MIT Internet Policy Research Initiative

MIT/FRS Conference on Measuring Cyber Risk in the Financial Services Sector

Held on September 7 and 8, 2022
This event was free and open to the public

This was a hybrid, in-person and virtual conference.
The in-person portion was held at MIT.

We held the Federal Reserve / MIT Conference on Measuring Cyber Risk in the Financial Services Sector on September 7-8, 2022. We hosted experts from industry, government and academia to discuss the status of efforts to measure and track cyber risk across the financial system.

Distinguished keynote speakers and panelists reviewed the current challenges and discussed the potential ways that a comprehensive set of cyber metrics could enable system stakeholders to respond effectively to the rapidly evolving threat landscape. Topics included risk metrics and predictive statistics, threat analysis and scenario development and their relationship to operational resilience and financial stability. We concluded with a discussion of how these efforts can improve risk mitigation and some promising initiatives that could address existing challenges.


2022 Event Summary
Executive summary (pdf, 2 pages)
Full summary (pdf, 19 pages)

This was a hybrid, in-person and virtual conference. The in-person portion was held at MIT.

Cambridge, MA

September 7, 2022 9:00AM – 5:00PM

September 8, 2022 9:00AM – 12:30PM.

07 September 2022

8:30 - 8:55 AM

Continental Breakfast

8:55 - 9:00 AM

Welcome and Opening Remarks: Daniela Rus – Professor and Director of MIT’s Computer Science and Artificial Intelligence Lab

9:00 - 9:30AM

The session will open with a fireside chat with Tom Barkin, President of the Federal Reserve Bank of Richmond and Andrew W. Lo, Charles E. and Susan T. Harris Professor at the MIT Sloan School of Management. Daniel Weitzner, 3Com Founders Senior Research Scientist chair at MIT’s Computer Science & Artificial Intelligence Laboratory, will moderate. Andrew will also provide additional remarks on cybersecurity and the financial system.

9:30 - 10:00 AM

Keynote: Kemba Eneas Walden, US White House, Office of the National Cyber Director

10:00 - 10:30 AM

Keynote: Andrew W. Lo, MIT Sloan – Cybersecurity and the Financial System

10:30 - 11:00 AM


11:00AM - 12:30 PM

Panel discussions on cybersecurity, operational resilience and financial stability

Cyber resilience is a key component of firms’ overall operational resilience. A lack of cyber resilience at individual or groups of firms makes the financial system as a whole more vulnerable to cyber events and bouts of financial instability. This panel will discuss how firms protect their most critical operations and core business lines with their own cyber resilience in mind, as well as the financial system’s cyber resilience, considering their firms’ critical role in the financial system. It also will explore how measures of cyber risk and resilience fit within larger measures of overall operational resilience.

12:30 - 1:30 PM


1:30 - 3:00 PM

Panel discussions on evaluating cyber incidents

Measuring cyber risk requires data about security incidents related to the security posture, control failures, and resulting financial impacts of the incident. The goal of this session is to explore how firms classify and evaluate individual cyber incidents within their organizations and how these data are used to quantify and communicate risk.

3:00 - 3:30 PM


3:30 - 4:45 PM

Panel discussions on risk metrics and predictive statistics

The quantification and analysis of cyber risk is a developing field and has not yet matured to the point where it can be consistently measured and managed against corporate risk appetites. This panel will discuss current state-of-the-art methodologies used in evaluating cyber risk, as well as existing gaps and future directions.

4:45 - 5:00 PM

Day one closing comments and adjourn

08 September 2022

8:30 - 9:00 AM

Continental Breakfast

9:00 - 9:15 AM

Welcome and Opening Remarks

9:15 - 10:30 AM

Panel discussion on threat analysis and scenario development

This panel will focus on discussing existing approaches to understanding the major factors and players behind cyber risk threats, as well as the techniques uses, and the process of analyzing these threat and materialized events. The panelists will also discuss scenario developments approaches and existing gaps in this domain.

10:30 -11:00 AM


11:00 -11:30 AM

Keynote: Jim Routh, former CISO of MassMutual and Aetna

11:30 AM - 12:30PM

Panel discussion on next steps

Specialists utilize existing tools and frameworks (such as NIST and FAIR) to manage firms’ cyber risks.
However, firms often lack a way to measure, aggregate and translate granular elements into
business-level cyber risk metrics and information that can be (1) effectively communicated to business
line risk managers; (2) provided to boards, governance bodies and stakeholders; and (3) compared to
other financial service sector firms. This panel will seek to identify key gaps that could be addressed
jointly by industry and academia.

12:30 PM

Conference Concludes

Interested in staying informed about the next steps and how we chart a way forward?

Interested in staying informed about the next steps and how we chart a way forward? Join the mailing list below to receive updates about white papers, future events, and programs. This mailing list is used exclusively for information about the joint work of MIT and the US Federal Reserve System. It is our policy not to share your details with any third parties or partner organizations.