ORX Cyber reflects on the progress made in 2024, celebrating key achievements and strengthened collaboration with subscribers, while looking ahead to new priorities and opportunities in 2025.
As we kick off our work in 2025, we reflect on another successful year for ORX Cyber. Working together with the Cyber Community, the service identified eight key cyber risk management priorities in our thought leadership paper, tackled how organisations are managing the risks associated with AI and explored how firms are approaching cyber risk quantification through our research papers. We also developed and enhanced our data services to provide better insights to subscribers and continued to offer valuable networking opportunities where the community can share experiences and learn from their peers.
Keep reading to learn more about what we’ve achieved over the past year and how it could benefit your organisation, as well as our plans for the year ahead.
Research & practice
Faster & safer: Priorities for cyber risk management
With emerging cyber threats continuing to grow, this thought leadership paper from ORX Cyber reviews the current state of cyber risk management and investigates how firms can be more proactive and prepared for the challenges the next 12-18 months may bring. Based on discussions with over 30 senior cyber risk leaders, this white paper presents eight key priorities for institutions to strengthen their cyber risk management through better practices and an open mindset. There is a clear call for standardisation and collaboration across the cyber risk management space that will facilitate the industry in making the necessary progress faster.
Risk management considerations for generative AI
Following the release and significant growth of generative AI tools, ORX Cyber (in partnership with the ORX Data Science Community) took a deeper dive into how organisations are managing the risks associated with this emerging technology. The adoption of GenAI naturally has the potential to impact several risk areas - not least information security, data management, and external fraud - and these risks need to be managed and mitigated accordingly. As highlighted by this paper, careful, cross-functional oversight with a clear governance structure is required to adequately manage the rapidly evolving role of GenAI within institutions. The full report explores the top risks and concerns associated with GenAI in further detail and examines how firms are approaching risk management. With 75% of firms indicating that they are already using GenAI tools to some extent, firms need to be proactive in their risk management of GenAI to be prepared to harness the true potential of future wide-scale use of such tools.
Cyber Risk Quantification Study 2024
Following on from our work on Cyber Risk Quantification in 2022, this report examines the progression of the industry in relation to this key area of cyber risk management. The 2024 study highlights several challenges, including data adequacy, skill availability, and the broad range of methods and goals across the industry. Institutions see the value in an effective quantification approach, and there remains a desire to move towards a more quantitative approach. However, with no “one-size-fits-all” methodology available yet, it remains up to each firm to develop their approach to suit their purposes.
Plans for 2025
In 2025, we will continue to focus our research agenda to meet subscriber needs. Our pilot Cyber Horizon study, which analyses key trends across the emerging cyber threat landscape, will be published in Q1. In H1, we will also conclude our refresh of Cyber Roles & Responsibilities, a topic identified as a key priority at our 2024 Cyber Forums. Our research theme for H2 will be third- (and nth-) party risk management, with a series of activities to support subscribers in managing this critical risk.
Data & benchmarking
Cyber Event Data Exchange
✓ Following discussions with our subscribers, ORX Cyber identified opportunities to further develop and enrich the Cyber Event Data Exchange, which now includes 469 events. In August 2024, we introduced several schema updates based on subscriber feedback. These updates included aligning cyber control failures to NIST 2.0, refreshing specific fields, and adding new fields to enhance the data collected. For more information on what data is collected, see the Cyber Reporting Standards (C-ORRS). For insights into trends from the 2024 Cyber Event Data, see our Quarterly Infographics and Quarterly Information Packs.
Controls and Indicators Benchmark
The ORX Cyber Controls and Indicators Benchmark provides a novel, aggregate view of institutions’ comparative maturity in this area of cyber risk management practice. Nine organisations took part in the benchmarking process this year and received a personalised benchmark report comparing their organisation to the wider industry. Controls are assessed against the NIST framework, while indicators are assessed against ORX’s own bespoke list, aligned with the functions of the NIST framework.
Plans for 2025
Our focus for 2025 for the Event Data Exchange will be on improving data quality and enhancing reporting before migrating to Agora, our next-generation data exchange platform. We also plan to review the Controls & Indicators exercise and make improvements to ensure that the reports deliver as much value as possible, including updating the controls collected to version 2.0 of the NIST framework.
Networking & community
European Cyber Forum 2024 & North American Cyber Forum 2024
We were delighted to host ORX Cyber Forums in Europe and North America again this year, bringing together almost 60 cyber risk professionals from over 30 organisations to network and generate ideas for the future of cyber risk management. Key topics and priorities covered at the forums included embracing and harnessing AI's growth, addressing new global resilience regulations, and tackling the emerging problems of deepening ecosystem and third-party risk.
Cyber Service Working Group & Cyber Definitions Working Group
ORX held regular meetings of both the Cyber Definitions Working Group (CDWG) and the Cyber Service Working Group (CSWG) throughout 2024, facilitating the discussion of cyber risk topics, guiding members through the work of ORX Cyber, and allowing subscribers to pose pertinent questions to their peers. We aim to continue holding quarterly meetings of both groups, as well as hosting additional calls for in-depth discussions on key topics as needed. We are always keen to have our members and subscribers contribute and help shape the agendas of these groups.
Plans for 2025
We will once again hold in-person European and North American forums in 2025 and would love to see both returning and new faces at these events. Our CDWG and CSWG will continue to meet regularly throughout 2025, and we encourage you to send in any questions you may have for your peers or topics you wish to discuss. We will also host our first Cyber Community Webinar on 4 February. Aimed at those who aren’t typically involved in the day-to-day activities of the ORX Cyber working groups, this recorded information session will highlight our recent work and key findings that you may have missed.
We would like to thank all our subscribers for their valuable contributions throughout 2024. If you would like to find out more about the work of ORX Cyber or get involved in our community then we’d love to hear from you! 
