September 2016 - Information Technology And Cybersecurity
September 2016 - The Central Bank of Ireland has issued ‘Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks………’
The large number of well-publicised incidents of customer data being accessed through hacking has made IT risk management and cybersecurity a very real issue for financial services firms.
The Central Bank of Ireland has published guidance on the subject under the heading “Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks”. The Central Bank’s supervisory oversight of IT and cybersecurity related risks has been, and will continue to be, intensified through its engagements with regulated firms.
In the publication referenced above, the Central Bank sets out a summary of its findings to date:
- Alignment between firms’ IT strategy and the overall business strategy is weak. IT capabilities are not matched to the business ambitions.
- Firms are not taking a holistic view of IT risks across the business, which results in poor identification, monitoring and mitigation of IT risks.
- Shortcomings in IT risk assessment and identification, with many firms not maintaining comprehensive IT risk registers and risk identification being backward rather than forward looking.
- Older technology supporting key business operations and requiring significant resources and/or investment to manage associated risks.
- Non-existent or inadequate data classification frameworks and policies.
- Staff not sufficiently trained on cybersecurity risks.
- Ineffective firewall management/inadequate intrusion detection processes with weak IT security monitoring.
- Deficiencies in governance of IT related outsourcing including a lack of thorough due diligence on prospective service providers, poorly documented/constructed outsourcing agreements and inadequate monitoring of service delivery.
- Inadequate and untested disaster recovery and business continuity plans.
The guidance document is clear that ‘The Board of Directors and Senior Management are responsible for setting and overseeing the firm’s business strategy and risk appetite and should ensure that IT risk is considered in this context.
Boards must satisfy themselves that they have a sufficiently robust IT risk management framework and that they are providing the appropriate level of oversight and challenge.’