Cyber risk ‘far and away’ biggest concern for bank CROs: EY survey


An overwhelming majority of chief risk officers (CROs) from the global banking sector continue to rate cybersecurity risk as their foremost priority over the next year, well above all other measured risk factors, results from EY’s latest annual bank CRO survey have revealed.

Cyber risk – rated by 73 per cent of global CROs as a top five concern for their banks – was ranked significantly above the other high-priority risk considerations, including operational resilience (38 per cent), geopolitical risk (36 per cent), the implementation of regulatory rules and supervisory expectations (36 per cent), data risk (for instance, privacy, governance and control, at 33 per cent), and financial crime risk (23 per cent).

While the result for cyber risk was consistent with the previous year’s ranking, cementing its spot as a “forever threat”, geopolitical risk “rocketed up the agenda this year”, ranked as the third-highest priority for CROs and second-highest for boards. This is well above its placing last year, where it was the 12th-highest near-term priority risk for both CROs and boards.

A larger percentage of CROs from small to medium banks (86 per cent) in this year’s survey rated cyber risk as their foremost priority, compared with around 71 per cent of risk chiefs from major institutions (those above $US1 trillion in assets), with resourcing no doubt a concern for less-moneyed institutions.

The top three CRO priority areas were echoed by boards’ own risk assessment ratings, though ESG (31 per cent) and operational resilience (30 per cent) knocked off data risk and financial crime to make it into their top five.

On emerging risks, banking industry CROs similarly rated the cybersecurity threat landscape (rated by 87 per cent of those surveyed) as the key priority focus area over the next three years.

Other tech-related risks, including data availability and integrity (55 per cent) and risks associated with the use of machine learning and artificial intelligence (AI) (49 per cent), rounded out the top three emerging priorities for CROs.

Just outside of the top five, risk chiefs also rated IT obsolescence and persistent systems legacy (35 per cent), as well as the pace and breadth of change from digitisation (31 per cent), as major concerns for their banks.

In the APAC region, nearly two-thirds (67 per cent) of CROs cited data visibility in AI model training as a key constraint, which, EY notes, reflects “growing concerns about regulatory compliance and risk management in a digital landscape where AI adoption is increasing rapidly”.

“Data quality and provenance remain the most important data usage risk in the eyes of CROs. No doubt business leaders would agree, given that complete, current and accurate data is critical for the smooth functioning of both customer-facing and back-office processes, as well as enabling successful adoption of new technologies,” EY wrote in its 2025 global bank risk management survey, now in its 14th edition.

For EY, the prioritisation of technology-related risks and a recognition of the implications of transformation and innovation strategies came as no real surprise given the rapid pace of digitisation and legacy systems decommissioning across the industry.

The report authors also saw the progressive implementation of AI technologies as presenting “as much downside risk as it does potential to create value”.

“It has only heightened CRO awareness of risks related to technology modernisation and data enhancements.

“Machine learning (ML), cloud computing, quantum computing, and other technologies, along with their growing interdependencies, will present similar risk and challenges in the future.”

“CROs are certainly embracing AI and ML within their own teams and operations. Data analysis and automated analysis of documentation are the most common use cases.

“While CROs no longer see talent as the top constraint for adoption of AI and ML, skill gaps are a factor in their concerns about methodology and programming (e.g., building models, implementing them and managing the associated risk).”

Nevertheless, the current crop of CROs did stress their ongoing difficulties with recruiting cybersecurity professionals – “the hardest skill set to attract, especially for global systemically important bank CROs… 83% of whom say it was challenging, compared to 52% of their peers at all banks”.

Commenting on the results of the survey, Goran Stojanoski, EY Oceania financial services risk management leader, noted that, over the past 12 months, the banking and capital markets sectors have seen “a step change in engagement with the AI agenda… bringing with it both new opportunities and new risks”.

This, he added, “will only intensify in the year ahead”.

“All of this is occurring in the context of increased geo-political disruption and volatility, adding to the already highly complex demands of the CRO role.”

EY surveyed 115 banks across 45 countries, with at least 10 per cent of participants from global systemically important banks.