Course Agenda

Agenda

Day 1 - Wednesday 21st November

08:30

Registration and refreshments

09:00

Cyber risk in risk management

  • Discuss cyber risk concerns from course participants
  • Regulatory overview and supervisory focus
  • CMORG (Cross Market Operational Resilience Group)
  • Debate over definition
  • How can you develop risk appetite limits for cyber security risk?
  • Should you be aiming for accuracy rather than precision?
  • Challenges of cyber risk in the regulated world

10:30

Morning break

11:00

Creating a sound cyber risk programme

  • A matter of “when” not “if”
  • Know your weaknesses
  • Implement a three lines of defence (3LoD) approach
  • Cross functional teams
  • Instilling a culture of security & building cyber into core management processes
  • The importance of governing cyber risks
  • Stress testing cyber risk

12:30

Lunch

13:30

Qualitative approaches to cyber risk

  • Organisational challenges & governance structure
  • Checklists
  • Operational steps
  • Patch management
  • Crisis management
  • Audits
  • Model risk management of the approaches

15:00

Afternoon break

15:30

Modelling cyber risk

  • Can risk models accurately capture cyber risk?
  • How to apply stress testing and scenario analysis to cyber risk
  • Should you use the same cyber scenarios annually?
  • Best practice for combining cyber scenarios with macro scenarios
  • Model risk management of the approaches

17:00

End of day one

Day 2 - Thursday 22nd November

08:30

Refreshments

09:00

Relationship between cyber risk & human behaviour

  • Effectiveness of cyber security capabilities (people, process, technology)
  • The fact that 91% of data breaches are down to human behaviour vs. 9% to hacking / highly technical attacks
  • The fact that investing in People controls delivers the best ROI and the most effective risk mitigation
  • Exploring People controls – UBA, human sensors, human risk profiling
  • Practical steps / techniques for effecting behavioural change and building a risk-aware cyber security culture

Speaker: Flavius Plesu, Head of Information Security, Bank of Ireland

10:30

Morning break

11:00

Operational resilience

  • Current focus and regulatory scope; PRA, BoE, FCA
  • What leads to operational incidents?
  • Incident recovery – “impact tolerance”
  • WAR footing (withstand; absorb; recover)
  • Focusing on business services
  • Responsibility from board and senior management
  • Ensuring consistent communication during disruptions

12:30

Lunch

13:30

Third party vendor risk

  • Overview of vendor partnerships and associated risks
  • Selecting a vendor partner
  • Designing the technical and business process interface with the vendor
  • Integrating the vendor's risk management procedures and practices
  • Merits of conducting joint incident response exercises
  • Continuous management of the risk profile
  • Risk managing vendor sub-contracting (fourth party risk)

15:30

Monitoring future scope & business resilience

  • Regulatory scope; what is likely to change?
  • Vulnerabilities in IoT and vulnerability assessments
  • Pen testing and ethical hacking
  • Adapting infrastructure and systems to new technology
  • Embracing the digital ecosystem
  • Institutionalising resilience
  • Lessons learnt from other industries
  • The changing threat scope

17:00

End of Course