On 22 September 2015 the Central Bank of Ireland published an industry letter following its review of the management of operational risks around cybersecurity across investment firms, fund service providers and stockbrokers. The objective of the review was to examine firms’ policies, procedures, oversight, access and testing of systems that firms use in order to detect and prevent cyber security breaches as well as board oversight of such controls.
The letter follows on from the Bank’s Dear CEO letter of July 2015 when it contacted firms directly to remind them of the need to have in place robust operational procedures to assist the firm in detecting and ultimately preventing fraud. Although the Dear CEO communication focused primarily on transfer agency services and potential fraud, it emphasised to fund boards the need for delegate oversight and the importance of specific reporting by delegates at board meetings on the policies and procedures in place to counter cyber attacks. The Bank reiterated that cybercrime is an increasing risk and all firms should, on an on-going basis, review their policies and procedures at all levels to ensure they remain fit for purpose to protect both the firm and their clients.
In its September letter, the Bank noted that in a number of firms, cybersecurity is deemed to be the sole responsibility of the IT department with limited involvement from other business areas or from the board itself. The Bank reiterated that it is the responsibility of each board to ensure that the firm is properly governed and has the necessary processes and procedures to protect the firm and its assets. The board should develop a culture of security and resilience throughout the firm to ensure that it has the necessary plans in place to deal with both internal and external cybersecurity breaches.
The Bank published examples of best practice that firms should consider. The Bank has indicated that it will have regard to these recommendations, when exercising its regulatory and enforcement powers. In addition, to assist boards when carrying out a self-assessment of its cybersecurity capabilities, the Bank published a questionnaire which asks, for example, what a firm presently considers to be its three most serious cyber-security risks, and why; and whether the firm has conducted a risk assessment to identify cybersecurity threats, vulnerabilities, and potential business consequences.
It is very important to note the Bank’s focus on the board’s responsibilities to make sure the firm has the necessary processes and systems in place. Boards should conduct a thorough review of existing cyber security practices and controls and establish whether they are sufficient to satisfy the Bank’s requirements.