Roles and responsibilities in cyber and information security risk management

  • 24 September 2019

ORX is currently developing a cyber and information security risk (CISR) management programme. As part of this, we surveyed 25 financial institutions to establish where cyber risk management responsibilities sit across the three lines of defence, and to identify those areas where there is confusion.

We asked participants to tell us where responsibility currently sits for 24 specific risk management activities. We wanted to see how responsibilities and roles are currently distributed, and then work together to develop a model that could reduce confusion and add clarity.

Distribution of cyber and information security risk management activities

In collaboration with the working group, we’ve drafted a suggested distribution of activities across the three lines based on our survey results and discussions. Our working group agreed that typically a few activities would continue to sit across the lines, but that this is to be expected. We hope this will act as a useful guide for operational risk managers throughout the financial services industry.

[Figure: distribution of cyber responsibilities across the three lines of defence]

Download the report to get a copy of the distribution

ORX CISR programme - cyber and information security roles and responsibilities

Highlights from the survey

Key findings

All the participants in our survey operate a three lines of defence model. We found that second line of defence cyber and information security teams typically consist of between three and five people. The operating models have been in place for between one and ten years and are continuing to evolve.

Four main challenges identified

Our survey identified four main challenges - the first of which we hope our model of roles and responsibilities above will help to solve.

  1. Including a 1.5 or 1B line in the three lines of defence model leads to confusion over responsibilities for the first and second line
  2. A CISO reporting into a CIO may create a conflict of interest
  3. Second line CISR resource is scarce, and firms are having to train internally to build capacity
  4. There is a low level of IT knowledge on the board, and CISR issues can sometimes get lost in wider operational risk discussions

Download the report to find out more

ORX CISR programme - cyber and information security roles and responsibilities

Solving the problems of cyber risk management

This survey was done as part of our programme to support institutions with the management of cyber and information security risk (CISR). The programme will help you overcome the main challenges of CISR management and measurement: the availability of good-quality, relevant data, and the ability to compare and benchmark actual incidents.

Find out how ORX can help you manage cyber risk

ORX CISR programme