As cybersecurity threats continue to increase in the financial services industry, banks and credit unions must work harder to meet regulatory expectations. Regulators are taking a deeper look at financial institutions’ policies and procedures to ensure that these institutions can effectively safeguard confidential and non-public information. This includes ensuring financial institutions have a Board-approved Cyber Risk Appetite Statement.
Regulators are not only looking to ensure financial institutions have a cyber risk appetite statement in place, but also that it is being used to monitor and manage the institution’s cyber risk. In fact, risk appetite is mentioned more than 6 times in the FFIEC’s Cybersecurity Assessment Tool (CAT). The Overview for CEOs and Board of Directors released with the CAT by the FFIEC states that it is the responsibility of the Board, or an appropriate Board committee, to “engage management in establishing the institution’s vision, risk appetite, and overall strategic direction.”
What is Cyber Risk Appetite? Safe Systems’ Compliance Guru gives us a good working definition of risk appetite: “The amount of risk that an enterprise is willing to pursue and accept in order to achieve the goals and objectives of their strategic plan.” In other words, risk appetite is a decision by the Board and Senior Management that the residual risk level is acceptable. Residual risk is the risk remaining after controls have been applied. Before the Board can define a cyber risk appetite statement, it must have a clear understanding of the institution’s risk profile. This allows the Board to clearly define the institution’s risk tolerance, which is then used to inform management’s decision making. For example, before an institution begins offering a new service, management should validate that the amount of risk remaining after controls have been applied (the residual risk) is within the defined risk appetite. If it is not, management should determine whether additional controls can be applied to bring the risk within acceptable limits, or else reevaluate the service.
Failure to have a cyber risk appetite statement not only puts a financial institution at risk of violating regulatory requirements but can also lead the institution to improperly manage its cyber risk. Defining a cyber risk appetite allows an institution’s Board of Directors to set the tone for risk management throughout the financial institution.