Central Bank of Ireland clarifies expectations of firms in relation to cyber risks
Deputy Governor, Prudential Regulation, Ed Sibley highlights the need for firms to build resilience and to be able to recover from technology-related risks.
Cybersecurity matters remain high on the agenda of financial regulators across the globe. This was highlighted earlier today in a speech delivered by Ed Sibley – Deputy Governor, Prudential Regulation, at the Central Bank of Ireland. Mr Sibley spoke about the need for financial firms to build resilience into their systems to meet the challenges that technological innovation and competition pose.
Mr Sibley reminded that, in 2016, the Central Bank issued the Cross Industry Guidance in respect of IT and Cybersecurity Risks, which outlined the minimum expectations of firms in relation to these risks. He stressed that much more needs to be done to meet these expectations.
“Cyber-security needs to become part of the culture of an organisation and an integral part of the organisation’s risk management, crisis management, and business continuity planning”, Mr Sibley said.
Senior management and boards of financial services firms need to control these critical risks and build resilience in their firms to be able to endure and survive operational or technology-related shocks, be they systems failures, change processes gone wrong, or a data breach.
The Central Bank has seen a lot of progress in the area of IT risk management and resilience, but there is huge amount of work still to be done. Almost three quarters of the central bank’s findings from on-site inspections relate to four key areas: IT risk management, IT security, IT outsourcing, and IT continuity management. Thus, firms can expect to see a continued focus by the Central Bank on these fundamentals and on firms’ resilience capabilities.
Mr Sibley noted that management of financial services providers has to assume responsibility with regard to the adequate tackling of cyber threats. According to him, the overall responsibility for resilience rests with the board and senior management. However, the central bank has found failings of boards and senior management to understand and appreciate the significance of the IT and operational risks their firms face.
“We have seen evidence of risks and messages being diluted as they are filtered up through the organisation such that they are so high-level once they get to senior levels that they lose their meaning or impact”, Mr Sibley said.
Mr Sibley said he expects boards to:
- understand how disruptions of key business services could impact their customers and their value chain;
- ensure operational and cyber resilience strategies are fit for purpose;
- and oversee risk tolerances and appetite metrics to track, measure and trigger a response to disruptive events.
In addition, he expects that boards ensure that their firms have the resilience to withstand future shocks, absorb the impacts of the shock and communicate effectively to stakeholders throughout, and to ultimately recover from the incident and use the learnings to further improve their future resilience.