Steve: Welcome to the latest episode of the ORX Operational Risk podcast. I'm Steve Bishop and I'm Director of Research and Information at ORX. Today, I'm pleased to be joined by my colleagues Helen L’Abbate, she's the Head of Services, Melanie Lavelle, who's our Senior Advisor within my team.
Helen: Hi, Steve.
Melanie: Hi, Steve.
Steve: In this episode, will be discussing our latest publication from ORX Cyber, which is a thought leadership article on the priorities for cyber risk management. To support our cyber subscribers in the wider industry. We embarked on a study with the aim of gathering views on how the discipline needs to evolve strategically and the challenges it expects to face over the coming years. Melanie, do you want to sort of give us an overview of the approach that we took to this?
Melanie: Yeah, of course. Thanks Steve. Firstly, just to say a really big thank you to all our participants. We are extremely privileged to draw on the expertise of both our cyber subscribers and the wider ORX members. I'm very grateful for the time they gave us. We interviewed more than 30 senior cyber risk leaders across our cyber community and the wider ORX Membership, including roles across first and second line such as Chief Information Security Officers, Directors of Information Technology, and Global Heads of Information Security, and Cyber.
During the interview, we asked them a series of questions exploring their priorities and those for the industry as a whole for the next 12 to 18 months. Interestingly, we began thinking we would be looking ahead on a longer time frame of three to five years, but it very quickly became clear, given the volatile nature of cyber, this would have to be a much tighter time frame, with 12 to 18 months. During the interview, we identified eight key priorities for the industry and a clear need to work together to drive these forward. And we'll share a bit more on these later.
Steve: Okay, great. Thanks, Melanie. I definitely think with this, this piece of work, from my perspective, it was great to gather such a broad set of inputs from senior leaders in both the first and second line is very pleasing. And that was really the main thing that led to the result. Turning to Helen, what was the sort of general consensus about cyber and the factors impacting the current risk environment?
Helen: Yeah. Thanks, Steve. So, without a doubt, cyber risk continues to be a material concern for financial services organisations. And we see it in our top risk reports. And our participants confirmed it's regularly, discussed at board level with a continuous spotlight on this risk type. And over the last ten years, firms have been maturing their cyber risk management processes. Meanwhile, a number of factors have meant cyber risk is increasing. So, for example, the acceleration of digital transformation, a new era of geopolitical threats that constant innovation by cyber criminals and a number of global factors generally influencing that risk. So, geopolitical tensions, the real threat of cyber warfare instigated by both state and non-state actors, like what we saw in the war in Ukraine, have highlighted how these tensions can quickly and significantly influence risk exposure.
A change in customer expectations and behaviours has been noted over recent years. And what I mean by that is the demand for seamless availability of financial services around the clock and when it's not available, that real threat of serious reputational impact, a greater reliance on technology and third party partners as the financial service ecosystem opens. And the drive for digitalisation and automation continues, and the risk of digitalisation increases. The cyber attack service, which, together with legacy systems, creates vulnerabilities and worsening global economic conditions, can also drive that societal vulnerabilities, leading to an increase in cyber related fraud.
Steve: Great. Thanks, Helen and Melanie. Do we have anything else or any other common factors that participants thought were influencing cyber risk management at the moment? Yes, absolutely. So, alongside the factors, Helen's mentioned, participants really called out two overarching industry factors that they believe are increasingly influential in the ability to improve cyber risk management.
So, the first being people, skills, and knowledge. The majority of participants really acknowledge the challenge in attracting the right technical expertise required both from cyber security perspective and managing risk. The cyber risk management teams need to be fast and dynamic actively providing timely expertise on both business as usual and emerging risks. Today, the right balance of data analysis, resilience, communication, and influencing skills is already required, but likely this will continue to grow and expand over time.
Melanie: In particular, risk needs the skills to communicate effectively to the business so the business truly understands the risks it owns. Articulating those risks in business language is key. And ultimately, we need to change the look in the field of cyber risk professionals of the future. It's paramount that the industry prepares for the future with a proactive people strategy. And then the second thing that was called out very much by all participants was the three lines of defence.
Melanie: And what is the optimum operating model. And again, they talked about keeping a simple language that everybody understands and being able to report in a way that the audience fully understands the risks. So there was generally a lack of consensus on what cyber risk management accountability looks like. And in particular, in the first line, where should the CISO role sit? We had varying opinions on that. We also heard from participants that consideration is needed on how cyber risk gets reported, given the real interconnectivity of the risk and the environment it exists. The challenges that come with multi-dimensional reporting requirements such as your different audiences and purposes. Local reporting versus enterprise reporting, etc.. And what also came across strongly is the need for a common language that can help boards, regulators, and the whole organisation truly embed the understanding of cyber risk and the actions that need to be taken to protect an organisation.
Steve: Thanks, Melanie. We'll very shortly come onto the sort of conclusions of the report and the eight priorities that Melanie mentioned. But before we do that, Helen, is there anything else or any other sort of overarching points you'd like to mention?
Helen: Yes, there was actually there was real consensus across the globe with the points we've just outlined and further unanimity with one other point, which was the industry will only make progress if we work together. And interestingly, there was an article just in the last week in the Financial Times which called out the very same point. And it references the IMF have warned that cyber attacks could create serious financial stability risks and noted the probability of a firm experiencing an extreme loss of $2.5 billion as a result of a cyber incident had now risen to about once every ten years, and that companies are becoming more aware of this highlighted risk. So, given the pace of change and the fact, as we've just heard, the industry leaders we spoke to felt in order to really get ahead of cyber risk, we all have to find ways in which we can work together as an industry.
Steve: Okay. Thank you very much. So, turning to the report conclusions, which I'm sure is the main reason most people were listening. And so from what we heard in the interviews, I think what I understand is we've been able to identify eight common priorities. And these really are the areas in the industry where they're looking to sort of focus, to enhance the management of cyber risk. And I think what was, I guess, very pleasing from the interviews, from what I understand, is that we were able to really hear some really common strands that led to these eight priorities being identified. It'd be good to get you both to talk us through these and give us a little bit of detail about each one. Who wants to go first?
Melanie: I'll start. Steve. Thank you. So, in brief, the first priority that I'll talk about is a need to move to a data driven cyber risk management environment. So, there was a lot of discussion around gaining the right data and metrics to really be able to develop and achieve that data centric risk management environment, the need to both internal and external data to drive to correct decisions, inform those decisions, and importantly, the actions to be taken.
Many called out the challenges of still working to identify the right data to achieve this, but it was really clear that a lot of progress is being made in this area. Secondly, the participants talked about the scale and use of technology to support business transformation. So, not surprisingly, a new technology is being used by most firms in their business transformation agendas. But the rest leaders that we spoke to are also looking to deploy new technology to really help enhance their risk management activities and again, importantly, keep up with the pace of change that the business is driving. Thirdly, the leaders talked about having the ability to identify gaps and blind spots to gain that full visibility of the end-to-end risk exposure.
So, as I said earlier, looking at that interconnectivity and where cyber sits across the whole enterprise. So, there's a real need to provide a group or enterprise level that end-to-end view of the risk exposure and to be able to articulate it in a language the business understands. It's a real priority. So, gaining the visibility of those gaps and blind spots will give a huge benefit to the organisations in being able to manage the full exposure to cyber risk.
And the last point I'll mention before I hand over to Helen is management of third party resilience and the complexity of those third parties and “nth” parties. We've heard this time and time again in many ORX discussions, but the cyber it's an increasing priority. Organisation are increasing their use of third parties and their reliance on third parties to supply technology. And the expertise means that the ecosystem of the organisation is changing. It's much more porous across the organisation, and therefore those supply chains are becoming ever more complex. So organisations are really needing to better understand, map and mitigate the vulnerabilities that come with this, which also leads to the point before about understanding those blind spots that Helen I’ll hand it over to you to do the next few.
Helen: Thanks, Melanie. So number five was, the advanced techniques and best practice for cyber risk measurement. And the challenge of measuring cyber risk is linked to all the previous four priorities that Melanie just mentioned. And there isn't general consensus on which is the most effective way to quantify cyber risk. And many believe it is in the best interests of the industry to share progress on quantification for the benefit of all.
The next priority was automate cyber control management and workstreams to build new cyber control libraries, identify key controls, and to fully understand where and how these key controls are operated within the business are all making good progress, but there is more to do. Progress is also being made in using technology to automate controls. Their assessment and monitoring. Next was enhance and embed of cyber resilience mindset across the organisation. Cyber is a key consideration in any organisations resiliency, but embedding it will require a shift in thinking to an end to end, resilient, aware mindset. And what we mean by that is the similar shift we have seen in the past with enterprise risk and the mantra that everyone is a risk manager mentality.
So the same can be said about cyber and there needs to be a move away from the perception of it is someone else's job who is maybe techie. And this is important for the culture of the whole organisation, not just the technology or security teams. And lastly, it was share and establish a common understanding of threats with regulators and build on an existing relationship with regulators and share an established common understanding of cyber risk landscape and threats for the greater good of the industry and financial system all around.
Steve: Great, thank you very much both. Those were a very nice summary. So, what's the next steps with the paper.
Helen: So, we'll be taking forward some of the topics within the cyber service itself. We have a study on cyber quantification currently in progress. And we're also going to be covering some of the topics at our exclusive in-person event open to cyber subscribers and ORX members. And we're holding two forums this year, our European Forum on the 19th of June in London, and our North America Forum on the 19th of September in New York. All the details for registering for these events can be found on our website. And please be quick as we only have limited places available.
Steve: Okay, great. Well, I think that's just about us done today. So, I wanted to say thank you very much to Helen and Melanie for providing the overview of the thought leadership paper. And I think, most importantly, thank you to you all for listening to the latest edition of the podcast. All sources used in this episode will be added to the show, notes. The ORX Cyber thought leadership paper is available to anyone. So that's members and non-members and it's available to download on our website too. That's orx.org. And the team would also be very happy to take you through the findings. So, if you are interested in understanding more about the findings, understanding more of the conversations that we held with the participants across the industry, get in touch and we'd be very happy to do that. And with that I'll sign off. Thank you very much to everybody.
