As shown once again in our June 2023 Top Risk Review, information security including cyber risk remains the top concern across the industry. Firms are embracing digital transformation and leveraging advanced technology solutions to drive business growth and optimise efficiencies. Therefore, risk managers are keen to ensure they are addressing the associated risks effectively, particularly given the significant potential impacts.
Following the ORX European Cyber Forum hosted by ORX Cyber in June 2023, this blog highlights the top 3 key cybersecurity concerns amongst operational risk professionals who attended the forum, as well as their top 3 cyber risk management priorities for the next 12 months.
%20(1075%20%C3%97%20768%20px)%20(950%20%C3%97%20600%20px)%20(950%20%C3%97%20500%20px)%20(850%20%C3%97%20500%20px)%20(800%20%C3%97%20500%20px).svg)
Top 3 key cybersecurity concerns
Cloud technology
Firms spoke about the exponential growth in the adoption of cloud technologies. There is considerable focus on the associated risks, both in terms of resiliency and security. From a resiliency perspective, firms are concerned with concentration risk, i.e., the industry as a whole being overly reliant on a small set of infrastructure providers. Cloud security is a shared responsibility model, but it needs to be established where an organisation’s responsibility ends and the provider’s responsibility begins.
Third party risk
Firms are concerned about not being notified by third parties when they are experiencing an incident, as well as getting the necessary detail. This is especially the case when third parties are smaller organisations. Firms are keen to investigate the most effective ways of engaging with third parties to encourage proactive sharing of risk information.
AI (Artificial intelligence)
Regarding specific technologies, there was a great debate among the Cyber Forum participants on the use of cloud-based tools like ChatGPT… “to block or not to block?” There was also discussion around roles and responsibilities needing to be clearly defined regarding AI and its use by firms. Which activities sit with the second line of defence versus the first line of defence? And, which are the responsibility of model risk teams? Another key message was that fundamentally, the risk management principles/techniques are the same, but the pace of change is perhaps different from past technological shifts.
Top 3 cyber risk management priorities for the next 12 months
Metrics and data
There is a need to define the scope and for the use of data to be clear on who owns it. Should the 1LOD and 2LOD work together to have one set of data? Or should the second line develop additional metrics based on their own data to be able to monitor the first line? The general consensus amongst the Cyber Forum attendees was that there is a further need across the board to increase maturity in this space, perhaps applying some consistency across the different organisations.
It is the ambition of many to bring data together to automate, and there were several thoughts on how people will begin to move in that direction. A clear starting point was to link data and metrics to risk appetite and think about what needs to be reported to the board and senior management versus what’s more useful for day-to-day management and for use in the first line.
DORA (Digital Operational Resilience Act)
Firms are prioritising how they can apply the DORA regulation within the cloud. There is a lot of focus on how to alleviate concerns on implementing DORA and FCA guidelines, and how to overcome difficulties adhering to DORA standards. For more insights, listen to this podcast episode from the ORX News team which explores DORA.
Quantification
This came across as a big priority since there is currently no consensus across the industry on the best approach to cyber risk quantification. Some ORX Cyber subscribers have used the FAIR methodology, and others have moved away from this.
