Managing cyber risk in the financial sector: Insights from a case study

Purpose: This article focuses on cyber risk as an emerging issue within the risk management process and the internal control system in the financial sector. It investigates whether cyber risk management (CRM) is (dis)integrated into traditional enterprise risk management (ERM) and analyzes the external dynamics affecting the design of CRM.

Design/methodology/approach: This article draws upon institutional theory and the concept of boundary objects. The research examines a listed Italian bank and gathers data from semi-structured interviews, direct observations, meetings, and archival sources.

Findings: The findings underline that the cyber risk rationale plays a crucial role in the CRM process. The interplay between institutional complexity and the need to manage cyber risk is critical for a bank to have a stable and flexible infrastructure. The knowledge boundaries related to the cyber risk culture require further cyber risk talk.

Originality/value: This research furthers the understanding of cyber risk and CRM as an integral part of ERM and internal control systems in the financial sector, where case studies are scarce. The financial sector is highly regulated, and managing cyber risk has become crucial because banks routinely handle enormous amounts of personal and sensitive data stored on networks and in the cloud.

Practical implications: This case study emphasizes the crucial role of CRM in the identification and reporting of cyber risk information in annual reports.
