Concerns about cybersecurity are growing every day. Treasury andrisk professionals need to watch for, and guard against, paymentsfraud, ransomware, and data breaches, while also ensuring securityis adequate within third-party vendors of the applications andcloud services their company relies on.

Meanwhile, the pressure is on from regulators.The latest SEC guidance on the topic encourages public companiesto disclose cybersecurity risks and to describe in financial termsany exposures that are material from a businessperspective. To effectively meet this guidance, treasuryand finance managers should answer some basicquestions about their cybersecurity risk posture:

• What risks do we face?
• What is the financial value of these exposures?
• Which risks pose the largest threat?
• How much should we spend, and where, for best results tomitigate these risks?

Gathering this information is crucial to effective cyber riskmanagement—but finance managers who embark on this journey willsoon discover the Great Cybersecurity Exception. According toconventional wisdom in IT security circles, cyber risks cannot beassigned the same type of dollars-and-cents valuation as otherrisks because cyber risks are too technical and too dynamic, andhistorical data is too hard to find. Instead, cybersecurityprofessionals are often satisfied with designating cyber riskseither red, yellow, or green on a heat map, based on their bestguesses. Or they might show the progress they've made in reducingcyber risks by checking off tasks on a best-practices checklistlike the NIST Cybersecurity Framework.