Cyber risk in financial firms is a key concern – Central Bank Guidance

Yesterday (13 September), the Central Bank issued, through its Policy & Risk Directorate, a Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks.

The Directorate falls under the leadership of Gerry Cross. A short video about the Central Bank’s thinking on the topic was released in conjunction with the Guidance – see its YouTube channel. While it’s great to see the Central Bank embrace the use of social media, it seems to have a long way to go to have this recognised: at the end of the day on 14 September there had been only 131 views of the video. That is quite remarkable given that the Central Bank regulates about 10,000 financial service providers and funds in Ireland and protects, directly and indirectly, a population of 4.8 million.

The Central Bank’s concerns are being driven by the potential impact of inadequate cybersecurity controls on the firms themselves, their customers and the risks for financial stability.

Given that information technology is now at the heart of the supply of financial services, and that the incidence of cyber-attacks and business interruptions is on the increase, the Central Bank is saying that firms should assume that they will be successfully targeted. Its view is that the security and resilience of IT systems, and their governance and management, must improve to reflect this reality.

Expectations of the Regulator 

The Central Bank expects that:

  • Boards and Senior Management of regulated firms fully recognise their responsibilities for these issues and put them among their top priorities.
  • Firms robustly address key issues such as alignment of IT and business strategy, outsourcing risk, change management, cybersecurity, incident response, disaster recovery and business continuity.
  • Firms make sure that they understand these risks and that they are managed effectively.

The Central Bank's supervisory engagement will reflect the new Guidance when it assesses firms.

Director of Policy & Risk, Gerry Cross, said: “Developments in technology have fundamentally changed business processes and models in financial firms.  These advancements have resulted in benefits for firms and their customers.  However, they also bring significant risks as firms become increasingly interconnected and more reliant on complex IT systems, including outsourcing service providers.”  

“The Central Bank is demanding increased effectiveness in this area. We are undertaking considerable work to require improved IT risk management and cyber resilience across regulated firms. This includes enhanced supervisory capabilities and increased focus on these risk areas.”

So what’s in the Guidance?  

Here’s the table of contents:

  • Executive Summary
  • Purpose
  • Background
  • Supervisory Issues Identified To Date
  • Next Steps

1. GOVERNANCE

  • Board of Directors and Senior Management Oversight of IT and Cybersecurity Risks
  • IT Specific Governance

2. RISK MANAGEMENT 

  • IT Risk Management Framework
  • IT Disaster Recovery and Business Continuity Planning
  • IT Change Management

3. CYBERSECURITY

4. OUTSOURCING OF IT SYSTEMS AND SERVICES 

  • Appendix 1: Glossary 
  • Appendix 2: Key International Guidance for Firms

http://www.fintechireland.com/1/post/2016/09/cyber-risk-in-financial-firms-is-a-key-concern-central-bank-guidance.html