Cyber risk has emerged as a key threat to financial institutions. The objective of this paper is to analyze cyber risk from an operational risk perspective and to measure cyber risk empirically. Using a novel data set on cyber attacks, we analyze the main characteristics of cyber attacks and identify patterns using correspondence analysis. We apply the loss distribution approach to the data set and show that the distribution of losses due to cyber risk has a heavy tail and is best modeled by a generalized Pareto distribution. We derive risk measures under different scenarios and show that the estimated losses are substantially larger than the size of the cyber-insurance market. Our results emphasize the need to improve the modeling of cyber risk from an operational risk perspective.