The risks associated with information technology (“IT”) and cybersecurity are a key concern for the Central Bank given the potential serious implications for financial stability, consumer protection, prudential soundness and the reputation of the Irish financial system.
In particular, financial services firms (“Regulated Firms”) are becoming increasingly exposed to the risk of cyber-attacks. In recent years the Central Bank has sharpened its focus on IT-related risk. Over the course of 2015 and 2016, the Central Bank conducted a number of inspections to assess IT and cybersecurity related operational, governance and strategic risks in Regulated Firms.
Following the conclusion of this supervisory work, the Central Bank has recently published guidance which sets out the Central Bank’s current thinking as to good practices that Regulated Firms should use to inform the development of effective IT and cybersecurity governance and risk management frameworks (“Guidance”).
The Guidance also highlights a number of areas where IT and cybersecurity governance and risk management have fallen short of the expected standards. The findings are representative of those identified across all Regulated Firms reviewed:
- Alignment between Regulated Firms’ IT strategy and the overall business strategy is weak. IT capabilities are not matched to the business ambitions.
- Regulated Firms are not taking a holistic view of IT risks across the business, which results in poor identification, monitoring and mitigation of IT risks.
- Shortcomings in IT risk assessment and identification, with many Regulated Firms not maintaining comprehensive IT risk registers and with risk identification being backward- rather than forward-looking.
- Older technology supporting key business operations, requiring significant resources and/or investment to manage the associated risks.
- Non-existent or inadequate data classification frameworks and policies.
- Staff not sufficiently trained on cybersecurity risks.
- Ineffective firewall management, inadequate intrusion detection processes and weak IT security monitoring.
- Deficiencies in the governance of IT-related outsourcing, including a lack of thorough due diligence on prospective service providers, poorly documented or poorly constructed outsourcing agreements, and inadequate monitoring of service delivery.
- Inadequate and untested disaster recovery and business continuity plans.
The Guidance states that Regulated Firms must take robust and comprehensive measures when addressing key risk areas such as business strategy alignment, outsourcing, change management, cybersecurity, disaster recovery and business continuity.
The Central Bank expects Boards and Senior Management of Regulated Firms to fully recognise their responsibilities for these issues and place them among their top priorities.
Director of Policy & Risk at the Central Bank, Gerry Cross, said: “Developments in technology have fundamentally changed business processes and models in financial firms. These advancements have resulted in benefits for firms and their customers. However, they also bring significant risks as firms become increasingly interconnected and more reliant on complex IT systems, including outsourcing service providers.”
“The Central Bank is demanding increased effectiveness in this area. We are undertaking considerable work to require improved IT risk management and cyber resilience across regulated firms. This includes enhanced supervisory capabilities and increased focus on these risk areas.”
The Central Bank’s paper, “Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks” (September 2016), can be found here.