Cybersecurity: the Irish case

by Arminda Dervishaj


The Central Bank of Ireland’s (CBI) guidelines and impacts on Industry Players

Awareness of cybersecurity-related risks, and of the serious threats they pose to the functioning of global financial systems, has led the main European regulators to progressively formalise the good practices and conduct guidelines that regulated firms should consider and put in place in order to operate effectively and correctly in their target markets.

In that sense, the CBI, one of the first European supervisory authorities to do so, issued in 2016 the first cross-industry guidelines on the approach to cybersecurity risk management, to be treated as a leading component of governance across the whole organisation.

The innovative element that emerges from the work of the CBI is not only that it conditions IT management in the field of cybersecurity (a complex and constantly evolving subject, for which reference is made to specific legislation), but also that it outlines the responsibility of the Board of Management and Senior Management to treat cybersecurity risks as an integral part of corporate governance.

The CBI’s guidelines follow recent inspections of a number of firms and summarise the effect of the problems caused by cybersecurity incidents on organisations that are subject to its regulations. In the absence of a fixed framework, as cybersecurity lives in a constantly evolving situation, the CBI highlights what can be considered the best practices that organisations must adopt within their own governance, in the areas of corporate governance and risk management.

The CBI’s supervision leads to the conclusion that technological innovation, while achieving cost reduction and increasing efficiency, has greatly amplified the risks of loss, improper removal or unauthorised access to data. The consequences cannot be underestimated, both in the legal and reputational field and in terms of direct damage to customers, including the inability to provide a service following an IT attack (cyber attack). Given the seriousness of the possible damage, the CBI suggests managing risk in a robust and comprehensive way across all the elements involved: not only cybersecurity itself, but also business continuity and disaster recovery, alignment with business strategy, change management, and the management of Outsourced Service Providers (OSP), including any intra-group outsourcing arrangements.

The inspection work carried out by the CBI over the last few years has highlighted several areas between IT and Risk Management that are lacking in standards and best practices:

  • Weak alignment between the IT strategy and the Company’s overall business strategy, with the Company’s resources not sized according to its business ambitions
  • Lack of a holistic view and strategy, on the part of the Company, of the IT risks to the business, resulting in a failure to identify, monitor and mitigate these risks
  • Lack of knowledge at board level of cyber risks and of how to provide adequate oversight of the associated risks throughout the organisation
  • Poor IT risk assessment practice, which results in an outdated risk register and in risks being identified only ex post, when an incident occurs, rather than ex ante, as expected by the Regulator
  • Obsolete technology underpinning the Company’s main operations, with a consequently high commitment of resources, both human and financial, to managing the associated risks
  • Absence or inadequacy of a policy on the classification of Company data
  • Inadequate process for detecting unwanted external access to Company systems (Intrusion Detection Policy)
  • Poor governance of outsourcers and IT service providers, and inadequate due diligence, resulting in poor monitoring
  • Inadequate disaster recovery and business continuity plans


The importance of the above topics, and the need for awareness of them, was also underlined by the CBI at the Financial Summit held in Dublin from 2 to 4 October, where the deputy director of the CBI, E. Sibley, identified the following points as agenda priorities for banking regulatory oversight:

  • Control weaknesses against cyber threats, given their increasing frequency and volume
  • Inadequate governance of outsourcing arrangements, especially where third parties have access to data and a cyber attack on one party may compromise all parties
  • Data protection controls, especially across larger companies, where a patchwork of systems makes it harder to protect the data of customers and employees properly

From the organisational and governance weaknesses detected through its inspection activity, the CBI identifies the Board of Directors and Senior Management as the most effective place in which to address priorities, awareness and understanding of cybersecurity-related risks.

While the CBI identifies a first framework of actors and responsibilities for defining and managing cybersecurity-related risks, the maintenance and monitoring of cybersecurity incidents remain wholly the responsibility of the company, which acts in a regulatory environment without standards or vertical references (unlike more mature areas such as tax fraud, anti-money laundering or IT compliance, where the Regulator has already set out clear and verified guidelines). To date, the biggest challenge companies face regarding cybersecurity is the absence of standards and regulations updated in line with the pace and complexity of the topic.

© Copyright - Parva Consulting - designed and optimized by Luke Calber