The increasing cyber risk agenda in financial organizations













For many years, bank board directors have placed the highest priority on cybersecurity. However, the 12th EY annual global bank risk management survey, conducted by EY and the Institute of International Finance (IIF), shows how complex the cyber risk landscape has grown.

The study identifies areas where CROs believe boards should focus their attention after surveying chief risk officers (CROs) or other senior risk executives from 88 banks in 30 countries around the world. Participating banks were headquartered in Asia-Pacific (11%), Europe (16%), Latin America (18%), the Middle East and Africa (19%), and North America (36%), and 14% were global systemically important banks (G-SIBs).

Respondent CROs identified cybersecurity risk as their top concern for the upcoming year and believe that boards should prioritize it as well. This may be surprising, given the large financial investments that have already been made to protect crucial data assets and core systems. However, CROs view cyber dangers as pervasive and as potentially originating from a variety of external sources. These include criminal organizations, state-sponsored organizations, and even lax internal breaches. Additionally, since hackers constantly look for weaknesses and use increasingly sophisticated approaches, cyber dangers are always evolving.

The global banking system’s extensive connectivity poses significant cyber risks, amplified by technology ecosystems, partnership-driven strategies, geopolitical unrest, and previous global economic factors, elevating the importance of cyber threats on CRO agendas. In the wake of the banking crisis in March 2023, credit risk worries are undoubtedly on the rise and are likely to intensify board scrutiny.

These variables explain why CROs, despite believing their own internal systems to be largely secure, view cyber risk as most likely to cause a major operational interruption. In fact, the recent spate of breaches that have struck various local banks, e-wallets, and payment systems clearly demonstrates how cyber attackers continually find ways to circumvent security systems, often through sophisticated phishing, social engineering, or other stratagems. Access to the appropriate data and constant engagement of CROs, chief information security officers (CISOs), and first steps in a board’s ability to effectively supervise cyber risk management.

In line with this, the following takeaways from the study can help board members in the financial services industry and other sectors stay vigilant and strengthen cybersecurity oversight.

CROs believe boards share their view in prioritizing cyber risk

CROs share that their views are largely in line with their board’s view of risk priorities, with cyber risk on top at 72%, credit risk coming in second at 45%, and environmental risk coming in third at 39%. If the macroeconomic environment deteriorates further or if there are more bank defaults, this ranking may change.

Boards will have to ensure that they understand the relationships between cyber risk and other top-priority risks. They also have to allow ample time to address organizational cyber risk through their three lines of defense: the CRO, CISO, and Internal Audit Director. In order to navigate a complex risk environment that demands a comprehensive understanding of both individual hazards and the relationships among them, boards must frequently challenge the organization’s risk appetite in the context of cyber risk prevention, detection, and remediation.

Cyber risk is exacerbated by geopolitical risk

The connection between geopolitical and cyber risk demonstrates how intricately many risk categories are interconnected, and CROs view these threats differently. As much as 58% of CROs at G-SIBs saw China’s shifting role in the world as a serious risk, compared to only 32% of CROs at non-G-SIBs. These gaps demonstrate the need for every bank to evaluate its cyber risk profile in light of its particular operational and geographical footprint.

Boards will have to determine how often they evaluate their organization’s risk profile to reflect ongoing geopolitical trends. In addition, boards must consider what roles their geographic footprint and use of offshoring and outsourcing partners play in their efforts to track cyber risks.

Business innovation and transformation may create vulnerabilities

CROs are paying increasing attention to growth and innovation strategies, such as new business models, ecosystem plays, and the development of digital products. CROs are also interested in programs for digital transformation that heavily rely on AI and machine intelligence. However, these present possible cyber dangers due to connections to other parties. In order to effectively de-risk information technology, boards will need to stay updated on cyber threats and digital transformation trends, especially when developing and implementing ecosystem plans.

Effective board governance in cybersecurity entails supporting CROs in risk management

Successful cyber risk management requires board members and CROs to collaborate. In particular, boards must support CROs as well as the whole business in protecting vital assets and systems from cyber threats. This collaboration starts with asking the proper questions to push senior management and business leaders to drive responsibility for current cybersecurity procedures and outcomes.

Wilson P. Tan is the chairman and country managing partner of SGV & Co. and the president of FINEX. This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the author and do not necessarily represent the views of SGV & Co. and FINEX.
