Defining security risk appetite statements for a Financial Services client

Working with the Security and Risk functions of a Financial Services client, we defined a series of security risk appetite statements with varying degrees of criticality. For example: “We have zero appetite for customer detriment due to cyber risk.” This statement enabled the team to design metrics such as the number of databases that contain customer personal information but are not protected by encryption technology.

324 turned the detailed metric set into project requirements for embedding into the change process. The higher-level metrics were reported to the Board as a single dashboard.

Over time, senior management was able to see the progress towards improving their control over pre-defined areas of cyber risk, without getting lost in technical detail.

If you would like our help to define your security risk appetite, then please get in touch with us at or by phoning +44 203 603 4733.
