Cyber security continues to be a key concern for the Central Bank of Ireland (the "CBI") and Maples and Calder has in a previous update highlighted some of the issues for the funds industry. As part of its ongoing supervisory work (carried out since 2015) the CBI issued detailed new guidance on IT and cyber security risks in September 2016 (the "Guidance"). It incorporates the CBI's key findings and sets out over 50 recommendations regarding IT risk management and cyber security arrangements for financial services firms regulated by it ("Firms").
In September 2015, the CBI published its findings and best practice arising out of its Thematic Review – Cyber Security and Operational Risk, which it carried out across regulated Firms highlighting the need for proper control environments (including policies and procedures), risk management and board governance. The Guidance has now expanded and built on such previous regulatory advices.
The Guidance re-emphasises the importance of cyber security, noting that the CBI “is demanding increased effectiveness in this area. [The CBI is] undertaking considerable work to require improved IT risk management and cyber resilience across regulated Firms. This includes enhanced supervisory capabilities and increased focus on these risk areas." Cyber security should be among the top priorities for boards and senior management of regulated Firms.
The Guidance focuses on four areas: Governance; Risk Management; Cyber Security and Outsourcing. It highlights deficiencies/inadequate practices the CBI has encountered and sets out its expectations on good practices which regulated Firms should use in developing their policies and risk management frameworks in these areas.
The Guidance confirms that supervisory oversight of IT and cyber security will continue to be a primary focus for the CBI. IT and cyber risk management should be embedded in each Firm's business from the highest levels down and feature on each board's agenda on an ongoing basis.
Regarding cyber security specifically, the CBI expects that Firms should have dedicated documented policies and procedures in relation to cyber risk management which are subject to board approval and regular assessment and which clearly set out roles, responsibilities and training requirements.
Cyber risk management should address at a minimum:
(a) the identification of threats, vulnerabilities and risks and quantification of exposure specific to the Firm;
(b) the prevention and detection of security events and incidents, including reducing likelihood of occurrence and potential impact when it does;
(c) security incident handling; and
(d) recovery planning for stabilisation and continuity of operations in the immediate aftermath of a security incident.
A Firm should have robust safeguards in place (such as strong authentication/access controls, encryption, intrusion prevention and malware prevention).
The CBI expects a Firm to:
- Notify the CBI when it becomes aware of a cyber security/IT incident which adversely impacts that Firm's ability to provide services, its customers, reputation or financial condition.
- Have regard to the relevant industry best practice and international technical standards, particularly as the Guidance states such standards will inform and shape the CBI's supervisory and inspections approach to IT risk management.
Cyber security is an increasing commercial threat and remains high on the agenda for regulators. It is therefore crucial that robust systems and controls are put in place.
In an Irish investment funds context, the applicability of some of the measures in the Guidance will need to be assessed based on the relevant fund's operational structure and the extent to which it outsources various functions.
Fund boards should ensure that they manage the cyber security threat at an internal and external third party level and should consider the following measures in light of the Guidance:
- Have a cyber security policy in place that is monitored on an on-going basis and updated accordingly;
- Ensure IT risk/cyber security is a standing agenda point for each board meeting;
- Reassess the content of ongoing reporting from service providers, and consider escalation of incidents during reporting periods;
- Evaluate each service providers' systems and procedures regularly (at least annually); and
- Review offering documents to consider if new/additional risk factor disclosure is warranted.
In October 2016, the G7 also issued guidance, the "G7 Fundamental Elements of Cybersecurity for the Financial Sector". In this guidance, the G7 has set out "non-binding, high-level fundamental elements … designed for financial sector private and public entities to tailor to their specific operational and threat landscape, role in the sector, and legal and regulatory requirements". The European Commission actively contributed to developing these fundamental elements, and has welcomed their endorsement by the G7, noting they "represent a positive step towards a co-ordinated cyber security approach within the financial sector".