This was a hybrid, in-person and virtual conference.
The in-person portion was held at MIT.
We held the Federal Reserve / MIT Conference on Measuring Cyber Risk in the Financial Services Sector on September 7-8, 2022. We hosted experts from industry, government and academia to discuss the status of efforts to measure and track cyber risk across the financial system.
Distinguished keynote speakers and panelists reviewed the current challenges and discussed the potential ways that a comprehensive set of cyber metrics could enable system stakeholders to respond effectively to the rapidly evolving threat landscape. Topics included risk metrics and predictive statistics, threat analysis and scenario development, and their relationship to operational resilience and financial stability. We concluded with a discussion of how these efforts can improve risk mitigation and some promising initiatives that could address existing challenges.
2022 Event Summary
- Executive summary (pdf, 2 pages)
- Full summary (pdf, 19 pages)
September 7, 2022 9:00AM – 5:00PM
September 8, 2022 9:00AM – 12:30PM
Continental Breakfast
Welcome and Opening Remarks: Daniela Rus – Professor and Director of MIT's Computer Science and Artificial Intelligence Lab
The session will open with a fireside chat with Tom Barkin, President of the Federal Reserve Bank of Richmond, and Andrew W. Lo, Charles E. and Susan T. Harris Professor at the MIT Sloan School of Management. Daniel Weitzner, 3Com Founders Senior Research Scientist chair at MIT's Computer Science & Artificial Intelligence Laboratory, will moderate. Andrew will also provide additional remarks on cybersecurity and the financial system.
Keynote: Kemba Eneas Walden, US White House, Office of the National Cyber Director
Keynote: Andrew W. Lo, MIT Sloan – Cybersecurity and the Financial System
Break
Panel discussions on cybersecurity, operational resilience and financial stability
Cyber resilience is a key component of firms' overall operational resilience. A lack of cyber resilience at individual firms or groups of firms makes the financial system as a whole more vulnerable to cyber events and bouts of financial instability. This panel will discuss how firms protect their most critical operations and core business lines with their own cyber resilience in mind, as well as the financial system's cyber resilience, considering their firms' critical role in the financial system. It also will explore how measures of cyber risk and resilience fit within larger measures of overall operational resilience.
Lunch
Panel discussions on evaluating cyber incidents
Measuring cyber risk requires data about security incidents: the security posture at the time of the incident, the control failures involved, and the resulting financial impact. The goal of this session is to explore how firms classify and evaluate individual cyber incidents within their organizations and how these data are used to quantify and communicate risk.
Break
Panel discussions on risk metrics and predictive statistics
The quantification and analysis of cyber risk is a developing field and has not yet matured to the point where it can be consistently measured and managed against corporate risk appetites. This panel will discuss current state-of-the-art methodologies used in evaluating cyber risk, as well as existing gaps and future directions.
Day one closing comments and adjourn
Continental Breakfast
Welcome and Opening Remarks
Panel discussion on threat analysis and scenario development
This panel will focus on discussing existing approaches to understanding the major factors and players behind cyber risk threats, as well as the techniques used, and the process of analyzing these threats and materialized events. The panelists will also discuss scenario development approaches and existing gaps in this domain.
Break
Keynote: Jim Routh, former CISO of MassMutual and Aetna
Panel discussion on next steps
Specialists utilize existing tools and frameworks (such as NIST and FAIR) to manage firms' cyber risks. However, firms often lack a way to measure, aggregate and translate granular elements into business-level cyber risk metrics and information that can be (1) effectively communicated to business line risk managers; (2) provided to boards, governance bodies and stakeholders; and (3) compared to other financial service sector firms. This panel will seek to identify key gaps that could be addressed jointly by industry and academia.
Conference Concludes
Interested in staying informed about the next steps and how we chart a way forward?
Join the mailing list below to receive updates about white papers, future events, and programs. This mailing list is used exclusively for information about the joint work of MIT and the US Federal Reserve System. It is our policy not to share your details with any third parties or partner organizations.