Steve Bishop presents at OECD cyber risk workshop
- 15 May 2017
Steve Bishop, Head of Insurance and Asset Management at ORX, presented on cyber incident data capturing and sharing at the OECD workshop on improving the measurement of digital security incidents and risk management. The event took place on 12 and 13 May in Zurich, Switzerland, and Steve was there on both days.
As well as providing an overview of ORX Association, Steve discussed the work ORX has been undertaking, in conjunction with the Chief Risk Officer Forum (CROF), to use its established data exchange platform to trial the collection and anonymous sharing of cyber incident data between participating insurers. He talked through the approach taken, the challenges faced with the trial so far, as well as the potential next steps being explored.
Cyber risk categorisation project
The cyber risk categorisation project has been running since July 2016. Working closely with the CROF and our Members, we have identified a common language for categorising cyber incidents. We are now using this to support the anonymous capture and sharing of cyber incidents among project participants. This is designed to support improvements in cyber resilience and risk management, as well as the improved communication and understanding of the accumulation of cyber risks. You can find out more about the CRO Forum methodology on their website, including their original project proposal.
About the OECD workshop
The workshop was attended by representatives from governments, academic institutions, financial services firms and the OECD. Discussions focussed on key cyber security issues and their threat to the social and economic environment. Topics included requirements for risk management practices, cyber insurance coverage, data gathering and sharing requirements, as well as innovative practices being developed to tackle these issues. Nick Kitching, CROF and Swiss Re, and Steve Bishop, ORX, presented on the CROF cyber incident trial and ORX’s capabilities to anonymously collect and share cyber incidents.
There was significant interest, both in the data categorisation and in ORX. A number of attendees are keen to follow up and investigate potentially adopting the categorisation and approach into wider academic and government approaches. With the CROF, we intend to now work further with the OECD to share the approach being taken. The OECD will also be developing a road map of actions to progress work to improve the management of cyber risk across industries and public sectors.