The size, scale, and impact of cybersecurity issues in the financial services industry can seem overwhelming to bank security and technology teams. Cyberattacks are persistent, regulations are changing, and new threats are emerging constantly as customers embrace new ways of interacting with their financial services providers.
In such an environment, those charged with addressing cybersecurity issues often find it difficult to maintain focus and long-term direction. Organizing their approach into six major steps can help banks structure their efforts and accelerate their cybersecurity capabilities.
Step 1: Establish the cybersecurity risk appetite
Establishing an organization’s cybersecurity risk appetite – that is, preparing a general statement of how much risk the organization is willing to take as part of its normal business operations – can frame its risk management process, optimize performance, and help meet stakeholder expectations. The cybersecurity risk appetite should reflect an appropriate balance between caution and opportunity. It should not, therefore, be zero – no risk means no opportunity for organizational growth or success.
The development of the cybersecurity risk appetite should involve stakeholders including the board of directors and senior executives, as well as the senior leaders of the security and risk management teams. Such broad involvement is necessary because, ultimately, the purpose of the risk appetite is to frame the overall cybersecurity risk management process in a way that helps optimize business performance and meet those stakeholders’ expectations.
The cybersecurity risk appetite is not purely a technical statement and generally does not address specific tools, controls, or metrics. Instead, it should express the organization’s risk tolerance in terms that are clear, forward-looking, and linked directly to the bank’s business model, culture, and strategic goals.
Exhibit 1 offers a generic cybersecurity risk appetite statement. The exhibit is an example only and should not be adopted verbatim.