On 13 September 2016 the Central Bank of Ireland published Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks. The guidance reflects increased awareness of cybercrime and of the potential implications of information security breaches for regulated firms and their customers. Earlier this year the Department of Justice published the Criminal Justice (Offences Relating to Information Systems) Bill which will replace the current cybercrime law contained in numerous legislative acts. While the aim of this new legislation will be to address the consequences of cybersecurity breaches, the Central Bank’s guidance focuses on prevention.
The guidance emphasises the significance of IT related risks, observes that firms are failing to implement sufficiently robust and resilient systems and controls, and articulates the Central Bank’s expectation that the boards and senior management of regulated firms recognise and prioritise their responsibilities in respect of IT and cybersecurity governance and risk management.
The guidance gives examples of the most common or serious operational, governance and strategic risks faced by regulated firms, which were identified in 2015 and 2016 during the Central Bank’s supervisory work, and outlines its current thinking on good practices. The Central Bank’s guidance aims to heighten regulated firm’s awareness of information technology and cybersecurity risk. Boards and senior management are expected to engage fully in cybersecurity governance and risk management and numerous documents must be prepared and implemented in order to meet the regulator’s expectations.
The guidance underlines the importance of the role of the board of directors and Senior Management of regulated firms in “setting the right ‘tone from the top’”. In that respect, the Central Bank expects the development of Board approved IT strategies, allocation of adequate resources for their implementation, and the creation of effective communication and oversight channels within the firms. Boards and Senior Management must have the expertise necessary to understand and manage IT related risks. Firms are further expected to put in place IT governance structures tailored to the specific business and to regularly review and update policies, standards and procedures. Regulated firms are advised to have clearly defined roles and responsibilities in managing IT risks.
The guidance advises regulated firms to incorporate IT Risk Management (ITRM) frameworks into their overall operational risk management framework. Such ITRM frameworks should be based, if appropriate, on relevant best practices and internationally adopted frameworks for IT risk management. Inventories of IT assets and IT risk assessments are expected to be conducted regularly taking into account the risks arising out of the use of older systems. The Central Bank further requires that adequate management processes and plans for detection, notification and escalation of IT incidents, including notification to the Central Bank, are put into place.
The Central Bank recommends that all regulated firms operate under the assumption that they will suffer a successful cyber-attack or business interruption and should engage in IT disaster recovery and business continuity planning. Firms are expected to have documented Business Impact Analysis, Disaster Recovery Plan, Business Continuity Plan, and Back-Up Strategy for critical data, which should be tested periodically.
Given financial firms’ extended reliance on IT systems, the guidance expects IT change management processes to be in place in order to address operational risks related to the upgrade or development and implementation of software and systems. Any proposed major IT infrastructure changes are expected to undergo a documented prior risk and impact analysis.
The Central Bank recognises that cloud computing, IoT, big data, mobile devices, financial technology and other “technological trends” increase cyber vulnerability. Therefore, regulated firms are expected to create and implement a thorough and documented strategy, approved and reviewed by boards. Cybersecurity policies must be documented in order to be monitored and enforced by relevant staff, whose roles and responsibilities must be clearly defined and communicated. Firms are further expected to develop and implement security awareness training programmes.
Cyber risk assessments are expected to be performed regularly and safeguards put into place to prevent cybersecurity incidents and successful cyber-attacks. Data security safeguards must be proportionate to the value and importance of data. Controls over access to IT systems are expected to be equally strong regardless of whether data is accessed from outside or inside the firm. Monitoring systems must be implemented in order to detect security events and incidents.
Financial firms are expected to have a documented cybersecurity incident response plan and a documented recovery plan.
The guidance notes that outsourcing of IT services such as cloud services, website hosting and system development may increase the levels of risk to IT systems. Regulated firms are reminded that regardless of outsourcing, they remain responsible for the effective management of such risks. They are therefore expected to put in place a framework for ongoing management, operational oversight, risk management and regular review of their outsourcing service providers (“OSP”). Prospective OSPs should be subjected to thorough due diligence and contracts between financial firms and OSPs are expected to include a documented service-level agreement or equivalent. Further, intra-group IT outsourcing arrangements and arrangements with external OSPs are expected to receive equal levels of oversight. Contracts as well as the outsourcing policy are expected to guarantee that the supervision of the firm by the Central Bank will not be impeded.
The guidance is important for regulated firms as it will inform the Central Bank’s opinion on the quality of IT related governance and risk management, and, subsequently, its supervisory decisions on risk mitigation programmes. The Central Bank advises firms to take the guidance into consideration when developing their IT related governance and risk management frameworks.