How can closer CRO–CISO collaboration transform cyber risk into strategic advantage?

CROs and CISOs are adopting practical strategies, such as cyber risk quantification (CRQ), to embed a stronger culture of security within financial services.


In brief

  • For the third consecutive year, cybersecurity remains the leading risk for financial sector CROs.
  • Mature cybersecurity approaches can unlock significant business value, transforming cyber risk from a threat to a strategic advantage.
  • Strengthening the collaboration between CROs and CISOs is crucial for translating cyber risk into business terms and integrating cybersecurity into daily operations.

For the third year running, cybersecurity tops the list of risks weighing on financial sector CROs, outpacing its nearest challenger by an impressive 37 percentage points.

What is driving this ranking so consistently? Partly it’s down to cyber’s rapidly evolving nature. Emerging technologies such as GenAI and quantum computing make it harder than ever to feel confident that the risk is mitigated.

Cybersecurity is also deeply interlinked with wider business risk. From regulation to resilience to geopolitics, cyber is adding new dimensions to known threats.

Even so, it’s not all downside. Our latest Cybersecurity Leadership Insights Study found that mature cybersecurity approaches unlock genuine business value (a median of US$36m, to be precise).

So the question is: how should CROs and business leaders respond to ensure their organisations are not just protected, but positioned to thrive?

1. See the full risk picture

Cybersecurity is a risk in its own right, but it must also be understood in the context of almost every other risk financial institutions (FIs) face. These include:

  • Geopolitical risk: as part of critical national infrastructure, FIs are prime targets for nation-state actors.
  • Brand risk: trust is critical when customers’ money is at stake. As AI-powered scams develop, FIs are increasingly held accountable for their customers’ security, not just their own.
  • Operational resilience: attacks such as ransomware can disrupt availability, leaving customers unable to access funds or services.
  • Business agility: failure to adopt a ‘secure by design’ approach can impact velocity of technology adoption and product launches.

Failing to appreciate the interlinkage between cyber and wider risk means risk management strategies in each area will inevitably fall short.

2. Modernise quantification

Translating cyber risk for a non-specialist audience is a long-standing challenge. However, the increased adoption of cyber risk quantification (CRQ) is changing that, helping FIs assign monetary values to threats and enabling more informed decisions on investment prioritisation.

CROs should advocate alongside CISOs to help scale CRQ. Key enabling factors include unified data environments (e.g., data lakes), automation and AI. The use of AI in risk management is still embryonic, but it has the potential to dramatically enhance how risk areas as complex and pervasive as cyber are assessed.

3. Strengthen CRO-CISO collaboration

For too long, cyber risk has been seen as an IT problem. CISOs have tended to be highly technical experts, without experience in board-level communication, while the C-suite and board have lacked a foundational understanding of the risks.

This is changing. CISOs in cyber-mature sectors like FS have become increasingly business-savvy. At the same time, business leaders have begun to develop their understanding of cyber, particularly as digitisation has placed cyber firmly on the board agenda.

CROs, who bridge the worlds of high-level strategy and complex risk, are perfectly placed to spearhead practical strategies to accelerate this trajectory, such as:

  • Establishing lines of reporting that elevate cyber strategically
  • Coaching CISOs on board-level communication
  • Organising cyber education sessions for the board and C-suite
  • Advocating for bringing cyber expertise into the boardroom, whether through permanent members or advisors

4. Prepare to fail

While FIs are justifiably held to high standards, it’s fair to say that breaches have become a matter of when, not if.

What matters most is how executives respond. That response shapes not just the speed of recovery but the level of long-term brand impact: EY analysis shows that share prices can continue to drop for 90 days following disclosure, demonstrating the importance of a well-planned response.

Breaches impact the whole company, from operations, to investor and customer-facing staff, to the board – so simulations and incident response planning must do the same, to ensure a unified response.

Third-party participation is critical here. Suppliers are often the weak link in FS defences, and their incidents (cyber-related or not) are increasingly impacting their more sophisticated clients.

Risk leaders must work closely with CISOs, CTOs, and COOs to comprehensively map and test resilience so that, in the case of an incident, the response doesn’t make the impact worse.

5. Integrate cybersecurity into the business

Long-term success demands that cybersecurity be embedded and integrated into daily operations.

What that looks like will vary by organisation. At a minimum, the CISO must be brought into strategic conversations early, but sophisticated FIs are adopting more structural models, from DevSecOps to new “business information security officer” roles to appointing cyber ambassadors within business teams.

This integrated approach not only helps mitigate risk – it actually drives value. Embedded security accelerates innovation, strengthens brand trust, and reduces friction across customer and employee experience.

By supporting the CISO to drive this change, the CRO can play an instrumental role in transforming cyber from a cost centre to a business accelerator.

Related articles

  • Five ways banking CROs are increasing agility: the EY/IIF bank risk management survey highlights the need for increased agility against diversifying risks.
  • How can cybersecurity go beyond value protection to value creation? The 2025 EY Global Cybersecurity Leadership Insights Study found that CISOs account for US$36m of each strategic initiative they are involved in.
  • Why operational resilience is a strategic priority for insurance CROs: the second annual EY/IIF insurance risk management survey highlights the importance of resilience and how CROs aim to instill it.

Authors: Stu Doyle and one other contributor

Summary

In today’s hyper-connected world, cybersecurity is a business-critical risk. But it can also be a competitive advantage. With targeted investment, collaboration and a strategic mindset, FIs can reshape the future of cyber from existential threat into an enabler of long-term value.