The scale of recent attacks and the resulting media attention, supervisory pressure to upgrade cyber risk management, and the pace of technology innovation that institutions must keep up with are all increasing rapidly. These factors are compelling financial institutions to develop a clear understanding of the cyber risks they face and to determine the level of cyber risk the institution is willing to accept.
An effective, measurable, and actionable cyber risk appetite (the set of statements and metrics that articulate the views of the Board of Directors and senior management about the scope and level of cyber risk the institution is willing to accept) provides institutions with a risk management capability to set and communicate strategic boundaries for cyber risk-taking across the institution.
Boards of Directors are increasingly requesting from senior management a coherent articulation of the institution’s cyber risk appetite that is linked to the business model and strategy and integrated into enterprise risk management. More advanced institutions have already been on the journey to adopt and use cyber risk appetite as a tool for decision making. Others are now playing catch-up. Developing an effective, measurable, and actionable cyber risk appetite is difficult, especially given the fast-changing nature of this risk and the fact that cyber acts as a gateway to other non-financial and financial risks. The blurred boundaries between cyber and other risk types need to be conscientiously addressed as part of the risk appetite design, in order to avoid, or at least clearly understand, forms of “double counting”.
In our experience, the journey of developing a cyber risk appetite is as important as the cyber risk appetite itself. It is therefore essential to engage senior management and the Board of Directors through a structured design approach that combines raising awareness with gathering their input. In so doing, it becomes clear why a zero appetite for cyber risk is simply not realistic.