Four challenges of distributing cyber operational risk management responsibilities
- 13 November 2019
How does your firm allocate cyber risk management roles and responsibilities? We surveyed financial institutions to find out more about industry practice. We wanted to learn how financial institutions distribute cyber and information security risk (CISR) management responsibilities across the three lines of defence.
We conducted the survey as part of our development of a cyber risk management programme. This programme will help operational risk teams to manage and measure cyber and information security risk. The survey identified four main challenges that the institutions are currently facing.
1. A 1.5 line causes confusion over roles and responsibilities
Every firm we surveyed operated a three lines of defence (3LOD) model. Sixty per cent of them also have a ‘1.5’ or ‘1B’ line between the first and second line. But they almost all agreed that a 1.5 line increases confusion.
In particular, a 1.5 line can reduce clarity on independent oversight and reporting. In some cases, it also reduces first line risk ownership, because these roles are not clearly defined.
2. A CISO reporting into a CIO may create a conflict of interest
The most common reporting line in the first line was the Chief Information Security Officer (CISO) reporting into the Chief Information Officer (CIO). Yet our participants noted that this may compromise independence and impartiality.
3. Second line cyber resource is scarce
Our survey showed that cyber and information security risk resource in the second line of defence is scarce. The second line teams tend to be smaller than first line teams, having on average five employees or fewer.
Because there is limited external training aimed at cyber and information security for the second line, firms are trying to upskill their staff with internal training. On top of this, many of the companies we surveyed also said that they are finding it difficult to retain staff.
4. Low level of cyber knowledge on the board
Only 13 per cent of the firms we surveyed have a cyber and information security risk specialist on their board. All the participants agreed that this is a problem and that the board should have specialist cyber knowledge. However, our discussions indicated that there is a general feeling that the board has little appetite to do this.
How can roles and responsibilities be better distributed?
We conducted this survey because we wanted to understand how financial institutions are currently distributing cyber roles. Once we’d collated the results, we worked with members of our cyber programme working group to come up with a suggested distribution that we think will help reduce confusion and add clarity.