Deploying a Cyber Risk Strategy

Five Key Moves Beyond Regulatory Compliance

Financial institutions are acutely aware that Cyber Risk is one of the most significant perils they face and one of the most challenging to manage. The perceived intensity of the threats, and Board level concern about the effectiveness of defensive measures, ramp up continually as bad actors increase the sophistication, number, and frequency of their attacks.

Observing these developments, regulators are prescribing increasingly stringent requirements for Cyber Risk management. New and emerging regulation will force changes on many fronts and will compel firms to demonstrate that they are taking cyber seriously in all that they do. However, compliance with these regulations will only be one step towards assuring effective governance and control of institutions’ Cyber Risk.

In this paper, we explore the underlying challenges of Cyber Risk management and analyze the nature of increasingly stringent regulatory demands. Putting these pieces together, we frame five strategic moves which we believe will enable institutions to satisfy their business needs, their fiduciary responsibilities with regard to Cyber Risk, and regulatory requirements:

  1. Seek to quantify Cyber Risk in terms of capital and earnings at risk
  2. Anchor all Cyber Risk governance through risk appetite
  3. Ensure effectiveness of independent Cyber Risk oversight using specialized skills
  4. Comprehensively map and test controls, especially for third-party interactions
  5. Develop and exercise major incident management playbooks