As cyber threats continue to evolve, organizations are being urged to update their metrics, risk management strategies, and incident response plans. This was the main message at the 2025 Cyber Risk in the Financial Sector Conference, which took place in October and was co-hosted by the Federal Reserve Bank of Richmond, the Federal Reserve Board of Governors, and the Massachusetts Institute of Technology’s Internet Policy Research Initiative. The event focused on “Putting Cyber Metrics into Action” and brought together experts from industry, government, and academia to address growing cyber risks in the financial sector.
Panelists highlighted that basic cyber hygiene remains essential for managing risk. They noted that many incidents stem from failures to implement these fundamental procedures. The conference also addressed challenges in harmonizing risk management standards across different jurisdictions, especially between the U.S. and European Union. Inconsistent incident reporting requirements were cited as obstacles to effective information sharing.
The impact of new technologies such as artificial intelligence (AI) and quantum computing on cybersecurity was a major topic of discussion. Participants said AI is being used by both defenders and attackers to automate activities, potentially increasing the speed at which vulnerabilities are exploited. However, they also expressed optimism that AI could help cybersecurity professionals respond more efficiently if deployed responsibly with human oversight.
Anna Kovner of the Federal Reserve Bank of Richmond joined other industry leaders in discussing efforts to build actionable cyber risk models. Quantum computing was identified as a significant concern because it could eventually break current encryption methods, requiring firms to overhaul data protection measures well in advance.
Debate emerged over how best to quantify cyber risks. While some questioned existing analytics’ reliability due to inconsistent data quality, there was general agreement that better data collection and sharing would improve modeling efforts. Combining quantitative analysis with expert judgment was recommended as an effective way forward.
An international panel discussed how severe cyber incidents could affect global financial stability if critical service providers lack redundancy. The need for coordinated action among regulators, private companies, national authorities, and technical experts was emphasized.
Lisa White, Executive Vice President for Supervision, Regulation and Credit at the Richmond Fed, closed the conference by stating: “After the past two days, it’s even clearer to me that we need to remain laser focused on this topic. Given the pace of change in this area, we are never going to fully solve or eliminate the challenges that have been discussed. This is why the opportunity to convene this type of group of experts is so helpful. Going forward, we plan to complement this conference with regular, focused engagement between the financial industry, academia and government to help navigate the uncertain and complex road ahead more effectively.”
The Richmond Fed stated its ongoing commitment to supervising banks’ cyber risk management practices through collaboration with other reserve banks and providing resources for financial institutions.
