The Central Bank has recently published new guidance for financial firms on IT risk management and cyber security. The Guidance applies to all regulated firms in Ireland and follows on from a Central Bank letter in September 2015 to investment firms, fund service providers and stock brokers in relation to cybersecurity.
The new guidance published by Central Bank of Ireland (the “Central Bank”) is entitled “Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks” (the “Guidance”).
The Guidance covers four main areas: IT governance by boards and senior management, IT risk management, cyber security and outsourcing.
Focus on IT & cybersecurity risks
IT and cybersecurity risks are a key concern for the Central Bank, given their potential to have serious implications for consumer protection, financial stability and the reputation of the Irish financial system. The Central Bank has stated that cybersecurity is a risk for all financial firms.
The Central Bank has stated that it expects that boards and senior management of regulated firms to place cybersecurity governance, IT security and IT risk management among their top priorities. The Guidance sets out that the IT and cybersecurity risk management of a firm does not rest solely with its IT department or a service provider and management now need to recognise the importance of these risks.
The Guidance highlights some of the inadequacies found by the Central Bank following its review of this area during the course of 2015 and 2016. Some of which include firms not sufficiently training staff on cybersecurity risks and firms not implementing sufficiently robust IT systems and controls.
Examples of good practice
The Guidance also sets out the Central Bank’s current thinking as to good practices that firms should use to inform the development of effective IT and cybersecurity governance and IT risk management frameworks. Accordingly, the Guidance states that firms’ IT risk management must be comprehensive and robust and address key risk areas such as business strategy alignment, outsourcing, change management, cybersecurity, disaster recovery and business continuity.
The Central Bank expects:
- that firms and their management teams understand IT risks as they relate to their own firm and that these are mitigated and managed effectively;
- that firms have a board-approved comprehensive IT strategy that is aligned with the overall business strategy;
- that sufficient resources are allocated to execute the IT strategy;
- that a well-defined comprehensive and effective IT risk management framework is in place; and
- ongoing IT-security risk training for all staff.
While the Guidance is not binding in its own right, it will form part of the overall supervision of regulated firms and the Central Bank has also stated that it intends to increase their supervisory oversight of IT and cybersecurity-related risks in future engagements with firms.
The Guidance is available here.