
Top priorities from the 2024 ORX Cyber Forums


This year, ORX Cyber hosted two forums – one in London and one in New York. We were joined by over 50 senior leaders in cybersecurity from around the world to discuss key issues and share insights on cyber and technology risk. Topics included AI, resilience regulations and ecosystem risk.

The events provided a unique opportunity for second line cyber risk management leaders to network amongst peers and share experiences. This blog summarises our key takeaways.


52 Cyber Risk Leaders

31 Firms

4 Regions


Top priorities from the forums

AI

Unsurprisingly, AI remains a key focus for attendees across both locations. There was a notable difference when compared to last year’s events, with many attendees now embracing the use of AI technologies. However, firms are still grappling with how to safely scale its use, and work continues in developing robust governance and control frameworks, often involving multi-disciplinary teams to provide the required expertise. Typically, firms were starting with simple use cases, with little to no customer impact and then considering scaling. There was a notable increase in organisations using products internally to increase productivity and drive efficiencies.

As well as the use and safe implementation of AI, attendees also spoke about the increasing threats of AI-supported attacks and new threats such as deepfakes.

Global regulators start implementing new resilience regulation

The implementation of DORA was on the minds of European attendees, many of whom are conscious of the challenging implementation timelines. Most feel that, whilst the regulation is wide ranging, they will achieve “in spirit” compliance in readiness for 2025. ORX will be hosting further discussion sessions on DORA in November 2024. All members and ORX Cyber subscribers can register for the event here.

Meanwhile, in North America, attendees were also focused on resilience. The challenge of achieving compliance in a global environment where there is conflicting guidance, regulation and legislation was highlighted. Updated regulation was also front of mind for Canadian attendees. The updated Operational Risk Management and Resilience Guideline from the Office of the Superintendent of Financial Institutions, published in August 2024, sets out the relationship between operational risk and operational resilience. As with the regulation we have seen in Australia via CPS230, both regulators are seeking to bring together resilience and risk management. The Canadian guidance seeks the outcome that sound operational risk management practices support operational resilience. ORX supports this approach and sees the benefit of coupling these two practices. Developing end-to-end views of business processes will help support sound operational risk management and resilience programmes, and we believe the introduction of the ORX Reference Process and Service Library will also support this. For an update on this work, please read our blog: Paper identifies leading practices for process and service libraries.

Ecosystem risk

Third party or “ecosystem risk” discussions featured across both locations. With the rise of digitalisation, the increasing number of third parties and how they integrate within the ecosystem of a firm is becoming more and more challenging to manage and oversee. Not just at our cyber forums, but also through our LeadersConnect community meetings, we are consistently hearing attendees unanimously agree that more needs to be done. The industry is calling for best practice to be shared, both to achieve consistency in due diligence and oversight processes and to evolve and improve practice. Without doubt, sharing best practice will help the industry. This will be a key focus for ORX in 2025.

Operating models

In a cost-efficient environment, cyber and technology risk operating models were a further topic of interest, with many attendees seeking to understand peer comparisons and best practice. Three lines of defence, roles and responsibilities, and resourcing were discussed extensively, with cost constraints being a key concern. Insights included disparity between 2nd line FTE resource, the reporting line of the CISO and the expansion of cyber risk team remits.

Working closely with ORX Cyber subscribers, we are currently completing a study on cyber roles and responsibilities to provide insight.

Looking forward

We were delighted to see many of our subscribers and members coming back to this event for the 2nd time to network with peers and share experiences. The ORX Cyber service continues to grow, with several new subscribers joining in 2024. Our unique service, designed specifically for second line, now also offers benchmarking of cyber event data. In 2025, we will continue to evolve the new benchmarks, hold regular working groups and will be completing research on key themes identified by our subscribers including third party and roles and responsibilities. In addition, we will also be holding in-person cyber forums in North America and Europe.

How you can get involved and find out more

ORX will be holding another cyber forum in 2025. Meanwhile, the ORX Cyber subscribers meet on a regular basis through our Cyber Service Working Group. If you do not currently subscribe to ORX Cyber, you can find out more about the service.
