Managing cyber risk in the financial sector: Insights from a case study

Author/s Chiara Crovini, Pier Luigi Marchini
Publishing Year 2023 Issue 2023/1 Language English
Pages 29 P. 97-125 File size 201 KB
DOI 10.3280/FR2023-001004
DOI is like a bar code for intellectual property: to have more infomation click here

Below, you can see the article first page

If you want to buy this article in PDF format, you can do it, following the instructions to buy download credits

Article preview

FrancoAngeli is member of Publishers International Linking Association, Inc (PILA), a not-for-profit association which run the CrossRef service enabling links to and from online scholarly content.

Purpose: This article focuses on cyber risk as an emerging issue within the risk management process and the internal control system in the financial sector. It in-vestigates whether cyber risk management (CRM) is (dis)integrated into traditional enterprise risk management (ERM) and analyzes the external dynamics affecting the CRM design. Design/methodology/approach: This article draws upon institutional theory and the concept of boundary objects. The research examines a listed Italian bank and gathers the data from semi-structured interviews, direct observations, meet-ings, and archival sources. Findings: The findings underline that cyber risk rationale plays a crucial role in the CRM process. The interplay between institutional complexity and the need to manage cyber risk is critical for a bank to have a stable and flexible infrastructure. The knowledge boundaries related to the cyber risk culture require further cyber risk talk. Originality/value: This research furthers the understanding of cyber risk and CRM as an integral part of the ERM and internal control systems in the financial sector, in which there is a shortage of case studies. The financial sector is highly regulated, and managing cyber risk has become crucial as banks usually deal with enormous amounts of personal and sensitive data stored on networks and in the cloud. Practical implications: This case study emphasizes the crucial role of CRM in the identification and reporting of cyber risk information in annual reports.

Keywords: cyber risk management, internal control system, multi-perspective ap-proach, case study, financial sector, risk information.

Jel codes: G21, G28, M41, M48

  1. Ahrens T. and Chapman C. S. (2006), Doing qualitative field research in management accounting: Positioning data to contribute to theory, Accounting, Organizations and Society, 31, pp. 819-841.
  2. Alali M., Almogren A., Hassan M. M., Rassan I. A. L. and Bhuiyan M. Z. A. (2018), Improving risk assessment model of cyber security using fuzzy logic inference system, Computers and Security, 74, pp. 323-339.
  3. Alali M. and Almogren A. (2017), Fuzzy logic methodology for cyber security risk mitigation approach, Journal of Networking Technology, 8(3), pp. 83-90.
  4. Aldasoro I., Gambacorta L., Giudici P. and Leach T. (2020a), Operational and Cyber Risks in the Financial Sector. (Basel – Switzerland: Bank for International Settlements).
  5. Aldasoro I., Gambacorta L., Giudici P. and Leach T. (2020b), The Drivers of Cyber Risk. (Basel – Switzerland: Bank for International Settlements). -- Available at:
  6. Allini A. and Manes-Rossi F. (2014), Do corporate governance characteristics affect non-financial risk disclosure in government-owned companies? The Italian experience, Financial Reporting, 1, pp. 5-31. DOI: 10.3280/FR2014-001001
  7. Ammirato S., Sofo F., Felicetti A. M. and Raso C. (2019), The potential of IoT in redesigning the bank branch protection system: An Italian case study, Business Process Management Journal, 25(7), pp. 1441-1473. DOI: 10.1108/BPMJ-04-2018-0099
  8. Arena M., Arnaboldi M. and Palermo T. (2017), The dynamics of (dis)integrated risk management: A comparative field study, Accounting, Organizations and Society, 62, pp. 65-81.
  9. Ashby S., Buck T., Nöth-Zahn S. and Peisl T. (2018), Emerging IT risks: Insights from German banking, Geneva Papers on Risk and Insurance – Issues and Practice, 43(2), pp. 180-207.
  10. Association of Certified Fraud Examiners (ACFE) (2018), Report to the Nation: Occupational Fraud and Abuse. (ACFE). -- available at:
  11. Aureli S. and Salvatori F. (2013), Investigation of risk management and risk disclosure practices of Italian listed local utilities, Financial Reporting, 1, pp. 121-167. DOI: 10.3280/FR2013-001006
  12. Banca d’Italia, Circolare 285/2013 Disposizioni di vigilanza per le banche – First part, Tit. IV, Chap. 4, section V. -- available at: vigilanza/normativa/archivio-norme/circolari/c285/?dotcache=refresh.
  13. Barley S. R. and Tolbert P. S. (1997), Institutionalization and structuration: Studying the links between action and institution, Organization Studies, 18(1), pp. 93-117. DOI: 10.1177/017084069701800106
  14. Bodin L. D., Gordon L. A., Loeb M. P. and Wang A. (2018), Cybersecurity insurance and risk-sharing, Journal of Accounting and Public Policy, 37(6), pp. 527-544.
  15. Bojanc R. and Jerman-Blažič B. (2008), An economic modelling approach to information security risk management, International Journal of Information Management, 28(5), pp. 413-422.
  16. Boyson S. (2014), Cyber supply chain risk management: Revolutionizing the strategic control of critical IT systems, Technovation, 34(7), pp. 342-353.
  17. Brender N. and Markov I. (2013), Risk perception and risk management in cloud computing: Results from a case study of Swiss companies, International Journal of Information Management, 33(5), pp. 726-733.
  18. Bromley P. and Powell W. W. (2012), From smoke and mirrors to walking the talk: Decoupling in the contemporary world, Academy of Management Annals, 6, pp. 483-530.
  19. Caldarelli A., Fiondella C., Maffei M. and Zagaria C. (2016), Managing risk in credit cooperative banks: Lessons from a case study, Management Accounting Research, 32, pp. 1-15.
  20. Carlile P. R. (2002), A pragmatic view of knowledge and boundaries: Boundary objects in new product development, Organization Science, 13(4), pp. 355-457. DOI: 10.1287/ORSC.13.4.442.2953
  21. Carlile P. R. (2004), Transferring, translating, and transforming: An integrative framework for managing knowledge across boundaries, Organization Science, 15(5), pp. 555-568. DOI: 10.1287/ORSC.1040.0094
  22. Crovini C., Giunta F., Nielsen C. and Simoni L. (2022a), Do companies disclose relevant information about intangibles? Insights from business model reporting and risk reporting, ICAS-EFRAG. -- Available at: assets/pdf_file/0008/610892/Insights_Intangibles_Report_Final.pdf.
  23. Crovini C., Schaper S. and Simoni L. (2022b), Dynamic accountability and the role of risk reporting during a global pandemic, Accounting, Auditing and Accountability Journal, 35(1), 169-185. DOI: 10.1108/AAAJ-08-2020-4793
  24. Crovini C. and Ossola G. (2021), Is risk reporting a possible link between financial and management accounting in private firms?, Financial Reporting, 1, pp. 29-60.
  25. Crovini C. (2019), Risk Management in Small and Medium Enterprises (Oxon, UK: Routledge).
  26. Crovini C., Ossola G. and Marchini P. L. (2018), Cyber risk: The new enemy for risk management in the age of globalisation, Management Control, 2, pp. 135-155.
  27. De Luca F. and Phan H.-T.-P. (2019), Informativeness assessment of risk and risk-management disclosure in corporate reporting: An empirical analysis of Italian large listed firms, Financial Reporting, 2, pp. 9-41. DOI: 10.3280/FR2019-002002
  28. Dillard J. F., Rigsby J. T. and Goodman C. (2004), The making and remaking of organization context: Duality and the institutionalization process, Accounting, Auditing and Accountability Journal, 17(4), pp. 506-542. DOI: 10.1108/09513570410554542
  29. DiMaggio P. J. and Powell W. W. (1983), The iron cage revisited: Institutional isomorphism and collective rationality in organizational fields, American Sociological Review, 48(2), pp. 147-160.
  30. Durst S. and Henschel T. (2020), Knowledge risk management – State of research, in S. Durst and T. Henschel (Eds.), Knowledge Risk Management. From Theory to Praxis, pp. 3-10 (Springer Nature). DOI: 10.1007/978-3-030-35121-2_1
  31. Durst S., Bruns G. and Henschel T. (2018), The management of knowledge risks: What do we really know?, in Global Business Expansion: Concepts, Methodologies, Tools, and Applications, pp. 258-269 (IGI Global). DOI: 10.4018/978-1-5225-5481-3.CH013
  32. Eaton T., Grenier J. H. and Layman D. (2019), Accounting and cybersecurity risk management, Current Issues in Auditing, 13(2), pp. 1-9.
  33. Eisenhardt K. M. (1989), Building theories from case study research, Academy of Management Review, 14(4), pp. 532-550. DOI: 10.2307/258557
  34. Eling M. (2018), Cyber risk and cyber risk insurance: Status quo and future research, Geneva Papers on Risk and Insurance: Issues and Practice, 43(2), pp. 175-179.
  35. Eling M., McShane M. and Nguyen T. (2021), Cyber risk management: History and future research directions, Risk Management and Insurance Review, 24(1), pp. 93-125.
  36. European Banking Authority (EBA (2017), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP). -- Available at: ICT+Risk+Assessment+under+SREP+%28EBA-GL-2017-05 %29.pdf/ef88884a-2f04-48a1-8208-3b8c85b2f69a.
  37. European Union (EU) (2016), Directive 2016/1148 Concerning Measures for a High Common Level of Security of Network and Information Systems across the Union. -- Available at: :32016L1148&from=IT.
  38. Financial Services Authority (2006), Business Continuity Management Practice Guide (Financial Services Authority).
  39. Foster H. (1993), Resilience theory and system evaluation, in Verification and Validation of Complex Systems: Human Factors, pp. 35-60 (NATO ASI S. Springer US).
  40. Giner B., Allini A. and Zampella A. (2020), The value relevance of risk disclosure: An analysis of the banking sector, Accounting in Europe, 17(2), pp. 129-157. DOI: 10.1080/17449480.2020.1730921
  41. Giovannoni E., Quarchioni S. and Riccaboni A. (2016), The role of “roles” in risk management change: The case of an Italian bank, European Accounting Review, 25(1), pp. 109-129. DOI: 10.1080/09638180.2014.990475
  42. Gordon L. A., Loeb M. P., Sohail T., Tseng C. Y. and Zhou L. (2008), Cybersecurity, capital allocations and management control systems, European Accounting Review, 17(2), pp. 215-241. DOI: 10.1080/09638180701819972
  43. Institute of Risk Management (IRM) (2014), Cyber Risk. Resources for Practitioners.
  44. ISACA (2012), COBIT 5 for Information Security. -- Available at:
  45. ISO/IEC (2018), Information Security Risk Management. -- Available at:
  46. Italian Ministry of Defence (2019), Documento Programmatico Pluriennale per la Difesa per il triennio 2019-2021. -- Available at:
  47. Kaplan R. S. and Mikes A. (2016), Risk Management – The Revealing Hand, pp. 16-102. -- Available at: Files/16-102_ 397b963b-1a8b-4dcf-942f-e45acc8c9e96.pdf.
  48. Law Decree 81/2021 – Regolamento in materia di notifiche degli incidenti aventi impatto su reti, sistemi informativi e servizi informatici di cui all'articolo 1, comma 2, lettera b), del decreto-legge 21 settembre 2019, n. 105, convertito, con modificazioni, dalla legge 18 novembre 2019, n. 133, e di misure volte a garantire elevati livelli di sicurezza. -- available at: 21G00089/sg.
  49. Lim C. Y., Woods M., Humphrey C. and Seow J. L. (2017), The paradoxes of risk management in the banking sector, British Accounting Review, 49(1), pp. 75-90.
  50. Mikes A. (2009), Risk management and calculative cultures, Management Accounting Research, 20(1), pp. 18-40. DOI: 10.1016/J.MAR.2008.10.005
  51. Mikes A. (2011), From counting risk to making risk count: Boundary-work in risk management, Accounting, Organizations and Society, 36, pp. 226-245.
  52. Mukhopadhyay A., Chatterjee S. and Saha D. (2013), Cyber-risk decision models: To insure IT or not?, Decision Support Systems, 56, pp. 11-26.
  53. National Association of Insurance Commissioners (NAIC) (2018), Report on the Cybersecurity Insurance and Identity Theft Coverage Supplement. -- available at: 2018.pdf.
  54. National Institute of Standards and Technology (NIST) (2018), Cybersecurity Framework. -- available at:
  55. Öğüt H. and Menon N. (2005), Cyber insurance and IT security investment: Impact of interdependent risk, in Fourth Workshop on the Economics of Information Security (WEIS). (Harvard).
  56. Öğüt H., Raghunathan S. and Menon N. (2011), Cyber security risk management: Public policy implications of correlated risk, imperfect ability to prove loss, and observability of self-protection, Risk Analysis, 31(3), pp. 497-512.
  57. Otley D. and Berry A. J. (1994), Case study research in management accounting and control, Management Accounting Research, 5(1), pp. 45-65.
  58. Palermo T., Power M. and Ashby S. (2017), Navigating institutional complexity: The production of risk culture in the financial sector, Journal of Management Studies, 54(2), pp. 154-181.
  59. Pérez-Cornejo C., Delgado-García E. de and Quevedo-Puente J. B. (2019), How to manage corporate reputation? The effect of enterprise risk management systems and audit committees on corporate reputation, European Management Journal, 37(4), pp. 505-515.
  60. Poon M. (2009), From new deal institutions to capital markets: Commercial consumer risk scores and the making of subprime mortgage finance, Accounting, Organizations and Society, 34(5), pp. 654-674. DOI: 10.1016/J.AOS.2009.02.003
  61. Power M. (2004), The risk management of everything, Journal of Risk Finance, 5(3), pp. 58-65.
  62. Power M. (2009), The risk management of nothing, Accounting, Organizations and Society, 34(6-7), pp. 849-855.
  63. Power M. (2015), How accounting begins: Object formation and the accretion of infrastructure, Accounting, Organizations and Society, 47, pp. 43-55.
  64. PricewaterhouseCoopers (PwC) (2018), Global Economic Crime and Fraud Survey 2018. -- available at:
  65. Robalo R. (2014), Explanations for the gap between management accounting rules and routines: An institutional approach, Revista de Contabilidad, 17(1), pp. 88-97.
  66. Ruan K. (2017), Introducing cybernomics: A unifying economic framework for measuring cyber risk, Computers & Security, 65, pp. 77-89.
  67. Saldaña J. (2012), The Coding Manual for Qualitative Researchers (2nd ed.). (Los Angeles: SAGE).
  68. Scapens R. W. (1990), Researching management accounting practice: The role of case study methods, British Accounting Review, 22(3), pp. 259-281. DOI: 10.1016/0890-8389(90)90008-6
  69. Scott R. W. (2013), Institutions and Organizations. Ideas, Interests, and Identities (4th ed.). (SAGE Publications, Inc.). --
  70. Star S. L. (1999), The ethnography of infrastructure, American Behavioural Scientist, 43(3), pp. 377-391. DOI: 10.1177/00027649921955326
  71. Star S. L. (2010), This is not a boundary object: Reflections on the origin of a concept, Science, Technology, & Human Values, 35(5), pp. 601-617.
  72. Tsang H. W. C. and Lee W. B. (2020), An integrated research methodology to identify and assess knowledge risk in a corporation with application to a financial institution, in S. Durst and T. Henschel (Eds.), Knowledge Risk Management, pp. 135-158 (Springer). DOI: 10.1007/978-3-030-35121-2_9

Chiara Crovini, Pier Luigi Marchini, Managing cyber risk in the financial sector: Insights from a case study in "FINANCIAL REPORTING" 1/2023, pp 97-125, DOI: 10.3280/FR2023-001004