If you are not aligned to the regulatory expectations on cyber security, this is a regulatory risk. But this risk is not the real problem – it’s just a symptom of a bigger problem.