
The New Era of Cyber Risk: Why Information Security Matters More Than Ever

By Zor Gorelov, Klaros Group and Michael Dobrovolsky, Cyence


Compared to issues like board governance, BSA/AML, and TPRM, Information Security has been a relatively low-focus risk for partner banks and their regulators. Only two formal enforcement actions by federal regulators against partner banks have involved information security risk since 2023.



But potential regulatory issues are not the only reason for partner banks to focus on information security. There is a material commercial reason for partner banks to focus on information security by enhancing risk management practices and controls. Many fintechs significantly underestimate their exposure to information security risk, not because their executives lack awareness, but because they are under intense pressure to scale rapidly, drive revenue growth, and capture market share. In the race to build products and acquire customers, information security and risk management are too often deprioritized as non-core functions, resulting in underinvestment in critical controls, weak governance, and heightened exposure to cyber, operational, and regulatory threats. And that risk is growing as the rapid emergence and integration of artificial intelligence (AI) technologies across financial services creates a growing reservoir of new cyber risk.


Klaros recently partnered with Cyence to determine partner banks’ and fintechs' potential information security exposures. We found that, on average, partner banks could lose about 4–7% of their annual revenue due to cybersecurity risks. In comparison, fintech companies face potential losses of 3–5% of their annual revenue. These figures account only for tangible losses and exclude the impact of social inflation, which could substantially increase the overall estimates. The primary drivers of total losses include business interruption, first-party data breaches, and cyber extortion.


Adding AI into the mix exacerbates this risk. More than 70% of public companies in the S&P 500 now flag their use of artificial intelligence as a material risk in their public disclosures, according to a report by The Conference Board. As AI models are increasingly embedded into decision-making workflows (e.g., customer onboarding, fraud detection, credit underwriting, transaction monitoring, and customer service), they expand the attack surface for threat actors and elevate the consequences of a breach. In addition, most AI deployments involve external vendors, cloud platforms, and open-source models, which compound third-party risk in ways that current TPRM frameworks may not fully anticipate or address.


We believe partner banks and fintechs should reconsider their approach to managing information security risks. Cyence is equipped to maintain monitoring systems for banks/fintechs that need real-time solutions. For banks and fintechs that need to rethink their information security programs, Klaros can develop and provide actionable recommendations, drawing on its wealth of data and industry experience. If you’d like to chat infosec, shoot us a note at hello@klaros.com.


About Klaros Group: Klaros Group is a boutique consulting firm that combines business know-how and deep regulatory expertise to help financial innovators and incumbents define and achieve their business goals while meeting regulatory expectations.


About Cyence: Cyence, now part of Guidewire Software, is a leading provider of data-driven cyber-risk intelligence built specifically for financial institutions and insurers. Originally founded as an independent cyber-analytics company, Cyence pioneered the use of internet-scale telemetry, behavioral modeling, and external attack-surface analytics to quantify cyber exposure in economic terms. Today, Cyence combines deep technical visibility into threat activity with actuarial-grade modeling, enabling banks to understand not just where their digital vulnerabilities lie, but what those vulnerabilities mean in terms of regulatory, operational, financial, and systemic impact. With a global customer base and a track record of supporting the world’s largest insurers and financial organizations, Cyence’s trusted status is the direct result of its rigorous practice of data science, continuously updated threat intelligence, and proven ability to translate complex cyber risks into actionable business insights for executive decision-makers.


Methodology

The Cyence modeling approach is based on a massive, continuously maintained dataset of financial-sector organization information, with scoring and predictive models calibrated against roughly $19.2 trillion in modeled annual financial-sector revenue. Drawing from more than 2,000 fintech and 30,000 financial firms within a broader pool of over 400,000 companies, Cyence models capture how revenue scale, digital footprint, and operating structure shape cyber-risk exposure. The models differentiate smaller, tech-driven entrants from far larger established institutions using targeted keyword signals, operational indicators, and revenue-based heuristics—allowing each segment to be modeled according to how it actually behaves rather than averaged together. By tying cyber exposure directly to the economic realities of modeled companies, Cyence enables financial service and fintech organizations to understand where financial losses are most likely to concentrate, how risk varies across business types, and which mitigation strategies deliver the greatest return on investment.  


Model components are periodically tested against real-world incident data and updated accordingly to reflect the latest trends and shifts in outcomes, event pathways, and predictors. Cyence employs methodologies that reasonably stabilize results across the timeframe, offering an informed and steady solution that the industry can rely on now and in the future.


Copyright © 2025 Klaros Group LLC – All Rights Reserved.
