Roles and responsibilities in cyber and information security risk management

As part of our work to develop a service to support cyber and information security risk (CISR) management, we surveyed 25 financial institutions to establish where cyber risk management responsibilities sit across the three lines of defence, and to identify those areas where there is confusion.

We asked participants to tell us where responsibility currently sits for 24 specific risk management activities. We wanted to see how responsibilities and roles are currently distributed and then work together to develop a model that could reduce confusion and add clarity.

Distribution of cyber and information security risk management activities

In collaboration with the working group of participants, we’ve drafted a suggested distribution of activities across the three lines based on our survey results and discussions.

Our working group agreed that typically a few activities would continue to sit across the lines, but that this is to be expected. We hope this will act as a useful guide for operational risk managers throughout the financial services industry.

Highlights from the survey

Key findings

All the participants in our survey operation a three lines of defence model. We found that second line of defence cyber and information security teams typically consist of between three and five people. The operating models have been in place for between one and ten years and are continuing to evolve.

Four main challenges identified

Our survey identified four main challenges - the first of which we hope our model of roles and responsibilities above will help to solve.

1. Including a 1.5 or 1B line in the three lines of defence model leads to confusion over responsibilities for the first and second line
2. A CISO reporting into a CIO may create a conflict of interest
3. Second line CISR resource is scarce, and firms are having to train internally to build capacity
4. There is a low level of IT knowledge on the board, and CISR issues can sometimes get lost in wider operational risk discussions

Solving the problems of cyber risk management

This survey was done as part of our work to understand how ORX can support institutions with the management of cyber and information security risk. From this we developed ORX Cyber, a service which will help you overcome the main challenges of cyber risk management . 

ORX Cyber is a premium service which combines information sharing, research and collaboration to support second line cyber and information security risk managers at financial firms.

Discover ORX Cyber