
ORX CISR programme: Improving cyber and information security risk management

We're currently working on a programme to support firms with their day-to-day cyber and information security risk (CISR) management. This is an element of our material risks in focus work, which takes a single risk type and looks in detail at how we can support institutions to manage it.

The cyber challenge

Cyber and information security are some of the most concerning risks facing the industry today. Boards, regulators and senior management want to know that these risks are being effectively managed.

The challenge operational risk professionals face is how to manage cyber and information security risks without sufficient data and information. How can you understand your experiences and exposure and compare them with your peers? How do you know if you are taking the right risk management actions?

This is where ORX can help. We are supporting firms to:

  • Understand their risk exposure for cyber and information risk
  • Improve how they respond to and actively manage the risk

A global community of experts

To help us work out how we can best support operational risk functions, we've created a working group of cyber and information security experts from among a variety of our member firms.

This community has identified key activities for us to explore:

  • Information sharing
  • Research
  • Events and interaction

ORX CISR programme resources

Roles and responsibilities in CISR management
We surveyed 25 financial institutions to establish where cyber and information security risk management responsibilities sit across the three lines of defence, and to identify those areas where there is confusion.
CISR programme definitions
Working with participants of the ORX cyber and information security risk (CISR) programme, we have created definitions for cyber and information security risk that we'll use throughout the project.

    Join the ORX CISR programme

    Your firm can take part in this programme, even if you're not currently a member of ORX. Being part of the cyber programme will give you insights into cyber and information security risk management that you can't get elsewhere, and give you access to a global network of experts and peers.

    Contact us to find out how you can get involved 

    How are we doing it?

    We are currently focusing on two primary areas of the overall project, which are running simultaneously:

    • Information sharing
    • Governance and management practice standards

    Within each of these is a number of smaller workstreams concentrating on specific aspects of the cyber and information security challenge.

    Information sharing

    The information sharing part of the programme has been split into three smaller deliverables:

    1. Definition development – download the definitions
    2. Sharing key controls, indicators and frameworks – in progress
    3. Incident data sharing (timings and details tbc)

    Governance and practice standards

    This part of the programme is looking at:

    1. Operating models, roles and responsibilities – see what we found out
    2. Regulatory drivers and priorities (timings and details tbc)
    3. Reporting (timings and details tbc)
    4. Risk management practices (timings and details tbc)
    5. Practice standards (timings and details tbc)

    Bringing the industry together

    As well as looking at information sharing and practice, we are also providing plenty of opportunities for collaboration. We've been holding regular working group meetings for those involved in the various workstreams, and we have a roundtable planned for November. The roundtable will give participants the opportunity to meet face-to-face for a full day of in-depth discussions.

    The year so far in cyber risk...

    (Stats from the ORX News service, 1 January 2019-16 September 2019)

    Over 70 events, from 28 countries, with losses of $443m in total.

    More from ORX on cyber

    Press release: ORX to create cyber control and indicator libraries
    Esther Britton, 27 November 2019
    ORX has gathered key controls and indicators from over 20 financial institutions based around the world. This information will allow us to create libraries of controls and indicators used for managing and monitoring cyber and information security risk.

    Information: Four challenges of distributing cyber operational risk management responsibilities
    Melanie Lavallin, 13 November 2019
    Financial institutions face four key challenges when distributing roles and responsibilities for cyber risk management: lack of clarity; conflict of interest; resource and capacity; and low board-level understanding of cyber and IT.

    Press release: ORX surveys firms to find controls and indicators for cyber risk
    Esther Britton, 29 October 2019
    We are currently surveying financial firms to find out what key controls and indicators they are using to manage cyber and information security risk. This survey is being done as part of our cyber and information security risk (CISR) programme.

    Research: Roles and responsibilities in cyber and information security risk management
    Melanie Lavallin, 24 September 2019
    We surveyed 25 financial institutions to establish where cyber and information security risk management responsibilities sit across the three lines of defence, and to identify those areas where there is confusion. See what we found out.

    Research: Cyber and information security risk definitions
    Melanie Lavallin, 4 July 2019
    Working with participants of the ORX cyber and information security risk (CISR) programme, we have created definitions for cyber and information security risk that we'll use throughout the project.

    Press release: IMF cyber risk paper uses ORX News data
    John Bosnell, 28 June 2018
    Antoine Bouveret, an economist at the International Monetary Fund (IMF), has published a working paper, “Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment”, which used ORX News data as its main input.

    Join the CISR programme

    Find out how your institution can become part of the ORX cyber and information security programme.

    Contact us