The Illusion of Control: Why Cyber Resilience Begins with Treating Data as a Strategic Asset

Executive Summary

Cybersecurity risk is no longer solely an IT issue. It has become a financial, operational, regulatory, and reputational risk that increasingly sits within the CFO’s sphere of responsibility. As organizations accelerate the adoption of AI-powered financial controls, many assume automation inherently strengthens resilience and reduces exposure. In reality, AI layered on top of fragmented, inconsistent, or poorly governed data environments can amplify cyber risk rather than mitigate it. 

This article explores how modern cyber resilience begins with treating data as a strategic asset rather than a byproduct of operations. It argues that the effectiveness of AI-driven controls, fraud detection, compliance monitoring, and incident response is fundamentally constrained by the quality, accessibility, and governance of the underlying data. When financial and operational data remains siloed across systems, organizations create an “illusion of control” — dashboards and automated outputs that appear sophisticated but may conceal significant vulnerabilities beneath the surface. 

Ultimately, the article makes the case that organizations do not gain resilience from AI alone. They gain resilience from trusted data foundations that allow AI, financial controls, and cybersecurity frameworks to function effectively together. The central message is clear: the organizations best positioned to manage cyber risk, regulatory pressure, and stakeholder trust are the ones that unify and govern their data before a crisis occurs, not during it.

I. The Transparency Paradox: AI as a Risk Amplifier

The current rush to deploy AI in the finance office has produced what we call a transparency paradox. AI tools promise to automate oversight and accelerate detection. Their effectiveness, though, is capped by the quality of the data they consume. When data is fragmented across silos, inconsistent in its definitions, or delayed in ingestion, AI does not fix these problems. It scales them.

The failure chain is fairly predictable in our experience. Financial and operational data is scattered across departments. New AI controls are deployed on that inconsistent foundation in the name of modernization. The outputs look precise but rest on incomplete or stale information. CFOs then rely on those outputs to make consequential calls on materiality, fraud, and risk coverage. The regulatory, financial, and reputational fallout that follows is often more severe than the initial incident would have been on its own.

The Association of Certified Fraud Examiners (ACFE), the world’s largest anti-fraud organization, reports in its 2024 Report to the Nations that organizations lose an estimated 5% of annual revenue to fraud. The report, based on cases investigated by Certified Fraud Examiners (CFEs), found that financial statement fraud, while the least common category, produced the highest median loss at approximately $766,000 per case. The ACFE’s findings consistently identify weak or absent internal controls as one of the primary conditions enabling fraud to occur. In our experience working with finance organizations, many of these incidents trace back not to missing technology, but to detection failures rooted in fragmented upstream data: anomalies that a unified system would have flagged in hours went undetected for months because the data feeding the controls was incomplete, inconsistent, or simply not there.

DataVisor’s 2026 Fraud and AML Executive Report adds the sharper point: roughly 75% of senior leaders identify AI-driven fraud as a top concern, while roughly 65% say their organizations lack the infrastructure to deploy AI defenses. That infrastructure gap is a data-foundation gap. The AI purchase did not close it. It obscured it.

AI layered on fragmented data does not reduce risk. It creates the illusion of control while compounding the underlying exposure.

II. The Resilience Triad: A Framework for the Modern CFO

To shift from reactive defense to a more proactive posture in the face of disruptions and cyber incidents, leadership must view organizational health through the lens of what we call the Resilience Triad, which outlines three interdependent outcomes that rise and fall with the quality of the underlying data foundation.

Continuity: Ability to Maintain Core Functions During a Disruption

When a disruption hits, the finance function is immediately called upon to assess impact, authorize emergency expenditures, and maintain reporting continuity. Each of those tasks requires data that is accessible, current, and trustworthy. Organizations with fragmented data environments find that the disruption compounds: systems that do not talk to each other in normal operations will not talk to each other under pressure. The organization that cannot tell you its vendor concentration exposure on a Tuesday morning will not be able to tell you which vendors are at risk on the day the incident is declared.

Rapid Recovery: Speed With Which an Organization Returns to Baseline Operations and Compliance After an Event

IBM’s 2025 Cost of a Data Breach report found that organizations using AI and automation extensively contained breaches roughly 80 days faster and paid about $1.9 million less per incident than those that did not ($3.6M versus $5.5M). In our view, that 80-day delta is structural: the speed advantage reflects that the faster organizations had unified their relevant data before the incident, not during it. This also reframes SEC disclosure timelines as a data-readiness issue. If incident data cannot be reconciled quickly and confidently, organizations may struggle to make timely and well-supported materiality determinations.

Stakeholder Confidence: Earning the Market’s Trust Under Pressure

Markets know breaches happen. What they price in the year that follows is not the breach itself but the quality of the response. Morningstar’s Sustainalytics analyzed 69 high-risk cyberattack incidents and found that companies with stronger data privacy and security programs returned 11.6% one year after a breach, nearly keeping pace with their sector benchmark, while those with weaker programs returned -4.9%, significantly underperforming their peers. A well-prepared, transparent disclosure separates well-governed firms from poorly governed ones in the eyes of the market. It requires data that was curated before the crisis, not reconstructed during it.

The key point to hold on to is this. Resilience outcomes are not determined by the sophistication of the AI. They are determined by the readiness of the data. AI becomes a resilience advantage only once the data foundation is unified. Before that, it functions largely as a risk amplifier.

The CFO whose data is ready before the incident controls the narrative. The CFO whose data is reconstructed during the incident does not.

III. The SEC’s Four-Day Clock: A Data Readiness Mandate

Nowhere is the urgency of data unification more evident than in the SEC’s cybersecurity disclosure rules under Item 1.05 of Form 8-K. The rule requires companies to disclose a material cybersecurity incident within four business days of determining that it is material.

A common misconception is that the clock starts at the moment of discovery. It does not. The clock starts once the organization makes a materiality determination. Crucially, the SEC has been clear that the determination must be made without “unreasonable delay.” In practice, the same fragmented financial and operational data that feeds the AI controls must be reconciled to make that call.

If a CFO cannot pull together a unified view of the incident’s impact because the relevant data is trapped in silos, the organization runs straight into the unreasonable-delay problem. Enforcement risk follows. Durable stock-price damage follows. The SEC clock is one example of a larger pattern we keep seeing in conversations with finance leaders: resilience outcomes rise and fall with the quality and readiness of the underlying financial data.

IV. Diagnosing the Problem: The Wang-Strong Framework

To identify where data quality is limiting AI investment, it helps to return to foundational research. In their 1996 study, Richard Wang and Diane Strong, two renowned researchers in the field of information quality, developed a foundational framework identifying 15 dimensions of data quality organized into four categories. For finance practitioners working with AI-powered controls, four of those dimensions are the most consequential, and each functions as a direct ceiling on what your AI investment can actually deliver.

  • Accuracy: The degree to which the data correctly represents the real-world state. In an AI setting, inaccuracy manifests as hallucinations in risk reporting.
  • Completeness: Whether the data set is comprehensive. This is the dimension that fragmentation undermines most.
  • Timeliness: Whether the data is current. This is the dimension the SEC’s four-day clock implicitly polices.
  • Consistency: Whether the same data uses the same format and carries the same meaning across business units or systems.

The table below maps each leg of the Resilience Triad to the Wang-Strong dimensions most likely to determine whether it holds under pressure and illustrates what the failure pattern looks like in practice when those dimensions are compromised. Each failure pattern in the right column is one most finance leaders will recognize from their own organization.

Resilience Outcome | Critical Data Dimensions | Example Failure Pattern
Continuity | Completeness and Timeliness | The organization that cannot tell you its current vendor concentration exposure or its live anomaly count is running a periodic report dressed up in a dashboard.
Recovery | Accuracy and Consistency | Reconciling inconsistent datasets adds weeks to the recovery timeline.
Confidence | Accuracy and Timeliness | A late or inaccurate SEC filing triggers durable stock-price damage and enforcement risk.

V. Strategic Moves: The Path to Data-Driven Resilience

Achieving resilience is a cross-functional mandate. The CFO owns the data and financial infrastructure. The CIO and the CISO own the technical risk and sign off on security controls.

If the argument above has landed, the question is not whether to fix the data foundation. It is where to start. Choose one for the quarter. Sustained progress beats ambitious plans that stall.

Move: Inventory the strategic data assets. Audit the data sources supporting your top resilience-critical workflows: SOX evidence, vendor risk, fraud detection, M&A diligence, KYC, and model risk. Identify where reconciliation still occurs manually. Build a register that lists the named owner of each dataset, including AI model inventories and the training-data lineage behind them. Then ask the question that matters most: what is the one resilience-critical dataset in your firm that nobody currently owns? The answer is your starting point.

Move: Run a Wang-Strong diagnostic on your critical AI controls. Score your top ten analytics workflows against the four dimensions that matter most for finance practitioners: accuracy, completeness, timeliness, and consistency. The lowest-scoring dimension is your AI ceiling. You will not clear it by buying a better model. The budget-versus-actuals variance that three departments argue about every month is almost never a math problem. It is a consistency failure: the same KPI means something different in each business unit, which means the anomaly models built on top of it are comparing apples to oranges and calling the result a finding.

Move: Pilot agentic AI on unified datasets. Identify one workflow where the data is already clean, or can be made clean quickly, and run your AI pilot there. Journal-entry anomaly detection is the highest-return starting point: master-data inconsistencies across subsidiaries are typically what turns a four-day close into a ten-day one, and they are precisely what make continuous SOX monitoring impossible. Fix that slice. Prove the model. Then scale.

Move: Pre-position the disclosure pipeline. Document the materiality decision tree before you need it. Run a tabletop exercise with legal, investor relations, the CISO, and the audit-committee chair that simulates the four-day window. AI can pre-populate impact estimates the moment an incident is declared, but only if the underlying data has already been unified. If your board has ever asked for real-time resilience visibility and finance needed two weeks to respond, that is an accessibility risk: resilience-critical data living in batch processes, PDF reports, and inboxes. Build the infrastructure now.

Move: Implement NIST-aligned governance. Adopt the National Institute of Standards and Technology (NIST) AI Risk Management Framework, with its govern, map, measure, manage loop, and ensure a human-in-the-loop remains responsible for high-stakes financial decisions. The same IBM report found that 97% of organizations that experienced a breach involving their own AI systems lacked proper access controls. If AI is going to run continuous financial controls across the enterprise, the CFO has to run continuous controls on the AI.

Conclusion: The Narrative of Control

The CFO who leads the data agenda before an incident is often the one who shapes the narrative after it. Solving this requires CFO leadership, not just IT execution. Data unification is the foundation for every AI investment your board wants to fund and every disclosure your legal team may eventually need to make.

The most important question may also be the simplest: what resilience-critical dataset in your organization currently has no clear owner? The answer likely defines your roadmap.

Cyber incidents are becoming balance-sheet events and regulators are compressing disclosure timelines. In that environment, fragmented data is no longer just an inefficiency; it is a liability and limits the value AI can actually produce. AI did not eliminate the importance of data foundations. It amplified it.

The dashboard that shows green when the data is rotten is not a control. It is a liability with a user interface.


Sipei and Rahul are second-year doctoral students and researchers at Saint Mary’s College of California, where both are pursuing a Doctor of Business Administration with a focus on digital transformation. They bring complementary expertise to their collaborative work: deep finance leadership and controls experience on one side, and AI governance and enterprise resilience practice on the other. Together, they help organizations close the gap between AI’s promise and the data foundation required to deliver it.


References

ACFE. Report to the Nations (2024).
DataVisor. 2026 Fraud and AML Executive Report (2026).
IBM. Cost of a Data Breach Report (2025).
NIST. AI Risk Management Framework.
Sustainalytics. The Impact of Cyberattacks on Stock Prices (2022).
U.S. Securities and Exchange Commission. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Item 1.05; Reg S-K Item 106).
Wang, R. Y., & Strong, D. M. (1996). Beyond accuracy: What data quality means to data consumers. JMIS, 12(4), 5–33.

Rahul Chachare


Rahul Chachare is Founder and CEO of Pratripara, a research-led advisory practice at the intersection of AI governance, financial controls, and enterprise resilience. He helps finance leaders treat data as a strategic asset and AI as a governed capability, turning resilience strategy into measurable outcomes across continuity, recovery, and stakeholder confidence. His work spans healthcare, financial services, and the public sector. He can be reached at [email protected]

Sipei Bowman


Sipei Bowman, CPA, MBA, is a finance executive and digital transformation advisor with more than 20 years of senior finance leadership experience across mid-market companies. Her advisory work sits at the intersection of financial controls, data infrastructure, and AI adoption, helping CFOs and Controllers build the operational foundation that AI-powered systems actually require to perform. She can be reached at [email protected].
