
ORX CISR programme:
Improving cyber and information security risk management

We're currently working on a programme to support firms with their day-to-day cyber and information security risk (CISR) management. This is an element of our material risks in focus work, which takes a single risk type and looks in detail at how we can support institutions to manage it.

The cyber challenge

Cyber and information security are some of the most concerning risks facing the industry today. Boards, regulators and senior management want to know that these risks are being effectively managed.

The challenge operational risk professionals face is how to manage cyber and information security risks without sufficient data and information. How can you understand your experiences and exposure and compare them with your peers? How do you know if you are taking the right risk management actions?

This is where ORX can help. We are supporting firms to:

  • Understand their risk exposure for cyber and information risk
  • Improve how they respond to and actively manage the risk

A global community of experts

To help us work out how we can best support operational risk functions, we've created a working group of cyber and information security experts from among a variety of our member firms.

This community has identified key activities for us to explore:

  • Information sharing
  • Research
  • Events and interaction

ORX CISR programme resources

Roles and responsibilities in CISR management
We surveyed 25 financial institutions to establish where cyber and information security risk management responsibilities sit across the three lines of defence, and to identify those areas where there is confusion.
CISR programme definitions
Working with participants of the ORX Cyber and information security risk (CISR) programme, we have created definitions for cyber and information security risk that we'll use throughout the project.

    Join the ORX CISR programme

    Your firm can take part in this programme, even if you're not currently a member of ORX. Being part of the cyber programme will give you insights into cyber and information security risk management that you can't get elsewhere, and give you access to a global network of experts and peers.

    Contact us to find out how you can get involved

    How are we doing it?

    We are currently focusing on two primary areas of the overall project, which are running simultaneously:

    • Information sharing
    • Governance and management practice standards

    Within each of these is a number of smaller workstreams concentrating on specific aspects of the cyber and information security challenge.

    Information sharing

    The information sharing part of the programme has been split into three smaller deliverables:

    1. Definition development – download the definitions
    2. Sharing key controls, indicators and frameworks – in progress
    3. Incident data sharing (timings and details tbc)

    Governance and practice standards

    This part of the programme is looking at:

    1. Operating models, roles and responsibilities – see what we found out
    2. Regulatory drivers and priorities (timings and details tbc)
    3. Reporting (timings and details tbc)
    4. Risk management practices (timings and details tbc)
    5. Practice standards (timings and details tbc)

    Bringing the industry together

    As well as looking at information sharing and practice, we are also providing lots of opportunities for collaboration. We've been holding regular working group meetings for those involved in the various workstreams, and we have a roundtable planned for November. The roundtable will give participants the opportunity to meet face-to-face for a full day of in-depth discussions.

    The year so far in cyber risk...

    (Stats from the ORX News service, 1 January 2019-16 September 2019)

    Losses in total: (figure not captured on this page)

    Join the CISR programme

    Find out how your institution can become part of the ORX cyber and information security programme.

    Contact us