CRO Forum Concept Paper on a proposed categorisation methodology for cyber risk


Return to list

This paper proposes a methodology for a common cyber risk categorisation. The paper’s goal is to promote a common basis to help capture data on cyber incidents (incidents both leading to losses as well as near misses) and raise awareness and understanding of cyber exposures, accumulation and resilience.
This methodology has been developed to be compatible with existing cyber incident reporting protocols developed by the IT and Risk Management communities to improve the understanding of cyber risk or to respond to notification demands for threat information from governments. It looks to bring together terminology, reporting practices and expertise from the spheres of IT, Information Security, Risk Management and Underwriting to provide a potential common language for collecting cyber risk data.
It incorporates the standards for operational risk management reporting used with ORX and ORIC and work and schema being developed to help the emergence of cyber insurance as an effective risk mitigation tool (eg RMS and AIR).
The proposed methodology should provide a common basis for evaluating cyber incidents and enable companies to build up a clear picture of cyber risks, helping them understand their cyber threat environment, from protection to exposure and from mitigation to resilience. It should also be calibrated with a threshold that provides insights on incidents that cause loss and near misses.
On this basis, the use of the standard terms within the methodology should provide information on incidents that can be subsequently analysed from a number of different perspectives. Success will depend on whether this methodology can be made to effectively record and describe cyber incidents in a way that creates a common language through cross-functional cooperation within organisations. As such, it is a proposal for engagement with CRO’s, CUO’s, COO’s, Information Security experts and IT specialists.
The aim of this paper is to stimulate a dialogue on the practicalities of a methodology for common cyber risk categorisation; the possibility of creating a common language around cyber risk; and whether the methodology can support the effective collection of useful data to support enhanced cyber risk management and improved cyber resilience. The methodology is a starting point for discussion and will evolve as we learn from the dialogue and experience.

The CRO Forum

This document is available in format Acrobat. Learn more :

Return to list

Top of page