In 2016 the Central Bank of Ireland, in its Cross Industry Guidance on IT and Cyber Security Risks stated:
“the Central Bank expects that the Boards and Senior Management of regulated firms recognise their responsibilities in relation to IT and cybersecurity governance and risk management and place these among their top priorities”
Since 2016 the digitisation of the financial services industry has accelerated and is predicted to continue on that growth trajectory. The IT perimeter has expanded with online, real-time customer journeys for both sales and service, and with greater use by businesses of cloud technologies delivered by third-party providers. At the same time, the bad actors in the cyber world have become ever more plentiful and ever more competent.
This combination of greater use of digital assets on the one hand and more sophisticated attack capabilities from dedicated attackers on the other makes for a very perilous situation.
It is imperative that all involved in the running of a financial services business are aware of the risks, are clear on their individual responsibilities, and are provided with the tools to safeguard the operations of the business. This includes the Board, the Senior Management, the Risk Management specialists, the IT specialists and all staff. This is not a matter for the IT function alone.
It is not reasonable to assume that all of these stakeholders can be experts in the complex world of IT security. This is where a comprehensive IT Governance and Risk Management Framework is so important. Such a framework should be owned by the Board and include:
- a) an IT strategy aligned to the business strategy;
- b) an organisation design capable of implementing the IT strategy;
- c) risk management processes designed to protect the digital assets; and
- d) structures and plans to deal with recovery of critical operations in the event of a significant incident.
I will develop each of these elements further in later posts.
March 2021

To discuss any of your Governance needs, call Governance Matters on +353 (0)87 6408750 or email your query to email@example.com