Cyber risk management: the focus shifts to governance

April 2017

“The adversaries relevant to your firm come and go, but somebody is always trying to hurt you. They range from hacktivists to organized crime to nation-states playing a long game. This is a dynamic, asymmetric risk.” 


Cyber risk has attracted a great deal of attention in recent years, and banks have made substantial investments in cybersecurity. Despite this, cyber risk and data security are still the top operational risk concerns in 2017, according to a recent survey of risk professionals. “The cyber threat is increasing by the day. All you have to do is pick up a paper and you see the impact. It is a moving target that can only get worse,” said one director. Indeed, media headlines are dominated by state actors hacking elections and nefarious groups attacking a wide range of companies, with banks among the most targeted. Customers, investors, and regulators all want assurances that boards understand the risks and are doing the utmost to ensure banks are managing them.  

Over several months, culminating with meetings on February 23, 2017 in New York and March 16, 2017 in London, Bank Governance Leadership Network (BGLN) participants shared perspectives on the practical challenges that boards and risk management teams face in the oversight of cybersecurity. This ViewPoints synthesizes the perspectives and ideas raised in the meetings, as well as in nearly 30 conversations beforehand with directors, executives, supervisors, and banking professionals. A list of individuals who participated in discussions can be found in Appendix 1. A companion ViewPoints entitled Banking in transition: overseeing non-financial risk in the midst of technological and business model transformation captures content relating to other non-financial risks and managing the transformation agenda. Themes, insights, and observations from those discussions are summarized in the following sections:

  • Cyber vulnerability presents unique challenges for risk management and oversight

  • Regulatory authorities are becoming more prescriptive in defining cyber risk expectations