Purpose: This article focuses on cyber risk as an emerging issue within the risk management process and the internal control system in the financial sector. It investigates
whether cyber risk management (CRM) is (dis)integrated into traditional enterprise risk management (ERM) and analyzes the external dynamics affecting the CRM design.
Design/methodology/approach: This article draws upon institutional theory and the concept of boundary objects. The research examines a listed Italian bank and gathers the data from semi-structured interviews, direct observations, meetings, and archival sources.
Findings: The findings underline that cyber risk rationale plays a crucial role in the CRM process. The interplay between institutional complexity and the need to manage cyber risk is critical for a bank to have a stable and flexible infrastructure. The knowledge boundaries related to the cyber risk culture require further cyber risk talk.
Originality/value: This research furthers the understanding of cyber risk and CRM as an integral part of the ERM and internal control systems in the financial sector, in which there is a shortage of case studies. The financial sector is highly regulated, and managing cyber risk has become crucial as banks usually deal with enormous amounts of personal and sensitive data stored on networks and in the cloud.
Practical implications: This case study emphasizes the crucial role of CRM in the identification and reporting of cyber risk information in annual reports.
Keywords: cyber risk management, internal control system, multi-perspective approach,
case study, financial sector, risk information.
