CRO Forum Concept Paper on a proposed categorisation methodology for cyber risk. Download the Report

05/07/2016 17:48

The continuing evolution of cyber risk 

The increasing concern around cyber risk continues to dominate discussions in nearly all forums across industries and public sectors. This takes the form of discussions around data protection, network and system security, digital innovation and disruption.


The CRO Forum looked into the issues around cyber resilience in the paper it published in 20141. In this paper, cyber risk was defined as the risk of doing business in the cyber environment. This paper builds on the 2014 paper to focus on how to address the challenges around the collection of data to support improved cyber resilience. 


The definition of cyber risk covers:

  • Any risks emanating from the use of electronic data and its transmission, including technology tools such as the internet and telecommunications networks.
  • physical damage that can be caused by cyber attacks.
  • fraud committed by misuse of data.
  • any liability arising from data use, storage and transfer, and
  • the availability, integrity and confidentiality of electronic information – be it related to individuals, companies or governments. 


The limited and fragmented data on cyber risk presents a significant challenge for all companies as they try to understand, mitigate and quantify cyber risks. A common language is needed that can help the different specialists communicate on cyber riskrelated incidents in a way that is understood internally, recognised externally and provides information to help understand the risks and lessons to be learned. 


In Europe, a few key events tend to be widely and repeatedly reported and utilised for awareness raising and benchmarking. This is partly due to the high level of sensitivity around cyber-incident reporting and partly due to confidentiality issues that can arise. Any methodology developed to gain more data on cyber incidents and risks needs to acknowledge and address this sensitivity and promote a culture of awareness around which cyber incident can be discussed. 


This paper proposes a methodology for a common cyber risk categorisation. The paper’s goal is to promote a common basis to help capture data on cyber incidents (incidents both leading to losses as well as near misses) and raise awareness and understanding of cyber exposures, accumulation and resilience. 


This methodology has been developed to be compatible with existing cyber incident reporting protocols developed by the IT and Risk Management communities to improve the understanding of cyber risk or to respond to notification demands for threat information from governments. It looks to bring together terminology, reporting practices and expertise from the spheres of IT, Information Security, Risk Management and Underwriting to provide a potential common language for collecting cyber risk data. 

Download the Report