On 13 September 2016, the Central Bank of Ireland (the CBI) published new guidance on IT risk management and cybersecurity for financial service firms. Publication of the Guidance follows the CBI’s previous actions in relation to cyber risks in the funds, insurance and banking sectors (see previous blog here). The CBI acknowledges that IT plays an integral part in the supply of financial services and calls on Boards and Senior Management of regulated firms to recognise the ever increasing incidences of cyber-attacks and business interruptions. It requests such firms to acknowledge their responsibilities in this regard and prioritise IT security. This responsibility involves establishing and maintaining a resilient IT strategy, while ensuring that it aligns with the firm’s general business strategy. It states that a robust oversight and engagement on IT matters at the Board and Senior Management level promotes an IT and security risk aware culture within the firm.

In assessing the quality of Board and Senior Management oversight of IT risks, the CBI has identified the main deficiencies in IT practices; namely inadequate correlation between the firm’s IT strategy and business strategy, insufficiently detailed IT strategies resulting in key elements being omitted and a general lack of information being reported to the Board. Other areas where issues were found included inadequate data classification frameworks, poorly constructed outsourcing agreements, lack of formal change management procedures and untested disaster recovery and business continuity plans. The report emphasised the need for firms to ensure that they understand these flaws in order to manage them efficiently in the future.

The Guidance states that the CBI intends to increase their supervisory oversight of IT and cybersecurity related risks in future engagements with firms. The CBI expects that alongside developing an effective Board approved IT strategy, it is necessary for sufficient resources to be allocated to its execution. This includes an adequate IT budget, staff levels and expertise. A plan should be implemented to identify any resourcing gaps within a firm which would inhibit the achievement of such strategic objectives.

The Director of Policy and Risk, Gerry Cross, explained the situation simply: The Central Bank is demanding increased effectiveness in this area.  We are undertaking considerable work to require improved IT risk management and cyber resilience across regulated firms. This includes enhanced supervisory capabilities and increased focus on these risk areas“.