Roles and responsibilities in cyber and information security risk management
- 24 September 2019
ORX is currently developing a cyber and information security risk (CISR) management programme. As part of this, we surveyed 25 financial institutions to establish where cyber risk management responsibilities sit across the three lines of defence, and to identify those areas where there is confusion.
We asked participants to tell us where responsibility currently sits for 24 specific risk management activities. We wanted to see how responsibilities and roles are currently distributed, and then work together to develop a model that could reduce confusion and add clarity.
Distribution of cyber and information security risk management activities
In collaboration with the working group, we’ve drafted a suggested distribution of activities across the three lines based on our survey results and discussions. The working group agreed that a few activities will typically continue to sit across more than one line, and that this is to be expected. We hope the distribution will act as a useful guide for operational risk managers throughout the financial services industry.
Highlights from the survey
All the participants in our survey operate a three lines of defence model. We found that second line cyber and information security teams typically consist of between three and five people. The operating models have been in place for between one and ten years and are continuing to evolve.
Four main challenges identified
Our survey identified four main challenges, the first of which we hope the model of roles and responsibilities above will help to solve.
- Including a 1.5 or 1B line in the three lines of defence model leads to confusion over which responsibilities belong to the first line and which to the second
- A CISO reporting into a CIO may create a conflict of interest
- Second line CISR resource is scarce, and firms are having to train internally to build capacity
- There is a low level of IT knowledge on the board, and CISR issues can sometimes get lost in wider operational risk discussions
Solving the problems of cyber risk management
This survey was done as part of our programme to support institutions with the management of cyber and information security risk (CISR). The programme will help you overcome the main challenges of CISR management and measurement: the availability of good-quality, relevant data, and the ability to compare and benchmark actual incidents.