Supporting digital risk management - CRO Forum work on digital incident categorisation - OECD Expert Group meeting 12/13 May 2017 - OECD.org
General Public Release
Supporting digital risk management - CRO Forum work on digital incident categorisation
OECD Expert Group meeting 12/13 May 2017
Nick Kitching, CRO Swiss Re Europe S.A.
CRO Forum cyber risk work
The CRO Forum is currently trialling an updated
version of the proposed categorisation. The trial is
supported by ORX and ORIC.
The trial looks to test the tracking, reporting and sharing of data (on an anonymized/aggregated basis) regarding digital incidents, with a view to understanding whether the categorization methodology can:
1. enhance information security practices;
2. provide useful aggregate empirical benchmark
data; and
3. support cyber underwriting practices.
Aims
• learn from the challenges and opportunities; and
• identify consistent data identification/collection practices.
Nick Kitching | 13 May 2017 | OECD digital risk management workshop | 2
Trial categorisation
Step one – incident identified as high or medium on severity matrix thresholds (High / Medium)
Severity matrix thresholds are based on factors such as customers affected, direct financial impact, privacy, legal/regulatory impact, reputational impact and business interruption (service criticality, duration and service impact).
Step two – categorisation methodology used to describe the incident (13 factors)
Factors 1-5 – INCIDENT (IT focused)
Leveraging VERIS definitions. Capture:
• Incident type (technical impact)
• Action
• Asset
• Affected kind of data
• Actor
Factor 6 – EVENT TYPE (operational risk focused)
Identifies what happened; uses the existing op risk framework.
Factor 7 – ROOT CAUSE (operational risk focused)
Specifies why the cyber event occurred; uses the existing op risk framework.
Factors 8-13 – IMPACT/COVER (underwriting focused)
• Business impact based on the RMS/AIR schema (22 types)
• Financial impact
• Date of detection
• Impact location
The trial looks at whether the concept, built using existing internationally accepted frameworks for categorisation of incidents/events, can provide empirical descriptions of an IT incident/attack that support risk management.
Challenges, opportunities and observations
Challenges
• issues around assessing incident costs;
• duplication with other internal requirements;
• application of each Member’s unique severity assessment matrix for rating incidents;
• definitional refinement of data points;
• tracking of so-called “near-misses”;
• existing internal silos.
Opportunities
• increased communication, coordination and engagement across the key internal stakeholders of each Member;
• applicability to emerging regulatory requirements (e.g., GDPR) and other cyber incident frameworks (e.g., STIX);
• embedding operationally;
• leveraging emerging technologies (e.g., end-to-end automated IT Incident Management tools, etc.).
Aggregated empirical benchmark data
It is too early to draw any firm conclusions from the incidents captured so far
and whether the trial could deliver the full benefits anticipated. However, it is
clear that Members appear to be experiencing good internal dialogue as a
result of applying the trial within their organisations.
Legal notice
©2017 Swiss Re. All rights reserved. You are not permitted to create any modifications
or derivative works of this presentation or to use it for commercial or other public purposes
without the prior written permission of Swiss Re.
The information and opinions contained in the presentation are provided as at the date of
the presentation and are subject to change without notice. Although the information used
was taken from reliable sources, Swiss Re does not accept any responsibility for the accuracy
or comprehensiveness of the details given. All liability for the accuracy and completeness
thereof or for any damage or loss resulting from the use of the information contained in this
presentation is expressly excluded. Under no circumstances shall Swiss Re or its Group
companies be liable for any financial or consequential loss relating to this presentation.