Skip to Main Content


Cyber Risk Workshop

Digital Sign with Cyber Attack highlighted in red

Wed., Nov. 20, 2019
8:30 a.m. - 5 p.m.

Charlotte Branch, Charlotte, NC

Directions  /  Parking


The Federal Reserve Bank of Richmond, in collaboration with the Board of Governors and the Federal Reserve Bank of New York, organized a cyber-risk workshop on November 20, 2019, at its Charlotte, North Carolina branch. The main goal of the workshop was to provide an open forum for discussion of the “Cyber Risk Definition and Classification for Financial Risk Management”  whitepaper made public in August 2019. The workshop involved over 65 attendees from the banking industry, academia and U.S. regulatory agencies. Workshop resources can be found in the agenda and presentations.

The whitepaper aims to define and classify cyber risk for the purpose of financial risk management. The paper outlines cyber risk related definitions, a detailed classification scheme and proposed data collection schedules.

The main objective of our effort is to facilitate information sharing related to cyber risk and subsequently enhance collective knowledge of cyber risk management. Our effort also includes a data collection aspect, and we plan to finalize the scope and mandate of this data collection in the near future.

Call for comments: We have received a great amount of feedback from the workshop participants. Based on this feedback, we have identified the main themes that would benefit from further discussion. We would like to hear from experts and potential stakeholders on these themes (listed below) and any other topic deemed relevant to the white paper. The deadline for feedback submission is January 31, 2020.

Main themes for further discussion:

  • Capturing indirect costs of a cyber-risk event: Besides capturing the direct monetary cost following the event, there are potential indirect costs (reputational, remediation, etc.). Are institutions already estimating those indirect costs? If not, what additional value would capturing these costs provide to the firms?
  • Costs: We are looking for suggestions related to making the cyber data collection efforts more cost effective. What are some specific suggestions that would help us accomplish this goal? What is the best possible way for your institution to leverage existing data platforms for the purpose of data submission?
  • Controls: What is the best way to standardize cyber-related controls across financial institutions? Can your firm identify the control(s) that failed in a cyber-risk incident?
  • Data on actors: What are the costs and benefits, from a risk management perspective, to collecting data on IT-related dimensions of cyber risk, such as the Actor/Attacker information, etc.?
  • 3rd Party: What additional data are of interest, and can be collected, related to cyber losses originating from 3rd party incidents?
  • Threshold: For cyber events with financial losses, is there a preferred dollar threshold for collecting data?
  • Intention: What is your stance on collecting data related to events that happened unintentionally or due to error?
  • Emerging threats: What additional new dimensions of data would help identify emerging threats related to cyber risk?
  • Aggregate data: How do we make aggregate data collection relevant? What aspects are the most important to capture and share?

Contact Information:

If you’d like to provide feedback on any or all of the above questions, you can contact the team via:

  1. Email: Contact the Rich SRC Cyber team
  2. LinkedIn: Please feel free to message Filippo Curti, Sophia Kazinnik, Michael Lee or Atanas Mihov.
  3. Phone: Please contact the Rich SRC Cyber team to schedule a phone call with the team.

To encourage frank and open exchange, the conference will be conducted under the Chatham House Rule. All attendees are welcome to use the information from the conference, but they should not attribute specific statements to individuals or institutions.

phone Contact Us