The Role of Cyber Risk Governance in US Financial Institutions
Abstract
The U.S. financial sector's rapid digital transformation has brought cyber risk to the forefront as a distinct, large-scale issue for economic stability and public trust. In this study we examine the present state of cyber risk governance (CRG) in U.S. financial institutions by looking at which regulatory frameworks are in play, what the institutions' governance structures are like, and which implementation gaps exist. We draw on academic research, industry reports, and established governance models, which report that the sector is in the midst of a large-scale change that is, however, not uniform. Institutions are moving away from highly technical, compliance-based security measures towards more extensive strategic resilience models, which in the long term will be better for the bottom line, but this transition is not yet complete. We identify persistent issues, including low tech investment, a lack of cyber security experts at the board level, and the complications that come from a disjointed regulatory environment. The research concludes by putting forth a governance framework that was designed for artificial intelligence but that we think has application in the cyber security field to improve cross-functional cooperation and to build more robust digital systems.
