MIT Internet Policy Research Initiative

2nd Annual
MIT/FRS Conference on Measuring Cyber Risk in the Financial Services Sector

January 16th and 17th, 2024
This event was free and open to the public but required registration

This was a hybrid, in-person and virtual conference that was held at MIT.

The Federal Reserve Board of Governors, the Federal Reserve Bank of Richmond, and the Massachusetts Institute of Technology Internet Policy Research Initiative convened experts from industry, government, and academia for their second conference on efforts to measure and track cyber risk across the financial system. A common theme in the inaugural 2022 conference was that financial markets, financial services firms, researchers, and policymakers cannot manage risks that they cannot measure, and cyber risk remains difficult to quantify, despite the money spent to secure information networks. Data on cyberattacks, security failures, and losses are needed to effectively quantify and mitigate cyber risk. Today, however, these data are lacking, and without them, financial institutions and the financial system are left more vulnerable. The 2022 conference closed with a call for a collaborative effort to develop a common set of metrics and reporting format to enable senior managers and boards of directors to assess and manage their organizations’ cyber risk.

2024 Event Summary
Executive summary (pdf, 3 pages)
Full summary (pdf, 18 pages)
Agenda (pdf, 3 pages and below)

2022 Event Summary
Executive summary (pdf, 2 pages)
Full summary (pdf, 19 pages)
Agenda (previous, 2022)

The January 2024 conference built on the inaugural meeting and reviewed progress made. Distinguished keynote speakers and panelists reviewed advances made in developing a comprehensive set of cyber metrics and discussed the challenges that remain in today’s rapidly evolving threat landscape. Topics included risk metrics and predictive statistics, threat analysis and scenario development, the relationship of these methods to operational resilience and financial stability, and challenges for the future.

LOCATION
This was a hybrid, in-person and virtual conference, with the in-person portion at MIT.

Cambridge, MA

DATE & TIME

January 16, 2024: 8:30AM – 5:00PM

January 17, 2024: 8:30AM – 12:30PM

16 January 2024

8:30 - 8:55 AM

Continental Breakfast

8:55 - 9:00 AM

Welcome: Daniel Weitzner, Senior Research Scientist, CSAIL, MIT; Founder of the MIT Internet Policy Research Initiative

9:00 - 9:30 AM

Keynote: Harriet Pearson
Executive Deputy Superintendent, Cybersecurity Division Head, New York State Department of Financial Services

9:30 - 10:45 AM

Panel discussion: Cyber risk measurement and management from the Chief Risk Officer’s perspective

Cyber resilience is a key component of firms’ overall operational resilience, and the Chief Risk Officer is responsible for building that resilience within their organizations. This panel brings together CROs from leading financial institutions to discuss what they view as best practices in measuring and managing cyber risk, how they get buy-in for those best practices from corporate leadership, and how they ensure those best practices are implemented across their organizations.

10:45 - 11:15 AM

Break

11:15 AM - 12:30 PM

Panel discussion: Advances and challenges in measuring and modeling cyber risk

Measuring cyber risk requires data about security incidents, including the related security posture, control failures, and resulting financial impacts. Yet the quantification and analysis of cyber risk is a developing field and has not yet matured to the point where it can be consistently measured and managed against corporate risk appetites. This panel discusses current state-of-the-art methodologies used in evaluating cyber risk, emphasizing recent advances as well as existing gaps and future directions.

12:30 - 1:30 PM

Networking Lunch

1:30 - 2:00 PM

Keynote: James Wiener, Partner and Vice Chair, Oliver Wyman

2:00 - 2:30 PM

Break

2:30 - 3:45 PM

Panel discussion: Systemic cyber risk and financial stability

A lack of cyber resilience at individual financial institutions, their counterparties, and along the supply chain makes the financial system as a whole more vulnerable to cyber incidents and bouts of financial instability. This panel discusses how financial-sector firms advance their own cyber resilience with the broader financial system in mind; how policymakers approach strengthening the financial system’s cyber resilience; and opportunities for both groups to advance individually and in concert.

3:45 - 4:00 PM

Short break

4:00 - 4:30 PM

Keynote: Vinod Vaikuntanathan, Cryptographer and Professor of Computer Science, MIT

4:30 - 4:45 PM

Day one closing comments and adjourn

17 January 2024

8:30 - 9:00 AM

Continental Breakfast

9:00 - 9:15 AM

Welcome and Opening Remarks
Michael Barr, Vice Chair for Supervision, Board of Governors of the Federal Reserve System

9:15 - 9:45 AM

Keynote: Arthur Lindo, Deputy Director for Policy, Supervision and Regulation, Board of Governors of the Federal Reserve System 

9:45 - 11:00 AM

Panel discussion: Cyber risk measurement and management from the corporate board member’s perspective

Cyber risk is a technical area, and the risk landscape seems to be constantly evolving. Corporate boards are responsible for overseeing the risk, and there are calls for boards to have more expertise in cybersecurity. How can boards ensure cyber risk is embedded in strategic decisions? How can they best interact with the CISO and CRO to understand their organization’s cyber risk posture? How can they monitor cyber resilience? This panel brings together experts in board governance to discuss what they view as best practices in measuring and managing cyber risk, how they get buy-in for those best practices from corporate leadership, and how they ensure those best practices are implemented across their organizations.

11:00 - 11:30 AM

Break

11:30 AM - 12:30 PM

Panel discussion: Challenges for the future

The nature of cyber risk in the financial system will continue to evolve with advances in technology and cyber risk management. The conference to this point has focused on progress made in measuring and monitoring the risk. Sometimes, for all the progress made, the urgent is the enemy of the important. This panel concludes the conference by looking ahead to the aspects of cyber risk that might not be getting as much attention as perhaps they deserve. What are those risks? How does the financial sector prepare for the risks of tomorrow while managing the risks of today?

12:30 PM

Conference Concludes

Interested in staying informed about the next steps and how we chart a way forward?

Join the mailing list below to receive updates about white papers, future events, and programs. This mailing list is used exclusively for information about the joint work of MIT and the US Federal Reserve System. It is our policy not to share your details with any third parties or partner organizations.