The Bank of England has published a speech on the approach financial institutions should take to managing cyber-risk. The speech argues that cyber-risk can be managed like anything else that can damage a firm's business, by understanding it and balancing investment in mitigation against similar investments needed in the business, and that it is a leadership and management issue rather than an issue simply for the IT department. Firms should use the same governance approaches as they use in other parts of their business, which will require clear policies and standards, good management information and a sensible approach to compliance. Firms should assess the likelihood and impact of cyber-risk, and to do so the Bank suggests breaking the risk down into threats, vulnerabilities and assets (i.e. systems and information underpinning the firm's processes).