TY - JOUR
T1 - Managing Cyber Risk in the Financial Sector
T2 - Insights from a Case Study
AU - Crovini, Chiara
AU - Marchini, Pier Luigi
PY - 2023
Y1 - 2023
N2 - This article focuses on cyber risk as an emerging issue within the risk management process and the internal control system in the financial sector. The research examines a listed Italian bank with the twofold aim of investigating whether cyber risk management (CRM) is (dis)integrated into traditional enterprise risk management (ERM) and analyzing the external dynamics affecting the CRM design. This article draws upon institutional theory and the concept of boundary objects, and the data were gathered from semi-structured interviews, direct observations, meetings, and archival sources. The findings underline that cyber risk’s rationale plays a crucial role in the CRM process. The interplay between the institutional complexity and the need to manage cyber risk is critical for a bank to have a stable and flexible infrastructure. The knowledge boundaries related to the cyber risk culture require further cyber risk talk. This research extends the analysis of cyber risk and CRM and highlights the need to balance the robust and plastic components of CRM. Moreover, as a practical contribution, this case emphasizes the crucial role of CRM in the identification and reporting of cyber risk information in annual reports.
KW - cyber risk management
KW - internal control system
KW - multi-perspective approach
KW - case study
KW - financial sector
KW - risk information
U2 - 10.3280/FR2023-001004
DO - 10.3280/FR2023-001004
M3 - Journal article
SN - 2036-6779
VL - 1
SP - 97
EP - 125
JO - Financial Reporting
JF - Financial Reporting
ER -