2026: Tougher standards
Cyber Essentials Plus received significant updates that took effect on 27 April 2026. The changes make compliance notably more rigorous:
Mandatory MFA everywhere: Multi-factor authentication must be enforced across all supported cloud services, with no exceptions for non-privileged accounts. Compensating controls are no longer accepted.
14-day patching window: Hard SLA for security updates with automatic failure for delays. Risk acceptance processes can no longer substitute for actual patching.
Random re-sampling: Auditors can now sample beyond the initial scope to verify organisation-wide compliance, preventing the "fix the sample, pass the certification" approach.
Cloud services explicitly included: All cloud platforms and identity configurations fall under audit scope, requiring live evidence rather than documentation.
Financial services regulatory updates
The ICO increased enforcement actions by 40% in 2025, with financial services facing particular scrutiny around data protection and third-party processor management. Open Banking security standards continue evolving as PSD3 discussions progress, potentially introducing additional compliance requirements.
The Real Cost of Getting It Wrong
According to Northdoor's 2025 report, UK businesses faced an average breach cost of £3.29 million last year. For financial services specifically, IBM's 2025 Cost of a Data Breach Report puts that figure at $6.08 million globally — second only to healthcare. Those numbers cover the immediate operational response. Regulatory fines, legal fees, and reputational damage come on top.
The UK Government's Cyber Security Longitudinal Survey found that 82% of medium and large UK businesses experienced a cyber incident in the past 12 months, along with 77% of charities. Security incidents are becoming the norm, not the exception.
The hidden costs often outweigh the breach itself: business disruption, productivity losses, insurance premium increases, and months of additional compliance work that pull your finance team away from strategic priorities.
How Cloud Technology Strengthens Security

Professional-grade security by default
Cloud providers invest heavily in security infrastructure that most organisations couldn't justify implementing independently. Features like end-to-end encryption, advanced intrusion detection, and automated threat monitoring come as standard rather than expensive add-ons.
For finance teams, this means accessing enterprise-grade security without the capital expenditure or internal expertise required for equivalent on-premises systems. You benefit from dedicated security teams monitoring threats 24/7 whilst focusing your resources on financial operations.
Automated security updates
Cloud platforms handle security updates automatically, eliminating the manual patching processes that create vulnerability windows. This is particularly important given the 14-day patching requirements under Cyber Essentials Plus 2026.
Your cloud provider maintains current security standards without requiring internal IT resources to monitor, test, and deploy updates. That automation reduces both the administrative burden and the risk of human error in critical security processes.
Scalable access controls
Modern cloud platforms offer granular access controls that adapt as your organisation grows. Role-based permissions ensure finance team members access only the data and functions necessary for their roles, whilst comprehensive audit trails track all access and changes.
These controls integrate with existing identity management systems, making it easier to enforce consistent security policies across different platforms and applications.
How Sage Intacct Protects Your Data
For any CFO, choosing the right cloud-based financial solution is a pivotal decision, especially when balancing the complexities of cybersecurity and operational efficiency. Sage Intacct can seem like a compelling option designed to meet the unique needs of businesses across different sectors. This cloud-based financial management software offers robust security features and customisable solutions to foster operational excellence.
In this section, we’ll explore the diverse advantages of Sage Intacct, demonstrating why it has become the go-to choice for many businesses seeking to elevate their financial management capabilities.
Comprehensive security certifications
Sage Intacct maintains multiple security certifications that demonstrate adherence to rigorous security standards:
SOC 1 Type II and SOC 2 Type II: Validate financial reporting controls and broader security measures
ISO 27001: Confirms systematic information security management
PCI-DSS Level 1: Ensures payment card industry compliance
GDPR and HIPAA compliance: Meets data protection requirements for European and healthcare data
These certifications require annual third-party audits, providing ongoing verification that security controls meet established standards.
Ongoing operational expenses
Cloud services typically follow a subscription model, requiring ongoing payments that can be monthly, quarterly, or annually. While this shifts capital expenditure to operational expenditure, it's crucial to calculate these recurring costs over the long term.
Factors such as additional storage, added security features, or scaling the service to meet business growth can influence the overall expenditure. CFOs need to anticipate these variables in their financial planning.
Technical security measures
Encryption standards: AES 256-bit encryption protects data at rest, whilst TLS 1.2+ secures data in transit. Database-level encryption adds an additional security layer for sensitive financial information.
Access management: Multi-factor authentication combines with role-based access controls to ensure only authorised users can access financial data. Automated de-provisioning removes access when employees change roles or leave the organisation.
Audit capabilities: Comprehensive audit trails track all financial transactions and system access. These immutable logs support compliance reporting and can integrate with security information and event management (SIEM) systems for advanced threat detection.
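The access-control and audit-trail behaviour described above (and under "Scalable access controls" earlier) can be made concrete in a few dozen lines. The following is an added example written for this page, not Sage Intacct's implementation or any Sage code: the role names, permissions, user names and the hash-chaining scheme are assumptions chosen for the demonstration. It shows least-privilege role checks, automatic de-provisioning when a user leaves, and a tamper-evident log whose entries can be exported one JSON object per line in the shape most SIEM collectors ingest.

```python
"""Added illustration of role-based access, automatic de-provisioning and a
tamper-evident audit trail. Example code for this article, not Sage Intacct's
implementation; roles, permissions and users are constructed for the demo."""
import hashlib
import json
from datetime import datetime, timezone

# Role -> permissions. Each role grants only what the job needs (least privilege).
ROLES = {
    "ap_clerk":    {"invoice:read", "invoice:create"},
    "ap_approver": {"invoice:read", "invoice:approve"},
    "auditor":     {"invoice:read", "audit:read"},
}


class AuditLog:
    """Append-only log: every entry commits to the previous entry's hash, so
    editing or deleting an earlier record breaks the chain and is detectable."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, outcome, ts=None):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "outcome": outcome,
            "prev": prev,
        }
        body["hash"] = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """True if every entry's hash and back-link are intact, else False."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev:
                return False
            unhashed = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(
                json.dumps(unhashed, sort_keys=True).encode()).hexdigest()
            if digest != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def to_siem_lines(self):
        """One JSON object per line, ready to ship to a SIEM collector."""
        return [json.dumps(e, sort_keys=True) for e in self.entries]


class AccessControl:
    def __init__(self, log):
        self.log = log
        self.user_roles = {}   # user -> set of role names
        self.active = set()    # users still employed

    def provision(self, user, roles):
        self.user_roles[user] = set(roles)
        self.active.add(user)
        self.log.record("system", f"provision {user} {sorted(roles)}", "ok")

    def deprovision(self, user):
        """Leaver or role change: all access is removed automatically."""
        self.active.discard(user)
        self.user_roles.pop(user, None)
        self.log.record("system", f"deprovision {user}", "ok")

    def permissions_for(self, user):
        if user not in self.active:
            return set()
        return set().union(*(ROLES.get(r, set()) for r in self.user_roles.get(user, ())))

    def authorise(self, user, permission):
        """Every decision, allowed or denied, is written to the audit trail."""
        allowed = permission in self.permissions_for(user)
        self.log.record(user, permission, "allowed" if allowed else "denied")
        return allowed


def demo():
    """Walk through provisioning, least-privilege denials, a leaver, and a
    tampered log; returns the observations as a dict."""
    log = AuditLog()
    ac = AccessControl(log)
    ac.provision("alice", ["ap_clerk"])
    ac.provision("bob", ["ap_approver"])
    results = {
        "alice_create": ac.authorise("alice", "invoice:create"),   # in role
        "alice_approve": ac.authorise("alice", "invoice:approve"), # not in role
        "bob_approve": ac.authorise("bob", "invoice:approve"),
    }
    ac.deprovision("alice")                                        # alice leaves
    results["alice_after_leaving"] = ac.authorise("alice", "invoice:read")
    results["chain_ok"] = log.verify()
    results["siem_lines"] = len(log.to_siem_lines())
    # Someone rewrites a denied attempt as "allowed": the chain no longer verifies.
    log.entries[3]["outcome"] = "allowed"
    results["chain_after_tamper"] = log.verify()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the hash chain is that an "immutable" log is only as good as your ability to prove it was not altered; forwarding the lines to a SIEM the same people cannot write to gives a second copy to compare against.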
Infrastructure and operations
Sage Intacct operates from Tier III and Tier IV certified data centres with 24/7 physical security monitoring, biometric access controls, and redundant power systems. Geographic distribution provides business continuity whilst offering UK and EU data residency options for regulatory compliance.
Regular disaster recovery testing ensures business continuity plans work when needed, whilst environmental monitoring prevents infrastructure failures that could compromise data availability or security.
Questions to Ask Your Cloud Provider
When evaluating cloud providers for financial data, use this checklist to assess their security posture:
Security and compliance
Where are your data centres located, and what security measures are implemented?
What encryption standards do you use for data at rest and in transit?
Which security certifications do you maintain, and can you provide current reports?
How do you ensure data segregation between customers?
Can you provide data residency guarantees for UK/EU operations?
Access and monitoring
Is multi-factor authentication mandatory for all user accounts?
How do you implement and audit role-based access controls?
What audit trails exist for system access and configuration changes?
How do you detect and respond to unauthorised access attempts?
Can you demonstrate compliance with the principle of least privilege?
Business continuity
What are your uptime SLAs, and how do you handle compensation for breaches?
How frequently do you perform backups, and what's the recovery process?
What's your business continuity testing schedule?
How do you communicate security incidents that might affect customer data?
Do you maintain cyber insurance that covers customer impacts?
Vendor risk management
How do you assess and manage third-party security risks?
What critical suppliers do you depend on for service delivery?
What contractual protections exist for service continuity?
How do you handle data protection if your business fails?
Can you provide references from customers in similar regulatory environments?
Your Next Step in the Age of CFO 3.0
The threats are real and the compliance deadlines are fixed. But the good news is that cloud-based financial systems, when chosen carefully, already meet most of these requirements out of the box.
Sage Intacct, for example, holds SOC 1, SOC 2, ISO 27001, and PCI-DSS Level 1 certifications. It enforces MFA, encrypts data at rest and in transit, and maintains comprehensive audit trails. For finance teams weighing up whether to move from legacy systems to the cloud, or evaluating whether their current setup meets 2026 standards, those credentials matter.
If your current financial systems are raising more questions than answers when it comes to security, compliance, or scalability, we can help you work out whether Sage Intacct is the right system for you.
Book your free Sage Intacct discovery call
CFO 3.0 Cybersecurity FAQs
- How can I verify that our current cloud provider meets 2026 security standards?
Request copies of their current SOC 2 Type II reports, security certifications, and compliance documentation. Ask specifically about their response to NIS2 requirements and Cyber Essentials Plus 2026 changes. Legitimate providers will share these documents readily.
- What's the most effective way to protect against AI-powered CEO fraud?
Implement verification procedures for financial authorisations, especially high-value transfers. Establish out-of-band confirmation processes using different communication channels, and train finance staff to recognise social engineering attempts regardless of how convincing they seem.
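The verification procedure this answer recommends, written out as an added example for this page rather than code from the article's author or from Sage: the threshold, the contact directory, the user names and the payment requests are all constructed for the demonstration. The policy encodes the two controls above: a high-value or new-payee payment needs an independent second approver, and confirmation must come back over a channel different from the one the request arrived on, using only a contact from a pre-registered directory (never a number or address supplied in the request itself, which is how the video-call fraud in the introduction succeeded).

```python
"""Added illustration of out-of-band confirmation and dual control for
payment authorisation. Example code for this article, not Sage Intacct's
workflow; threshold, directory and requests are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy threshold: payments at or above this need extra evidence.
HIGH_VALUE_THRESHOLD = 10_000

# Constructed directory of pre-registered contact channels. A callback must
# use a contact from here, never one taken from the message asking for payment.
DIRECTORY = {
    "cfo": {"phone": "+44 20 0000 0000", "email": "cfo@example.invalid"},
}


@dataclass
class PaymentRequest:
    requester: str          # who is said to have asked, e.g. "cfo"
    channel: str            # channel the request arrived on: "email", "video_call", ...
    amount: float
    payee_account: str
    new_payee: bool = False


@dataclass
class Evidence:
    approvals: set = field(default_factory=set)        # user ids who approved
    callback_channel: Optional[str] = None             # channel used to confirm
    callback_contact: Optional[str] = None             # contact used for the callback


def review(req, ev, preparer):
    """Apply the policy. Returns (approved, reasons); reasons is empty on approval."""
    reasons = []
    needs_checks = req.amount >= HIGH_VALUE_THRESHOLD or req.new_payee
    if needs_checks:
        # Out-of-band confirmation: different channel, directory contact only.
        if ev.callback_channel is None:
            reasons.append("no out-of-band confirmation")
        elif ev.callback_channel == req.channel:
            reasons.append("confirmation used the same channel as the request")
        else:
            registered = DIRECTORY.get(req.requester, {}).get(ev.callback_channel)
            if registered is None or registered != ev.callback_contact:
                reasons.append("callback contact not from the registered directory")
        # Dual control: the person who prepared the payment cannot be its only approver.
        if not (ev.approvals - {preparer}):
            reasons.append("no independent second approver")
    return (not reasons, reasons)


def demo():
    """Run the policy over constructed scenarios; returns name -> (approved, reasons)."""
    results = {}
    # Routine low-value payment to a known payee: no extra evidence required.
    results["routine"] = review(
        PaymentRequest("cfo", "email", 2_500, "GB00EXAMPLE1"), Evidence(), "alice")
    # High-value request made on a video call and "confirmed" on that same call.
    big = PaymentRequest("cfo", "video_call", 250_000, "GB00EXAMPLE2")
    results["same_channel"] = review(big, Evidence({"bob"}, "video_call", None), "alice")
    # Same request, confirmed by phoning the directory number, with a second approver.
    results["verified"] = review(
        big, Evidence({"bob"}, "phone", DIRECTORY["cfo"]["phone"]), "alice")
    # Callback made to a number that was supplied inside the request itself.
    results["number_from_request"] = review(
        big, Evidence({"bob"}, "phone", "+44 7000 000000"), "alice")
    # Preparer approving their own high-value payment: no independent check.
    results["self_approved"] = review(
        big, Evidence({"alice"}, "phone", DIRECTORY["cfo"]["phone"]), "alice")
    # New payee below the threshold still needs verification.
    results["new_payee"] = review(
        PaymentRequest("cfo", "email", 900, "GB00EXAMPLE3", new_payee=True),
        Evidence(), "alice")
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20} {'APPROVED' if ok else 'HELD'} {why}")
```

The same rules can be enforced in a finance system's approval workflow or as a pre-release check in treasury tooling; what matters is that the directory lookup and the "different channel" test are mechanical, so a convincing voice or face on the requesting channel cannot satisfy them.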
- Do we need NIS2 compliance if we're a UK-only business?
You may still need compliance if you work with EU suppliers, have European customers, or operate in sectors that fall under the UK's developing Cyber Security and Resilience Bill. The safest approach is to assess your specific circumstances with someone familiar with cross-border regulatory requirements.
- How do I justify the cost of upgraded cybersecurity to the board?
Frame it as risk management rather than technology spending. The average UK breach costs £3.29 million, whilst financial services see £6.08 million losses. Compare these potential costs against the investment required for proper security measures. The ROI calculation typically supports the security investment.
- What happens to our data if our cloud provider suffers a security incident?
This depends on your service agreement and the provider's incident response procedures. Reputable providers should have clear communication protocols, liability frameworks, and recovery procedures. These should be explicitly covered in your contract before you migrate any data.
- Is cloud storage actually more secure than keeping everything on-premises?
For most organisations, yes. Cloud providers invest in security infrastructure and expertise that individual companies couldn't justify economically. However, security depends on proper configuration and access management — the technology is only as secure as how you implement it.