The findings of our research highlight a reality that extends beyond Moldova. Cyber threats do not respect borders, and national boundaries offer little protection against the asymmetric nature of cyberattacks. In today’s interconnected digital economy, vulnerabilities in one jurisdiction can quickly cascade across supply chains, financial systems, and critical infrastructure.
Nearly 60% of organizations worldwide report that geopolitical tensions are influencing their cybersecurity strategies. Moldova’s geographic position — at the edge of the European Union and in proximity to active geopolitical cyber conflict zones — increases its exposure to hybrid threats and digital disruption.
As a small and developing economy, Moldova faces structural constraints in absorbing the financial and operational impact of major cyber incidents. Limited institutional capacity, shortages of specialized expertise, and resource constraints increase vulnerability, particularly as the country accelerates its digital transformation.
At the same time, decision-makers increasingly recognize cyber risks, yet investment and strategic action remain insufficient. This gap between awareness and preparedness is not unique to Moldova, but its impact is amplified in emerging economies.
A Gap Between Cyber Reality and Audit Practice
The research reveals a critical misalignment between the growing sophistication of cyber threats and traditional financial audit frameworks.
Cyber incidents are increasing in frequency and complexity — from DDoS attacks and ransomware to AI-generated phishing and deepfake-enabled fraud. Yet financial audits often remain compliance-driven, relying on checklist approaches rather than risk-based cyber assessments.
This limitation is especially visible outside regulated sectors, where cybersecurity governance is weaker and cyber risks are assessed only superficially.
Cybersecurity is no longer a technical support function. It is a strategic business objective essential to:
• protecting organizational assets,
• ensuring operational continuity,
• safeguarding financial reporting integrity,
• maintaining stakeholder trust.
Despite this, cyber risks are still frequently perceived as operational IT issues rather than strategic risks — particularly among SMEs and public sector institutions lacking regulatory enforcement and resources.
A Growing Global Risk — and Underinvestment
Recent global incidents demonstrate that even large, well-resourced organizations remain vulnerable. Major cyber breaches at leading multinational companies have resulted in hundreds of millions in losses and severe reputational damage.
At a macroeconomic level, cybercrime is projected to cost the global economy over $10 trillion annually, rising significantly in the coming years.
Yet cybersecurity investment across much of Europe remains disproportionately low relative to national GDP. This mismatch between escalating cyber risk and insufficient investment reflects a broader failure to prioritize cybersecurity within both public policy and corporate strategy.
The Audit Profession Must Evolve
The findings indicate that the audit profession must expand its scope and capabilities to remain relevant and effective.
Participants emphasized the need to move beyond compliance questionnaires and IT checklists toward risk-based assurance that includes:
• technical evidence review,
• incident and vulnerability analysis,
• evaluation of business continuity and recovery readiness,
• third-party and cloud service risk assessment,
• penetration testing and security validation.
They also highlighted the importance of stronger collaboration between financial auditors and cybersecurity specialists, along with enhanced professional qualifications.
Cyber risk evolves rapidly. Audit methodologies must evolve accordingly.
Recommendations: Building Cyber Resilience in Moldova
Strengthening Moldova’s cyber resilience requires coordinated action by audit firms, organizations, regulators, and policymakers.
Integrating Cyber Risk into Audit Methodologies
Audit firms should embed cybersecurity considerations into planning and fieldwork, particularly under ISA 315 (Revised). This includes aligning cyber risks with financial statement assertions and performing targeted procedures such as reviewing incident response capabilities and endpoint protection metrics.
Audit teams must increasingly combine financial, IT, and cybersecurity expertise. When high cyber risk is identified, involving certified cybersecurity specialists should become standard practice.
Scenario-based testing — such as phishing simulations and ransomware response exercises — can provide practical insights into organizational readiness.
Strengthening Cyber Governance within Organizations
Organizations, particularly SMEs and public institutions, should reinforce governance structures and internal controls, including access management, segregation of duties, and continuous monitoring.
Executive leadership engagement is critical. Cyber risk cannot remain confined to IT departments. Board-level awareness and training are essential for integrating cybersecurity into strategic decision-making.
Employee awareness and incident response readiness must also be strengthened to address the persistent human factor risk.
Advancing National Cybersecurity Resilience through Regulation
Regulatory institutions have a vital role in promoting systemic resilience. Moldova would benefit from developing a national cybersecurity audit framework aligned with international standards such as ISO 27001, NIS2, and ISA 315.
While the banking sector has advanced under regulatory oversight, structured cyber resilience assessments should extend to other critical sectors, including telecommunications, utilities, and public administration.
Moldova’s participation in the EU Digital Europe Programme provides access to funding that can support regulatory modernization, cybersecurity capacity building, and cross-border resilience initiatives.
Additionally, policymakers should encourage the development of the cyber insurance market to help organizations manage financial exposure to cyber incidents.
Finally, the country should begin quantifying the economic impact of cyber incidents. A national cyber risk impact report would support evidence-based policymaking and investment decisions.
From Vulnerability to Resilience
Integrating cybersecurity into financial audit practices is no longer optional — it is a strategic imperative.
Moldova’s economic fragility, geopolitical exposure, and reliance on compliance-driven audit methods increase systemic vulnerability. Yet these challenges also present an opportunity.
Through professional upskilling, regulatory modernization, and public-private collaboration, Moldova can transition from passive exposure to active cyber resilience.
The future relevance of the audit profession — and the stability of the digital economy — will depend on how effectively this transition is managed.