The Central Bank of Ireland (the “Central Bank”) has published a guidance note on IT and Cybersecurity Risks which highlights the Central Bank’s increased focus on risks in this area. The guidance note stresses that responsibility for a firm’s IT and cybersecurity risk management does not rest solely with its IT department or a service provider: management now needs to recognise the importance of these risks and to understand them.
The risks associated with IT and cybersecurity are a key concern for the Central Bank and the guidance note highlights some of the inadequacies it found in IT risk management and cybersecurity across financial services firms following its review of this area during the course of 2015 and 2016. We have summarised some of the inadequate practices identified:
- Alignment between firms’ IT strategy and the overall business strategy is weak. IT capabilities are not matched to the business ambitions.
- Firms are not taking a holistic view of IT risks across the business, resulting in poor identification, monitoring and mitigation of IT risks.
- Shortcomings in IT risk assessment and identification, with many firms not maintaining comprehensive IT risk registers and with risk identification being backward-looking rather than forward-looking.
- Older technology supporting key business operations and requiring significant resources and/or investment to manage the associated risks.
- Staff are not sufficiently trained on cybersecurity risks.
- Inadequate and untested disaster recovery and business continuity plans.
- Non-existent or inadequate data classification frameworks and policies.
- Ineffective firewall management.
- Deficiencies in the governance of IT-related outsourcing, including a lack of thorough due diligence on prospective service providers, poorly documented or poorly constructed outsourcing agreements, and inadequate monitoring of service delivery.
The increasing regulatory focus on cybersecurity is not surprising given that cyber-attacks are one of the most pressing risks for businesses and can result in significant financial and reputational damage. Cyber-attacks have become increasingly common and more sophisticated, and businesses need to ensure they have appropriate practices and procedures in place to deal with them. The Central Bank’s guidance coincides with the increased government focus on cyber-attacks: in January, the Government published legislation to tackle cyber-attacks.