Yesterday (13 September), the Central Bank issued through its Policy & Risk Directorate, a Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks.
The Directorate falls under the leadership of Gerry Cross. A short video about the Central Bank’s thinking on the topic was released in conjunction with the Guidance – see You Tube channel. While its great to see the Central Bank embrace the use of social media, it seems to have a long way to go to have this recognised - at the end of the day on 14 September there had been only 131 views of the video. That is quite remarkable given that the Central Bank regulates about 10,000 financial service providers and funds in Ireland and protects directly and indirectly a population of 4.8million.
The Central Bank’s concerns are being driven by the potential impact of inadequate cybersecurity controls on the firms themselves, their customers and the risks for financial stability.
Given that Information technology is now at the heart of the supply of financial services and that the incidence of cyber-attacks and business interruptions is on the increase, the Central Bank is saying that firms should assume that they will be successfully targeted. Its view is that the security and resilience of IT systems, their governance and management must improve to reflect this reality.
Summary of Central Bank inspection findings:
Expectations of the Regulator
The Central Bank expects that:
The Central Bank's supervisory engagement will reflect the new Guidance when it assess firms.
Director of Policy & Risk, Gerry Cross, said: “Developments in technology have fundamentally changed business processes and models in financial firms. These advancements have resulted in benefits for firms and their customers. However, they also bring significant risks as firms become increasingly interconnected and more reliant on complex IT systems, including outsourcing service providers.”
“The Central Bank is demanding increased effectiveness in this area. We are undertaking considerable work to require improved IT risk management and cyber resilience across regulated firms. This includes enhanced supervisory capabilities and increased focus on these risk areas."
So what’s in the Guidance?
Here’s the table of contents:
1. GOVERNANCE
3. CYBERSECURITY
4. OUTSOURCING OF IT SYSTEMS AND SERVICES
If you need to know more or wish to discuss, please contact Peter Oakes at [email protected] / +353872731434. Peter Oakes is a board director of regulated firms which too must implement this Guidance, he is a former Director of Enforcement at the Central Bank and works across cross-industry in financial services in London and Dublin.
The Directorate falls under the leadership of Gerry Cross. A short video about the Central Bank’s thinking on the topic was released in conjunction with the Guidance – see You Tube channel. While its great to see the Central Bank embrace the use of social media, it seems to have a long way to go to have this recognised - at the end of the day on 14 September there had been only 131 views of the video. That is quite remarkable given that the Central Bank regulates about 10,000 financial service providers and funds in Ireland and protects directly and indirectly a population of 4.8million.
The Central Bank’s concerns are being driven by the potential impact of inadequate cybersecurity controls on the firms themselves, their customers and the risks for financial stability.
Given that Information technology is now at the heart of the supply of financial services and that the incidence of cyber-attacks and business interruptions is on the increase, the Central Bank is saying that firms should assume that they will be successfully targeted. Its view is that the security and resilience of IT systems, their governance and management must improve to reflect this reality.
Summary of Central Bank inspection findings:
- Alignment between firms’ IT strategy and the overall business strategy is weak. IT capabilities are not matched to the business ambitions.
- Firms are not taking a holistic view of IT risks across the business, which results in poor identification, monitoring and mitigation of IT risks.
- Shortcomings in IT risk assessment and identification with many firms not maintaining comprehensive IT risk registers and risk identification being backward rather than forward looking.
- Older technology supporting key business operations and requiring significant resources and/or investment to manage associated risks.
- Non-existent or inadequate data classification frameworks and policies.
- Staff not sufficiently trained on cybersecurity risks.
- Ineffective firewall management/inadequate intrusion detection processes with weak IT security monitoring.
- Deficiencies in governance of IT related outsourcing including a lack of thorough due diligence on prospective service providers, poorly documented/constructed outsourcing agreements and inadequate monitoring of service delivery.
- Inadequate and untested disaster recovery and business continuity plans.
Expectations of the Regulator
The Central Bank expects that:
- Boards and Senior Management of regulated firms fully recognise their responsibilities for these issues and put them among their top priorities.
- Firms must robustly address key issues such as alignment of IT and business strategy, outsourcing risk, change management, cybersecurity, incident response, disaster recovery and business continuity.
- Firms make sure that they understand these risks and that they are managed effectively.
The Central Bank's supervisory engagement will reflect the new Guidance when it assess firms.
Director of Policy & Risk, Gerry Cross, said: “Developments in technology have fundamentally changed business processes and models in financial firms. These advancements have resulted in benefits for firms and their customers. However, they also bring significant risks as firms become increasingly interconnected and more reliant on complex IT systems, including outsourcing service providers.”
“The Central Bank is demanding increased effectiveness in this area. We are undertaking considerable work to require improved IT risk management and cyber resilience across regulated firms. This includes enhanced supervisory capabilities and increased focus on these risk areas."
So what’s in the Guidance?
Here’s the table of contents:
- Executive Summary
- Purpose
- Background
- Supervisory Issues Identified To Date.
- Next Steps.
1. GOVERNANCE
- Board of Directors and Senior Management Oversight of IT and Cybersecurity Risks
- IT Specific Governance.
- IT Risk Management Framework
- IT Disaster Recovery and Business Continuity Planning
- IT Change Management
3. CYBERSECURITY
4. OUTSOURCING OF IT SYSTEMS AND SERVICES
- Appendix 1: Glossary
- Appendix 2: Key International Guidance for Firms
If you need to know more or wish to discuss, please contact Peter Oakes at [email protected] / +353872731434. Peter Oakes is a board director of regulated firms which too must implement this Guidance, he is a former Director of Enforcement at the Central Bank and works across cross-industry in financial services in London and Dublin.