
Cyber Risk Conference Unites Academia, Government and Industry

Karmen Yu of the Federal Reserve System and panelists discuss cyber threat analysis and scenario development.

The Richmond Fed, in partnership with the Federal Reserve Board and the Massachusetts Institute of Technology, presented a conference to hear from participants in academia, government and industry about the importance of measuring and tracking cyber risk across the financial system.

The Measuring Cyber Risk in the Financial Services Sector Conference was held on MIT’s campus in Cambridge, Massachusetts, on September 7 and 8.

Risk management is a shared interest among the organizations. MIT’s Internet Policy Research Initiative, the event’s host, collaborates with policymakers and technologists to provide guidance for policies regarding cybersecurity and internet privacy.

In addition to housing the Federal Reserve System’s National IT organization, the Richmond Fed focuses on cyber risk at banks through its Supervision, Regulation and Credit department. SRC’s Quantitative Supervision and Research unit provides analytics and research related to cyber risk. SRC’s annual Community and Regional Banking Forum, scheduled for next month, is designed to educate Fifth District bank executives about evolving cyber risks and establishing effective risk management programs.

A Threat to the Financial System

At its core, cyber risk involves potential business disruption or damage to information systems that could lead to monetary loss or reputational damage.

In an opening fireside chat, Richmond Fed President Tom Barkin noted that, as a regulatory body, the Federal Reserve spends significant time examining risks posed to banks, but that bigger potential risks exist when one considers the financial system as a whole. Successful cyberattacks and data breaches could have significant effects that would undermine the public’s confidence in the financial system.

As cyber risk management evolves, so does the need for better data, metrics, collaboration and transparency. Other risk areas, including operational risk, credit risk and market risk, have had time to mature, and as a result, have more advanced metrics. In contrast, Barkin and other panelists over the two days agreed that, relatively speaking, they are in the early days of developing an understanding about the scope and nature of threats.

A Human Problem

While it’s easy to solely focus on the outcomes of cyberattacks, Barkin delivered an important reminder about cyber risk.

“It’s also a human problem,” he said.

Potential human vulnerabilities extend to phishing and ransomware threats and inadequate controls for user access – which could include employees with too much access or third- and fourth-party vendors mishandling information.

“People can be vulnerable to attacks,” said Kemba Eneas Walden, who represented the White House’s Office of the National Cyber Director. Walden said that “active collaboration beyond information-sharing” is also key to resilience and improving data.

In the spirit of collaboration, Andrew Lo, the Charles E. and Susan T. Harris Professor at the MIT Sloan School of Management, noted that bridging the cultural gap between economists, computer scientists and practitioners is needed as the field evolves.

A panel moderated by Tammy Hornsby-Fink, the Federal Reserve’s Chief Information Security Officer, widened the lens on human elements. Panelists discussed the importance of attracting talent and building culture within the risk management industry.

Members of the Richmond Fed’s Quantitative Supervision and Research unit pose during the event.

Barriers to Improving Metrics, Data and Transparency

Throughout the conference, speakers discussed the need for more consistency in the industry as threat actors get more creative and sophisticated. Inconsistencies in cyber risk criteria, processes and approach are a barrier to developing metrics, best practices and a standardized model for cyber risk management.

Policies and laws around sharing information can prove to be an obstacle to greater data quality and transparency. “Transparency and privacy can both be achieved,” said Lo, hopeful that there is a way to strike a balance that ensures legislators, regulators and others can do their jobs.

“One of the challenges of this profession is that it is so complex and so nuanced,” said Karmen Yu, Cyber Threat Intelligence Officer for the Federal Reserve System. “Risk isn’t just a lack of controls. It’s not just a threat actor. It’s more of a narrative and a story [and we need to] evolve to see the pieces of data to support the narrative.”

Jeff Gerlach, Vice President of the Bank’s QSR unit, stated that collecting structured data on “near misses” would help organizations better prepare for cyber incidents. “We have heard from many cyber specialists in industry and academia that having data on these potentially costly but ultimately unsuccessful cyberattacks would be one of the most effective ways to learn how to prevent future attacks,” he said.

As cyber risk professionals work to overcome these barriers and define foundational practices, they will benefit from a collaborative approach that engages the expertise of those throughout academia, government and industry.


Contact Us

Jim Strader (804) 697-8956 (804) 332-0207 (mobile)