What CFOs should do in the first 24 hours of a cyberattack

The article focuses on what CFOs should do during the first 24 hours of a cyberattack, drawing on a cybersecurity exercise conducted at the Institute of Management Accountants’ 2026 conference in Tampa, Florida. Participants, including finance executives and cybersecurity professionals, worked through a fictional supply-chain incident involving stolen data, encrypted systems, and a ransomware demand. A central takeaway was that organizations that prepare earlier tend to respond more effectively when information is incomplete. The session emphasized that severity assessments often begin with gaps, requiring “best estimates” before investigators confirm facts. Walter Crawford, senior director of advisory services at OakTruss Group, said financial impact is particularly difficult to quantify early because it may involve lost sales and downtime across back offices or production systems. The discussion also stressed engaging legal counsel quickly to manage communications, disclosure obligations, and information flow during an active investigation.