Cybersecurity is the number one risk for global banks

January 11, 2023
  • New EY and IIF survey finds 72% of global Chief Risk Officers (CROs) view cybersecurity as the top year-ahead risk, followed by credit and environmental risks
  • The number of CROs citing cyber-attacks as the top geopolitical risk jumped from 39% last year to 62% this year
  • Global banking CROs see climate risk, data privacy, and digitization as the top emerging risk priorities for regulators over the next five years 

LONDON AND WASHINGTON D.C. -- Amid unprecedented levels of volatility and global uncertainty, cybersecurity has returned to the top of the list of near-term risks for banks around the world, according to the latest EY and Institute of International Finance (IIF) bank risk management survey.

The 12th edition of this joint report is based on survey data from 88 banks across 30 countries and highlights the issues chief risk officers (CROs) view as the most pressing for their organizations now, and in the future.

Today’s CROs face increased complexity caused by overlapping and correlated risks, nearly all of which seem to be increasing in urgency. In the short term, nearly three out of four CROs identified cybersecurity risk as their top concern over the next 12 months (72%), edging out credit risk (59%).

Jan Bellens, EY Global Banking & Capital Markets Sector Leader, said:

“CROs are no longer juggling a tiered waterfall of risk, but a torrent of interwoven complexities that have rapidly evolved in a matter of months. The role of the CRO is in the spotlight; and, with geopolitical risk underpinning everything else on their agenda, they will need to find new and innovative ways to address competing demands. It is arguably one of the hardest jobs in the banking C-suite, facing new and hidden risks – particularly from increasingly sophisticated cyber-attacks – that will put increasing pressure on an already volatile environment.”

Reducing and understanding risk exposures

According to the survey, CROs are not confident in their ability to defend against cyber-attacks, with 58% citing their firm’s inability to manage cybersecurity risks as their top strategic risk over the next three years. The number of CROs concerned about increased cyber-attacks manifesting from geopolitical risk jumped from 39% last year to 62% this year.

On climate risk, which topped the list of emerging concerns for CROs last year, 51% of organizations stated they only had a preliminary understanding of their exposure to climate risk. The survey also highlights that only 37% of CROs see environmental risk as a top-five issue that will demand CRO attention during the next three years, a drop from 49% in last year’s research.

Andrés Portilla, Managing Director, Regulatory Affairs at the IIF, said:

“It’s clear that there’s an interconnectedness between the top risks identified by CROs this year – cybersecurity, geopolitical, and credit – and their underpinning networks. Ongoing economic volatility has only fueled the concern that CROs will be navigating an increasingly complex risk landscape over the next 12 months.”

Market volatility from geopolitical risk is a major concern

Geopolitical risks play out differently by region, with almost three quarters (70%) of North American CROs concerned about cyber warfare between nation states — substantially more than their peers in Europe (46%). For CROs in the Asia-Pacific region, more than three quarters (78%) are focused on China’s changing global role, and more than two thirds (67%) say they are most worried about ongoing changes within the global trade environment. Despite the regional differences, 45% of CROs agreed that market volatility from geopolitical risk would have ‘major or moderate-to-high’ impact on exposure to market risk.

Credit risk overwhelmingly dominated global CROs’ attention (98%) in last year’s survey, but this year the worries are most pronounced among European CROs. More than three quarters (77%) of European CROs view credit risk as a top risk garnering the attention of the board of directors, relative to 45% globally.

Additional notable findings from the survey include:

  • Cyber controls are the top priority for boosting operational resilience (65%), followed by technology capacity (34%) and third-party dependencies (29%). Given the expanding need for more robust controls, 85% of respondents noted they expect the cost of controls to go up in the next three years.
  • Given the recent implosion of large crypto exchanges, CROs are operating a more conservative model on digital assets. Nearly half (49%) of banks surveyed said they are still defining their digital asset strategies.
  • CROs are also very concerned about talent and culture risks, with 57% of them noting that talent is one of the most significant long-term risks facing the banking industry.
  • In order to attract and retain the talent to build a high performing risk management function and meet the changing needs of the risk management function, the vast majority of CROs (94%) say they need some or many new skills and resources.  

For more information, read the full report.


About the Institute of International Finance (IIF)

The Institute of International Finance (IIF) is the global association of the financial industry, with about 400 members from more than 60 countries. The IIF provides its members with innovative research, unparalleled global advocacy, and access to leading industry events that leverage its influential network. Its mission is to support the financial industry in the prudent management of risks; to develop sound industry practices; and to advocate for regulatory, financial and economic policies that are in the broad interests of its members and foster global financial stability and sustainable economic growth. IIF members include commercial and investment banks, asset managers, insurance companies, professional services firms, exchanges, sovereign wealth funds, hedge funds, central banks and development banks. To learn more about IIF, please visit, follow IIF on Twitter, LinkedIn or YouTube, or check out IIF’s podcasts.

About EY

EY exists to build a better working world, helping to create long-term value for clients, people and society and build trust in the capital markets.

Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.

Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit

This news release has been issued by EYGM Limited, a member of the global EY organization that also does not provide any services to clients.

About the survey

The global EY organization, in conjunction with the IIF, surveyed IIF member firms and other banks in each region globally (including a small number of material subsidiaries that are top-five banks in their home countries) from June 2022 through October 2022. Participating banks’ CROs or other senior risk executives were interviewed, completed a survey, or both. In total, 88 financial institutions across 30 countries participated.

Participating banks were fairly diverse in terms of asset size, geographic reach and type of bank. Regionally, those banks were headquartered in Asia-Pacific (11%), Europe (16%), Middle East and Africa (19%), Latin America (18%) and North America (36%). Of those, 14% are globally systemically important banks (G-SIBs).