A recent report from ORX Cyber on Roles and Responsibilities has revealed that 78% of banks and insurers are finding it either ‘difficult’ or ‘very difficult’ to fill cyber risk team vacancies. The report is the latest in a series from ORX Cyber on the topic and is based on responses from 18 banks and insurance firms. We produced the report to support our clients in understanding and benchmarking cyber risk management roles and responsibilities across the three lines of defence, as well as to provide insight into key challenges such as recruitment and cyber controls oversight. ORX Cyber subscribers can download the report to read the full insights and analysis.
Scope creep in the 2LOD
The report looks at role requirements and challenges across the three lines of defence (3LOD). Responses show that the number of people with cyber risk management responsibilities in firms’ second line of defence (2LOD) is small. In fact, over half of firms have fewer than 10 full-time equivalents (FTEs) in their 2LOD teams. This low number affects the scope of FTEs’ roles and responsibilities, which are often blended with responsibilities including:
- Regulatory compliance
- Third party
- Technology
- Business continuity
- Physical security
Cyber risk managers are also expected to play a role in the oversight of emerging technologies such as artificial intelligence and cloud.
Diving deeper, the report reveals that over 70% of participants stated the average tenure of 2LOD teams to be over three years, during which time employees build up considerable knowledge and experience. It’s this level of expertise and specific institutional knowledge that makes it challenging for firms to replace those who do leave, a process that ORX reveals takes on average 3-6 months for half of firms, and for nearly 30% of firms takes 6 months or more.
Rising risks and regulations
More positive than the struggle to recruit is the finding that 28% of organisations surveyed now have a cyber risk specialist on the Board (up from 13% in the 2019 Cyber Roles & Responsibilities study). This adoption is potentially driven by firms’ struggle to keep up with rapid advancements in technology, alongside new regulations such as the Digital Operational Resilience Act (DORA) and SEC rules on cybersecurity risk management, which are also cited in the report as the drivers of change in organisations’ operating models for cyber risk management.
ORX Cyber - supporting the 2LOD
The 2025 Roles and Responsibilities report is available to all ORX Cyber subscribers. We're also running an upcoming individual firm-level benchmark that will further help our subscribers to compare their allocation of cyber risk management responsibilities against their peers in the industry.
About ORX Cyber
ORX Cyber supports second line practitioners with the intelligence they need to manage and measure cyber risk. Designed specifically to support financial organisations, ORX Cyber provides many benefits, including:
- Access to crucial cyber event insights through data exchange
- Collaboration and engagement with experts and your peers
- In-depth research helping you make informed decisions and improve practice