RiskBusiness, the leading international operational risk solutions firm, today released two new classification taxonomies specific to cyber incidents.
“One of the biggest risks today for any firm irrespective of industry is cyber,” said Mike Finlay, CEO of RiskBusiness. “However, while there is considerable discussion around the topic and even draft regulations in several jurisdictions, there has, until now, not been any classification structure available by which risk intelligence can be extracted from cyber incidents. Management cannot make decisions or authorise investment without a detailed understanding of the threat and how it manifests itself. A cyber incident report that states the firm suffered 87 incidents which cost a total of $150,000 is relatively meaningless. Our two new taxonomy libraries allow the firm to group cyber incidents either by consequence (disruptive incidents, such as Denial of Service attacks, worms or code injections; destructive incidents, such as logic bombs and advanced persistent threats; or reputational incidents, such as pharming) or by method of attack (self-perpetuating incidents, such as a virus; human actor incidents, such as hacking; or computer assisted incidents, such as a multistage attack). Now a firm can attribute each cyber incident to the specific incident type and can give management very specific information on frequency, duration and impact”.
For financial services firms operating under either Basel II/III or Solvency II, the use of classification taxonomies on risks and loss data is nothing new, but according to Finlay, currently available classification structures do not cover cyber incidents. “As firms start to collect cyber data both for internal management purposes and for regulatory reporting, and as other players, such as insurance companies offering cyber cover or trade associations seeking to benchmark data across their members, start to do the same, these new classification structures will become critical,” said Finlay.
Graeme McGowan, an independent cyber security specialist who is a member of the London Chamber of Commerce & Industry Defence & Security Committee and Cyber Working Group, welcomed the new classification structures, stating: “This initiative will help industry understand better the cyber threat landscape, which is expansive and growing daily. It will enable horizon scanning and identification of trends and developments in the cyber threat and information security space and, critically, accurate reporting of breaches, which can be complex. This will be critical with the General Data Protection Regulation (GDPR) coming into effect in all EU Member States on 25th May 2018. The law applies to every company that collects, processes or stores an EU citizen’s data, regardless of sector, size or geographical location; compliance is complex and preparation will require an exhaustive process. Compliance obligations are introduced for the first time and significant penalties will exist for non-compliance, including compensation and fines of up to 4% (uncapped) of group global turnover, and National Governments will be permitted to introduce criminal sanctions. GDPR is intended to force Boards and executives to deliver the highest possible privacy and data security services to Data Subjects. It is they who will be held to account in the event of non-compliance or data breach. Decision makers will be expected to have excellent knowledge of data protection law and practice and have sufficient seniority and influence with the Board. Governance tools (policy documents and other records) will be the first place regulators will turn for evidence of compliance”.
The two new cyber incident type classification libraries are now available to subscribers to the Taxonomy Service within RiskBusiness’ RiskIntelliSet™.