Cyber risk in financial firms is a key concern – Central Bank Guidance
Yesterday (13 September), the Central Bank issued, through its Policy & Risk Directorate, Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks.
The Directorate falls under the leadership of Gerry Cross. A short video about the Central Bank’s thinking on the topic was released in conjunction with the Guidance – see the Central Bank's YouTube channel. While it's great to see the Central Bank embrace the use of social media, it seems to have a long way to go to have this recognised: at the end of the day on 14 September there had been only 131 views of the video. That is quite remarkable given that the Central Bank regulates about 10,000 financial service providers and funds in Ireland and protects directly and indirectly a population of 4.8 million.
The Central Bank’s concerns are being driven by the potential impact of inadequate cybersecurity controls on the firms themselves, their customers and the risks for financial stability.
Given that information technology is now at the heart of the supply of financial services, and that the incidence of cyber-attacks and business interruptions is on the increase, the Central Bank is saying that firms should assume that they will be successfully targeted. Its view is that the security and resilience of IT systems, and their governance and management, must improve to reflect this reality.
Expectations of the Regulator
The Central Bank expects that:
The Central Bank's supervisory engagement will reflect the new Guidance when it assesses firms.
Director of Policy & Risk, Gerry Cross, said: “Developments in technology have fundamentally changed business processes and models in financial firms. These advancements have resulted in benefits for firms and their customers. However, they also bring significant risks as firms become increasingly interconnected and more reliant on complex IT systems, including outsourcing service providers.”
“The Central Bank is demanding increased effectiveness in this area. We are undertaking considerable work to require improved IT risk management and cyber resilience across regulated firms. This includes enhanced supervisory capabilities and increased focus on these risk areas."
So what’s in the Guidance?
Here’s the table of contents:
2. RISK MANAGEMENT
4. OUTSOURCING OF IT SYSTEMS AND SERVICES