"The next big financial shock will arise from a succession of cyber-attacks on financial services firms."
That is the view of the Chairman of the International Organization of Securities Commissions (IOSCO), as cited by the Central Bank of Ireland's Deputy Governor, Cyril Roux, in a recent address to the Society of Actuaries.
It is no surprise, then, that cyber security is rapidly moving up the Central Bank of Ireland's supervisory agenda, nor that it is likely to remain there permanently. This year alone the Central Bank of Ireland (CBI) has taken action on cyber risk in the funds, insurance and banking sectors. We expect this regulatory scrutiny of cyber security to develop further in 2016, particularly in a Solvency II context.
Themed Review within the Funds Sector
In February, a cyber security themed review within the funds industry was announced. The review examined control environments and board oversight in relation to cyber security. Mid-way through its review, the CBI issued a "Dear CEO" communication highlighting the importance of ensuring that only authenticated client requests are actioned and that robust operational procedures, staff training and regular policy reviews are in place. At the end of the themed review last month, the CBI issued a further "Dear CEO" communication with a best practice guide and a cyber security self-assessment questionnaire.
Insurance Sector & Solvency II
The CBI's focus on cyber security is flowing into other financial services sectors, such as insurance. Earlier this year, the CBI highlighted cyber security as one of the significant risks that boards did not always consider in the Forward Looking Assessments of Own Risks (FLORs) submitted as part of the Solvency II preparatory phase. The CBI expects FLORs to describe appropriate mitigants for all material risks, even those that are non-quantifiable.
CBI's Cyber Security Best Practice Guide
In the current environment, all businesses within the financial services sectors should be cognizant of the CBI's cyber security best practice guide and self-assessment questionnaire. The following are highlights from the 17 best practice guidelines:
- Board Involvement with Top Down Governance Culture: The guidelines call for an ethos and culture of effective top down corporate governance that makes cyber security a firm-wide issue rather than solely an IT problem. Cyber security should be a standing board agenda item with clear reporting lines into the board. Boards are expected to understand the main risks well enough to challenge senior management effectively on the security strategy. Key to this is knowing what the firm's critical assets are, how they are shared, and what loss or damage a breach of them would cause.
- Board Approval of IT Policies, Procedures and Controls: Boards need to sign off on IT policies, procedures and technical controls. These policies, procedures and controls should include incident reporting and response plans with clear reporting lines, recovery and business continuity plans, patch management, and employee access rights. Where there are intra-group IT arrangements, there should be localised versions of the relevant policies.
- Training: Policies are, however, only as good as the people who implement them. Recognising this reality the CBI best practice guide recommends adequate security awareness training for all staff coupled with periodic testing of staff responses to cyber-attacks.
- Chief Information Officer: Where no Chief Information Officer is appointed, a board member (with appropriate training) must take responsibility for cyber security.
- Regular Assessments & Intrusion Tests: These need to be performed often enough to capture changes such as new systems, new product offerings or new security threats, and at least annually.
- Vendor Risk: Entering into a contract with a vendor does not release a regulated entity from its responsibilities. Cyber security due diligence on prospective and existing outsourced service providers will be required, and outsourcing agreements will need to incorporate cyber security and data protection provisions to further mitigate vendor risk.
- Successful Attacks: Firms need to prepare for successful attacks. Resilience should be built through distributed architecture and multiple defence lines.
- Reporting: The CBI recommends reporting both successful attacks and unsuccessful but substantial ones. This will require a new level of scrutiny of reporting obligations, particularly in assessing whether an unsuccessful attack meets the substantiality threshold for reporting.
- Information Sharing and Best Practices: Up to date industry standards ought to be applied to cyber security risk management frameworks and joining information sharing forums is recommended.
If your business is investigated by the CBI, or pursued following a security breach, it will be important to demonstrate that security (both physical and cyber) was woven into the fabric of the business and its staff. The CBI's best practice guide and self-assessment questionnaire provide a useful starting point for those assessing cyber risks and putting measures in place to address them, and especially for those preparing FLORs. The CBI is expected to publish an initial paper on cyber security risk in the coming months, and this will be another useful tool as businesses gear up to meet the challenges of cyber security.