Skip to Main Content
Federal Reserve Bank of Richmond
Menu

Cyber Risk Conference: Putting Metrics Into Action

Our News
Dec. 15, 2025
Lisa White speaking at the cyber risk conference in Boston
FEDERAL RESERVE BANK OF BOSTON
Lisa White, Executive Vice President of Supervision, Regulation and Credit for the Federal Reserve Bank of Richmond, delivered the closing address to conference participants. Her comments highlighted the complementary roles of risk quantification and professional judgement, the increasing challenge of third-party risk management, and the technological developments shaping the future of the cyber-risk landscape.

As cyber threats and technologies evolve, organizations must update their metrics, risk management approaches and incident response strategies. This was a key theme of the 2025 Cyber Risk in the Financial Sector Conference co-hosted by the Federal Reserve Bank of Richmond, the Federal Reserve Board of Governors, and the Massachusetts Institute of Technology’s Internet Policy Research Initiative in October. This year’s focus, “Putting Cyber Metrics into Action,” brought together experts from industry, government and academia to discuss the growing threat of cyber risk in the financial sector.

Conference Highlights
Panelists at the conference emphasized the need for cyber risk management practices to continuously adapt and evolve in the face of ever-growing risks. There was a consensus that basic cyber hygiene procedures remain critical, and failure to implement them accounts for a significant proportion of cyber risk exposure. The need to move from siloed, business-line specific risk management and to facilitate better communication between cybersecurity practitioners and boards of directors was also highlighted.

Another key discussion point was the need to better harmonize industry-wide risk management standards that align with regulatory requirements across jurisdictions. Speakers noted the challenges of navigating different global standards and frameworks across the U.S. and European Union. Inconsistency among incident reporting requirements was identified as a hindrance to effective information sharing and coordination.

The conference also delved into the impact of technological advancements on the cyber risk landscape, focusing on artificial intelligence (AI) and quantum computing. Participants discussed how firms and malicious actors leverage AI to automate offensive and defensive cyber activities and agreed that AI could increase the speed of vulnerability exploitation and exacerbate risks from existing attack vectors, particularly social engineering. On the flip side, there was optimism that cybersecurity professionals, also equipped with AI tools, could identify, patch and mitigate incidents more efficiently. Conference participants emphasized the importance of a “human-in-the-loop” approach to responsible AI deployment.

Panelists from the Cyber Conference in Boston

Federal Reserve Bank of Boston

Anna Kovner, Executive Vice President and Director of Research at the Federal Reserve Bank of Richmond; Evan Wheeler, Senior Director of Technology Risk Management at Capital One; Scott Fields, Global Head of Technology & Cybersecurity at Goldman Sachs; Jack Jones, Chairman Emeritus at the Fair Institute; and Luke Carrivick, Executive Director at Operational Riskdata eXchange (ORX), participated in a discussion on industry efforts to build actionable cyber risk models.

Quantum computing—an advanced form of computing that uses quantum mechanics to perform calculations much faster than classical computers—was another critical topic. As quantum computing advances, it may be able to break current encryption methods. Industry experts at the conference agreed that this will require firms to rethink data processing, storage and digital infrastructure protection, necessitating years of preparation.

The conference also highlighted the debate between skeptics of cyber risk quantification efforts and those who view these analytics as indispensable. Discussions centered on data quality and the lessons learned from past incidents. Despite mixed opinions on the consistency of existing metrics, there was a general consensus that enhanced data collection and sharing could help remediate current modeling deficiencies. Combining quantitative analysis with structured scenario design and expert judgment was identified as a powerful strategy for improving cybersecurity hygiene.

An international panel discussed the potential impact of severe cyber incidents on financial system stability to global financial stability. The panel agreed that without redundancies in critical service providers, cyber events can quickly turn into liquidity shocks. This discussion brought the challenge of third-party risk management into focus, emphasizing the need for a coordinated effort involving national authorities, regulators, private corporations and technical specialists to build a robust and integrated cyber defense ecosystem.

This year’s conference underscored the importance of collaboration between government, industry, and academia to stay ahead of evolving cyber threats. By refining measurement and models, the financial sector can better manage cyber risks and ensure the resilience of the financial system. The Richmond Fed has fostered this collaboration since the first conference in 2022 and will continue to support the important focus on cybersecurity metrics and modeling in financial services.

Lisa White, Executive Vice President for Supervision, Regulation and Credit, closed the conference with this commitment: "After the past two days, it’s even clearer to me that we need to remain laser focused on this topic. Given the pace of change in this area, we are never going to fully solve or eliminate the challenges that have been discussed. This is why the opportunity to convene this type of group of experts is so helpful. Going forward, we plan to complement this conference with regular, focused engagement between the financial industry, academia and government to help navigate the uncertain and complex road ahead more effectively."

An important part of the Fed’s role in helping to ensure a safe, sound and stable banking and financial system is the supervision of banks’ cyber risk management practices. At the Richmond Fed, our Supervision, Regulation and Credit team partners with the Board of Governors and other Reserve Banks across the Federal Reserve System to provide financial institutions with resources and training opportunities to complement their cyber risk practices. An executive summary of the conference can be found here. For more information or to be added to the mailing list for upcoming events, please email CRFSconference@rich.frb.org.

Share this page on LinkedIn

Topics

Community Banking
Subscribe to News

Receive an email notification when News is posted online:

Subscribe to News

By submitting this form you agree to the Bank's Terms & Conditions and Privacy Notice.

Contact Icon Contact Us
Jim Strader