Managing Cyber Risk in the Financial Sector: Insights from a Case Study

Chiara Crovini*, Pier Luigi Marchini

*Corresponding author

Publication: Contribution to journal, Journal article, Research, peer-reviewed

Abstract

This article focuses on cyber risk as an emerging issue within the risk management process and the internal control system in the financial sector. The research examines a listed Italian bank with the twofold aim of investigating whether cyber risk management (CRM) is (dis)integrated into traditional enterprise risk management (ERM) and analyzing the external dynamics affecting the CRM design. This article draws upon institutional theory and the concept of boundary objects, and the data were gathered from semi-structured interviews, direct observations, meetings, and archival sources. The findings underline that cyber risk’s rationale plays a crucial role in the CRM process. The interplay between the institutional complexity and the need to manage cyber risk is critical for a bank to have a stable and flexible infrastructure. The knowledge boundaries related to the cyber risk culture require further cyber risk talk. This research extends the analysis of cyber risk and CRM and highlights the need to balance the robust and plastic components of CRM. Moreover, as a practical contribution, this case emphasizes the crucial role of CRM in the identification and reporting of cyber risk information in annual reports.
Original language: English
Journal: Financial Reporting
Volume: 1
Pages (from-to): 97-125
ISSN: 2036-6779
DOI
Status: Published - 2023
