Cyber and information security risk programme

  • 1 July 2019

What is the ORX CISR programme?

We're trialling how we can support firms with their day-to-day cyber and information security risk (CISR) management. Cyber presents a significant problem to operational risk managers. Cyber and digital are both considered to be strong emerging risks, as shown in our recent Operational Risk Horizon study. And there is pressure from boards, regulators and senior management to show that these risks are being effectively managed.

The challenge operational risk professionals face is how to manage cyber and information security risks when there is a lack of data and information. This makes it difficult to understand your experiences and exposure, and compare them with your peers. It also means you are unable to see if you are taking the right risk management actions.

This is where we think ORX can help, by supporting firms to:

  • Understand their risk exposure for cyber and information risk
  • Improve how they respond to and actively manage the risk

A global community of experts

To help us work out how we can best support the industry, we've created a working group of cyber and information security experts from a variety of our member firms. This community has identified the key activities that we are currently exploring:

  • Information sharing
  • Research
  • Events/interaction

Current working group
    ORX cyber and information security programme participants

    Join the ORX CISR programme

    Your firm can take part in this programme, even if you're not currently a member of ORX. To find out how you can get involved, please contact us.

    How are we doing it?

    We are currently focusing on two primary areas of the overall project, which are running simultaneously:

    • Information sharing
    • Governance and management practice standards

    Within each of these are a number of smaller workstreams concentrating on specific aspects of the cyber and information security challenge.

    Proposed timeline

    (Timings and priorities may change as the project progresses)

      ORX cyber and information security initiative timeline

      Information sharing

      The information sharing part of the programme has been split into three smaller deliverables:

      1. Definition development – completed, find out more about the definitions
      2. Sharing key controls, indicators and frameworks (May-September 2019)
      3. Incident data sharing (timings and details tbc)

      Information sharing papers and outputs

      ORX Cyber and Information Security Risk Programme Definitions June 2019

      Governance and practice standards

      This part of the programme is looking at:

      1. Operating models, roles, responsibilities and budgets (May-July 2019)
      2. Regulatory drivers and priorities (timings and details tbc)
      3. Reporting (timings and details tbc)
      4. Risk management practices (timings and details tbc)
      5. Practice standards (timings and details tbc)
