Financial service providers (“FSPs”) are heavily reliant on IT systems and they may outsource several functions to third party service providers. However, FSPs’ reliance on IT brings with it increased cyber risk. Data may be accessed by an unauthorised person, lost, stolen or otherwise compromised. As a result, it is unsurprising that cyber risk is a top priority for the Central Bank of Ireland (“CBI”).
CBI Guidance on IT and Cybersecurity
In cross-industry guidance issued in September 2016 (the “Guidance”), the CBI published requirements for boards of FSPs in order to adequately manage their IT risks. These requirements are categorised under five priority areas:
- Risk Management
- Disaster Recovery
- Change Management
Failure to follow the Guidance can result in both supervisory and enforcement decisions against FSPs, such as a Risk Mitigation Procedure or an Administrative Sanctions Procedure.
The Guidance advises FSPs to have an incident management plan in place. The plan should be designed to minimise any potential impact on the consumer or on the FSP’s ability to provide services to customers following an IT incident. This plan should provide for disaster recovery, the resumption of critical business operations and timely customer communications. The requirements correlate with CBI settlement agreements entered into on foot of IT systems breaches involving a failure to properly communicate with customers or to take sufficient steps to mitigate the problem after an incident occurred.
From an enforcement perspective, having an effective IT incident management plan and implementing it could mitigate the seriousness of any breach and, ultimately, result in a lesser fine being imposed on an FSP by the CBI.
Through its on-site inspections of FSPs, the CBI has reported that it has seen a lack of understanding of IT and cyber risks. Consequently, boards and senior management must improve their understanding of these risks. The Guidance notes a mismatch between the operations of FSPs and the sophistication of their IT systems. It outlines the following failures:
- Older technology supporting critical aspects of the business, increasing the potential for error;
- Staff not receiving adequate training;
- Inadequate firewall management;
- Outsourcing failures, in particular failure to carry out sufficient due diligence on service providers and failure to document the outsourcing agreement properly and to monitor service delivery;
- Risk management being reactive rather than proactive, even in FSPs with reasonably good IT practices.
As regards ageing IT systems, FSPs must be capable of explaining why it is appropriate to retain them in their business. They must also be able to demonstrate that they have considered the risks inherent in these systems and whether any additional investment is needed.
The Guidance emphasises that the CBI’s supervisory and inspections approach is shaped by IT industry standards such as the IT Infrastructure Library and Control Objectives for IT. The CBI assesses FSPs’ cybersecurity systems against these industry benchmarks and it is vital that boards are aware of best practice.
On foot of the Guidance, the CBI expects FSPs to take action to properly and adequately develop, implement, maintain and communicate an appropriate IT Risk Management Framework. The Guidance recommends that a senior person in the FSP should have responsibility for the cybersecurity of the business. The IT strategy adopted by FSPs should ensure IT resilience, enabling them to maintain operations and to anticipate, detect and recover from cyber-attacks. The Guidance indicates that FSPs need to plan their IT budget and resourcing needs accordingly.
The “WannaCry” attack and the CBI’s increasing focus on IT risk highlight the need to have a board-approved approach to IT governance. It must include an IT Risk Management Framework and IT strategy with discrete policies tailored to the business, particularly when relying on a group IT strategy.
These steps must be taken to ensure a good regulatory outcome from any CBI on-site inspection and from any enforcement action taken by the CBI in respect of IT failures.