By Bruce Sussman
Fri | Feb 7, 2020 | 6:30 AM PST

A new national survey of financial professionals lists one type of risk standing high above the rest: cyber risk.

What are financial leaders saying about cybersecurity risk?

The annual benchmark survey by the Association for Financial Professionals surveyed 365 practitioners in treasury and finance. For the first time, cyber risk was voted the most difficult risk to manage. That is significant because financial leaders have a lot of risk categories to consider.


In the survey, 53% voted cyber risk as the most challenging. And 51% said it will continue to be the most difficult risk for at least the next three years.

Ironically, the financial executives in the survey ranked "financial risks" as the second most difficult to control, not the first.

The 2020 AFP Risk Report reveals that this is a drastic change:

"Cybersecurity risks are an example of the evolving risk landscape; a decade ago, only 12% of survey respondents cited cyberrisk as difficult to control. Although organizations are ramping up systems internally, they are faced with controlling increasingly malicious cyberattacks and an increase in the number of those committing crimes."

How is cybersecurity risk management a symptom of what needs to change?

The authors of the report, Marsh & McLennan, sum up the challenge of managing unknowns:

"While financial leaders are better prepared to manage known risks, the survey data points to the need to improve the ability to systematically identify new, emerging risks and analysis of known risks, such as cyber and extreme weather," said Alex Wittenberg, Executive Director, Marsh & McLennan Advantage.  

"Few organizations have adopted formal processes for engaging senior leadership and the board in a discussion of how an increasingly uncertain environment will impact strategy decisions."

What is a reasonable approach to cybersecurity and cyber risk?

SecureWorld interviewed cyber attorney Shawn Tuma after his keynote at SecureWorld Dallas. We asked him, what is reasonable cybersecurity? 

It all starts with a risk assessment, he says. He also discusses the #1 factor in incident response success, and why a national privacy and security policy is needed.

Listen to our interview on The SecureWorld Sessions podcast:

You can read interview excerpts here:
Courts and Counsel: What Reasonable Cybersecurity Looks Like

Also, here's the link to the 2020 AFP Risk Report.

Pull this data for your next board meeting on cyber risk and say something like this: "See, it's not just the security team that is paranoid about this!"