RiskBusiness releases cyber classification taxonomies

London, 30th January 2017: RiskBusiness, the leading international operational risk solutions firm, today released two new classification taxonomies specific to cyber incidents.

“One of the biggest risks today for any firm irrespective of industry is cyber,” said Mike Finlay, CEO of RiskBusiness. “However, while there is considerable discussion around the topic and even draft regulations in several jurisdictions, there has, until now, not been any classification structure available by which risk intelligence can be extracted from cyber incidents. Management cannot make decisions or authorise investment without a detailed understanding of the threat and how it manifests itself. A cyber incident report that states the firm suffered 87 incidents which cost a total of $150,000 is relatively meaningless. Our two new taxonomy libraries allow the firm to group cyber incidents either by consequence (disruptive incidents, such as Denial of Service attacks, worms or code injections; destructive incidents, such as logic bombs and advanced persistent threats; or reputational incidents, such as pharming) or by method of attack (self-perpetuating incidents, such as a virus; human actor incidents, such as hacking; or computer assisted incidents, such as a multi-stage attack). Now a firm can attribute each cyber incident to the specific incident type and can give management very specific information on frequency, duration and impact”.

For financial services firms operating under either Basel II/III or Solvency II, the use of classification taxonomies on risks and loss data is nothing new, but according to Finlay, currently available classification structures do not cover cyber incidents. “As firms start to collect cyber data both for internal management purposes and for regulatory reporting, and as other players, such as insurance companies offering cyber cover or trade associations seeking to benchmark data across their members, do likewise, these new classification structures will become critical,” says Finlay.

Graeme McGowan, an independent cyber security specialist who is a member of the London Chamber of Commerce & Industry Defence & Security Committee and Cyber Working Group, welcomed the new classification structures, stating: “This initiative will help industry understand better the cyber threat landscape, which is expansive and growing daily. It will enable horizon scanning and identification of trends and developments in the cyber threat and information security space and, critically, accurate reporting of breaches, which can be complex. This will be critical with the General Data Protection Regulation (GDPR) coming into effect in all EU Member States on 25th May 2018. The law applies to every company that collects, processes or stores an EU citizen’s data, regardless of sector, size or geographical location; compliance is complex and preparation will require an exhaustive process. Compliance obligations are introduced for the first time and significant penalties will exist for non-compliance, including compensation and fines of up to 4% (uncapped) of group global turnover, and national governments will be permitted to introduce criminal sanctions. GDPR is intended to force Boards and executives to deliver the highest possible privacy and data security services to Data Subjects. It is they who will be held to account in the event of non-compliance or data breach. Decision makers will be expected to have excellent knowledge of data protection law and practice and have sufficient seniority and influence with the Board. Governance tools (policy documents and other records) will be the first place regulators will turn for evidence of compliance.”

The two new cyber incident type classification libraries are now available to subscribers to the Taxonomy Service within RiskBusiness’ RiskIntelliSet™.

- ENDS -

Contact Information

RiskBusiness:
• Mike Finlay, CEO mike.finlay@riskbusiness.com, +44 7721 969224

Notes to Editors

More information on RiskBusiness can be found at www.riskbusiness.com.

About RiskBusiness

RiskBusiness is an international operational risk, compliance, governance and enterprise-wide risk management solution provider, delivering risk content, risk intelligence, risk tools and risk advisory services to its clients. It is an association of like-minded industry professionals, who have the aim of furthering the risk management discipline to enable better risk-reward decision making.

Risk management is an evolving discipline, which has developed in close partnership with the industry. RiskBusiness has, both as individuals and collectively, a depth of established relationships with leading players and regulators in the operational risk field. We are also active participants in industry working groups and contribute thought leadership through publications and education.

RiskBusiness was founded in 2003 and today has principal consultancy locations in London, Buenos Aires, Amsterdam, Hong Kong, New York, Singapore, Toronto and Zurich. RiskBusiness consists of seasoned industry players who have proven experience in designing, delivering, implementing and maintaining leading risk practices.