
Why hyper-specialisation blinds firms to financial losses hidden behind digital delivery.
When firms treat ransomware and fraud as ‘cyber events’, they reclassify a financial crime into a technical issue and accountability slips through the cracks.
By Rois Ni Thuama, 29th October 2025
At the ‘International Anti-Financial Crime Conference 2025’ in London this month, one panellist observed that deep silos within large organisations act as a constraint on efficiency.
That comment, almost in passing, captures the essence of a broader governance problem – the systemic misclassification of financial crimes as cyber incidents.
The proliferation of specialist teams in information security, fraud, compliance, and risk has created impressive technical capability, but often at the cost of integration. When an attack occurs, it rarely announces itself neatly as “financial” or “digital.” Yet how a business labels it determines who responds, who owns the risk, and who is ultimately accountable.
Ransomware: the digital delivery of financial crime
Strip away the code and encryption keys, and ransomware is Section 21 of the Theft Act 1968: demanding money with menaces. It’s extortion. The use of malware is a method, not a definition. That distinction matters.
By classifying ransomware purely as a “cyber” problem, many organisations push ownership down to the IT or information-security team, the very people least equipped to handle the legal, financial, and disclosure consequences that follow.
From a financial-crime perspective, ransomware demands involve:
1. Money flow (often via cryptocurrency);
2. Proceeds of crime (the payment itself may constitute an offence);
3. Potential sanctions exposure (if payment is made to a designated entity or jurisdiction).
This isn’t just a technical incident. It’s a compliance and governance event that reaches straight to the boardroom.
Fraud by phishing – same offence, new delivery
Blackmail, fraudulent misrepresentation, and deception offences have existed for centuries. When these arrive via email, text, or a cloned website, the digital wrapper doesn’t transform the underlying crime.
For example, invoice-redirection fraud, where attackers intercept or mimic supplier communications to reroute payments, is often logged as a “cyber incident.” In reality, it’s a fraudulent diversion of funds: a financial crime with AML and reporting implications.
Treating it as a cybersecurity problem risks missing obligations under:
– The Proceeds of Crime Act 2002 (reporting of suspicious activity);
– The Money Laundering Regulations 2017 (adequate systems and controls);
– Internal financial-control frameworks under the Companies Act 2006.
The root issue isn’t digital. It’s financial.
Misunderstanding the nature of loss
Even when ransomware or data theft causes operational paralysis, the loss suffered is rarely “digital.” If an organisation loses access to intellectual property, client data, or operational systems, it loses the ability to generate value. That loss is economic.
Three layers are visible:
1. Primary loss — value of the inaccessible asset (e.g. design files, IP, customer data);
2. Secondary loss — cost of restoring systems or rebuilding infrastructure;
3. Tertiary loss — reputational damage, customer attrition, share-price impact.
Each layer is measurable in financial terms. When an insurer assesses coverage, it doesn’t ask how clever the malware was. It asks whether the insured took reasonable care, whether controls were in place, and whether the loss falls within covered perils. If reasonable care cannot be demonstrated, insurance may not bite. That’s a financial consequence of a governance failure, not a digital one.
The problem of hyperspecialisation
The problem with hyperspecialisation is that it drives the formation of silos. When every function optimises for its own niche, collective awareness erodes. The result is friction, duplicated effort, and slow or fragmented responses at exactly the moment cross-functional coordination is most needed. Inside most large organisations, the response to an incident remains split along functional lines.
– Information security focuses on containment and recovery;
– Legal and compliance worry about disclosure;
– Finance and risk appear only once losses crystallise.
By the time the issue is recognised as a financial crime, it has already been treated, reported, and sometimes buried as a technical event. This is the governance blind spot created by hyperspecialisation: the technical team may fix the symptom, but the control environment that allowed the breach (weak oversight, poor segregation of duties, or supplier mismanagement) remains untouched.
Where oversight should sit
Technical solutions rightly belong to information security. But oversight, meaning the question of reasonable care, regulatory reporting, and systemic weakness, must sit with risk and compliance.
These functions already own:
– AML and financial-crime risk assessments;
– Control testing and monitoring;
– Incident reporting;
– Insurance disclosures;
– Board-level risk reporting.
They are trained to interpret financial impact and regulatory consequence, not just technical remediation.
Regulatory convergence: financial, operational, cyber
Modern regulation recognises this need for integration. Under NIS2, DORA, and the UK Cyber Governance Code of Practice, boards are explicitly accountable for oversight of security and resilience. Meanwhile, under FCA Principle 3 and SYSC 3.2, firms must maintain systems and controls adequate to manage all material risks, including operational and financial-crime risk.
These regimes converge on one principle: boards must ensure that controls are effective, tested, and documented. Treating ransomware as a technical issue misses the fact that it also triggers obligations under financial-crime laws, disclosure rules, and directors’ duties, notably Companies Act 2006 s.174, the duty to exercise reasonable care, skill, and diligence.
Why this matters for directors
When incidents are misclassified, accountability becomes distorted. Boards may receive assurance that “the incident was contained,” yet remain unaware that a potential financial crime went unreported or that internal controls failed.
The consequences are serious:
1. Regulatory exposure: failure to report a suspicious transaction or control breach;
2. Insurance denial: inability to prove reasonable care;
3. Reputational damage: perception of weak governance.
An integrated approach ensures that digital events with financial consequences are logged, escalated, and reviewed through the same lens as other financial crimes.
A call for convergence
The boundary between financial crime and cybercrime has outlived its usefulness. Extortion, deception, and negligence all pre-date the internet. What’s new is the speed and scale with which harm can occur. Reframing these incidents as financial crimes with digital delivery mechanisms recentres accountability where it belongs: with leadership, oversight, and governance.
For compliance and risk teams, that means:
– Mapping the financial implications of digital incidents;
– Incorporating them into AML and control frameworks;
– Ensuring escalation flows upward, not sideways;
– Training boards to recognise that “cyber risk” is a financial risk in disguise.
When responsibility is shared across functions rather than trapped within silos, firms move from firefighting to foresight.
Recentring Cyber Incidents within the Financial Function
The time has come to reposition cyber-related financial crimes within the financial function, not the information-security silo. Information security teams are indispensable technical experts, but they are not trained to assess financial exposure, materiality, or reporting thresholds. When the locus of control sits exclusively with infosec, the problem is framed as a technical failure rather than a financial event, and key governance mechanisms remain dormant.
Recentring these incidents under the Chief Financial Officer (CFO) or Chief Risk Officer (CRO) ensures alignment with existing responsibilities for:
• Loss quantification and financial reporting (Companies Act 2006; IFRS/GAAP);
• Insurance, indemnity, and capital adequacy;
• Internal controls and assurance frameworks under SYSC and MAR;
• Suspicious activity reporting under POCA and MLRs;
• Disclosure obligations to shareholders and regulators.
This does not diminish the role of information security; rather, it embeds it within a financially literate control environment. Infosec teams provide the “how.” Finance and risk functions own the “so what”: the valuation, disclosure, and defensibility of the response.
Reclassification achieves three things:
1. Clarity of accountability — losses are financial and must be treated as such.
2. Regulatory coherence — financial-crime and disclosure regimes take precedence over internal jargon.
3. Strategic resilience — boards can measure, fund, and insure risk with the same rigour as any other balance-sheet item.
A board that treats ransomware as a financial risk event, subject to capital planning, insurance validation, and disclosure, will have a more complete and defensible posture than one that treats it as a “cyber incident.”
In conclusion:
Ransomware, blackmail, and phishing are not exotic technical crimes. They are digital variants of long-recognised financial offences. The loss is not virtual, it’s financial. The required controls are not purely technical; they are governance and accountability mechanisms. And the remedy is not more hyperspecialisation, but smarter integration.
The Author:
Dr Rois Ni Thuama is the founder of RT Consulting and creator of the RAPID-T™ framework for executive-level risk governance. She advises boards, governments, and regulated firms on digital resilience, legal accountability, and the intersection of law, technology, and leadership.
Postscript: Recentring Legal and Governance Leadership
As firms begin to reclassify digital incidents through a financial-crime lens, the next step is to ensure that legal and governance teams play a leading role. Cyber-related financial crimes trigger duties that reach beyond finance and risk: statutory obligations under the Companies Act 2006, disclosure requirements, and the principles of the UK Corporate Governance Code.
Embedding General Counsel and the Company Secretary alongside the CFO and CRO aligns financial, legal, and fiduciary accountability – creating the defensibility regulators now expect.
First posted:
AML Intelligence Website, Dated 29th October 2025, OPINION: How Financial Crime has been allowed be mis-classified as cyber incidents – AML Intelligence
