How To Assign a Dollar Amount to Cyber Risk

January 30, 2025

By Kiah Lau Haslett

Are banks and credit unions spending enough on cybersecurity? And even with all the spending, is it actually making institutions safer? 

Cybersecurity concerns increased for bank directors and senior leaders in 2024, according to Bank Director’s 2024 Risk Survey, sponsored by Moss Adams, with 86% of respondents saying their concerns increased “somewhat” or “significantly” in the prior 12 months. In a January speech, Federal Reserve Governor Lisa Cook said cyberattacks on financial institutions and insurers “more than doubled from 2014 and 2015 to 2020, and more than doubled again from 2020 to 2022 and 2023,” citing data from the Center for International and Security Studies at Maryland, a part of the University of Maryland. 

But when it comes down to an individual company, it’s hard to nail down the specifics of cyber risk: what risks an institution faces, the likelihood of successful intrusions and the potential fallout of a breach. This can leave executives uncertain about the steps the institution is taking to increase its cybersecurity and whether it’s spending enough — or in the right places — as they build or strengthen those defenses. But there are ways for financial institution executives to start quantifying their cyber risk and assigning dollar amounts to breaches and loss events, which may lead to better conversations and cybersecurity responses. 

Madhu Reddy, executive vice president and chief information officer at $2.8 billion Oak Brook, Illinois-based Republic Bank of Chicago, says discussions about cyber risk often rely on qualitative, subjective terms like “high,” “medium” and “low.”

“Without quantifying cyber risks, the conversation becomes subjective,” says Reddy. “[Information technology] and security teams focus on controls like vulnerability management, patching, access reviews and penetration testing. But business and finance teams view risk through the lens of dollars and cents, leading to friction between security advocating for more investment and business questioning its criticality or value.”

One reason executives may use subjective metrics when discussing cyber risk is that they start by assessing an institution’s cybersecurity controls — rather than starting with the threats their institution faces, says John MacDonald, director of risk consulting at RSM US. They’re not the same thing: Cyber risk is about the threats an institution faces, whereas cybersecurity is how a company manages or responds to that risk.

“Unfortunately, many of the frameworks out there right now aren’t threat-oriented,” MacDonald says. “They say, ‘Here’s a general set of best practices.’ Organizations look at that from a gap or improvement perspective, and think, ‘Look, we’ve got everything checked here.’”

A threat assessment includes the tactics, techniques and procedures that criminals use to breach institutions and leverages external data to understand these attacks and their total damages, he says. Executives can share with the board realistic loss amounts, the areas of greatest weakness within their institutions and what investments or changes could lower those risks. 

“You can only go so far with ‘red, green and yellow’ type of ratings for cyber risk,” says Todd Tucker, managing director of the FAIR Institute. “The second you start to quantify it, risk devolves into a more specific language.”

The FAIR Institute is a not-for-profit organization that trains and educates information security professionals in a number of industries on its factor analysis of information risk, or FAIR, model. The FAIR model breaks down risk into specific factors, tools and calculations to help organizations quantify risk, he says. The institute has 16,000 members globally, including half of the Fortune 1000, according to its site.

The model was created about 20 years ago by a chief information security officer at a large insurance firm who found he couldn’t answer directors’ questions about whether the firm’s cybersecurity spending was worth the investment, Tucker says. That CISO, Jack Jones, eventually left the industry to establish a company that sold a product based on the FAIR model; he later helped establish the institute in 2016.

While Reddy doesn’t endorse the FAIR model, he acknowledges its potential value in improving cyber risk discussions and appreciates its focus on quantifying risk as a way to empower financial institution executives and boards to make more informed decisions. And banks may have a unique advantage in using quantitative cyber risk management approaches, stemming from how they manage their other major risk: credit. 

MacDonald sees parallels between how financial institutions calculate credit losses and threat-first cyber risk modeling. For instance, institutions can use historical loss data and a future forecast to calculate the “probability of default” for a portfolio of loans and the “loss given default.” Institutions could adopt these calculations as they think about the probability of different cyber incidents and the potential financial impact of the incident. 

One benefit of quantifying cyber risk is that cyber executives can also calculate the return on investment of installing controls or increasing defenses. If a bank’s potential cyber risk loss is $10 million, it can focus on adding or altering processes or controls that will lower that amount. If a vendor has a cybersecurity product or service that costs $10,000 annually but lowers the potential cyber loss by $100,000, the bank may be more interested in that product or service. Or a bank can make sure its cyber insurance coverage is better aligned with its total risk.
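A worked version of the arithmetic the last three paragraphs describe, added here as an illustration and not code from the article or the FAIR Institute: the annual probability of a loss event stands in for "probability of default", the per-event loss range for "loss given default", and a control's value is its expected-loss reduction against its annual cost. The scenario figures are constructed, with the control's effect chosen so the result matches the article's $10,000-per-year product that removes $100,000 of expected loss.

```python
"""FAIR-style expected-loss and control-ROI arithmetic (added example)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # chance of at least one loss event in a year
    loss_low: float            # smallest plausible loss per event, dollars
    loss_high: float           # largest plausible loss per event, dollars

    def expected_loss(self) -> float:
        """Point estimate: P(event) x mean loss given an event."""
        return self.annual_probability * (self.loss_low + self.loss_high) / 2


def simulate(scn: Scenario, years: int = 20_000, seed: int = 7) -> dict:
    """Monte Carlo over simulated years; returns mean and 90th-percentile loss,
    which shows the tail a point estimate hides."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        hit = rng.random() < scn.annual_probability
        losses.append(rng.uniform(scn.loss_low, scn.loss_high) if hit else 0.0)
    losses.sort()
    return {"mean": sum(losses) / years, "p90": losses[int(0.9 * years)]}


def control_roi(before: Scenario, after: Scenario, annual_cost: float) -> dict:
    """Compare expected loss with and without a control against its cost."""
    reduction = before.expected_loss() - after.expected_loss()
    return {
        "risk_reduction": reduction,
        "net_benefit": reduction - annual_cost,
        "benefit_cost_ratio": reduction / annual_cost if annual_cost else float("inf"),
    }


# Constructed scenario: a control halves the chance of a successful intrusion.
BASELINE = Scenario("account takeover", 0.4, 250_000, 750_000)
MITIGATED = Scenario("account takeover, with control", 0.2, 250_000, 750_000)

if __name__ == "__main__":
    print(f"baseline expected loss:  ${BASELINE.expected_loss():,.0f}")
    print(f"simulated (mean, p90):   {simulate(BASELINE)}")
    print(f"control at $10,000/yr:   {control_roi(BASELINE, MITIGATED, 10_000)}")
```

The same functions can price cyber insurance against the simulated p90 rather than the mean, which is the "better aligned with its total risk" check the paragraph mentions.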

“Quantifying risk helps determine whether you’re overspending or underspending,” Reddy says. “It shifts the conversation from subjective assessments to actionable insights, aligning security goals with business priorities.”

Kiah Lau Haslett is the Banking & Fintech Editor for Bank Director. Kiah is responsible for editing web content and works with other members of the editorial team to produce articles featured online and published in the magazine. Her areas of focus include bank accounting policy, operations, strategy, and trends in mergers and acquisitions.