As previously highlighted in an industry speech, the Central Bank of Ireland (the "Central Bank") has recently completed a thematic inspection on cybersecurity risk in the asset management sector. On 10 March 2020, the Central Bank issued an industry letter outlining key findings identified during the inspection process (the "Letter").
The Central Bank inspected four asset management firms with varying business models to determine the adequacy of their cybersecurity controls and cybersecurity risk management practices, and to identify good practices and common issues in order to raise industry standards.
The Central Bank comments in the Letter that many of the weaknesses highlighted in its 2016 Cybersecurity Guidance are still prevalent. It also states that boards and senior management are responsible for ensuring that cybersecurity is embedded in their firms, and indicates that this should be achieved through a mixture of awareness, building and enhancing resilience capabilities, and displaying adequate governance and oversight of the firms’ cybersecurity risk profiles.
The Letter sets out a range of key findings and, in each case, a summary of the measures in the relevant area that the Central Bank expects firms to take.
Among the key findings is a statement that a firm's senior management "should ensure that there is a well-defined and comprehensive IT and cybersecurity risk management framework in place that provides effective oversight of IT related risks and gives assurance to the Board regarding the management of these risks within the firm."
There is also a comment that firms "must give more consideration and support to identifying and managing the different threats they are exposed to, whilst recognising that the inherent risks of IT are continuously increasing."
The Letter is required to be brought to the attention of all board members and senior management before 30 April 2020.