Cybersecurity: the Irish case
by Arminda Dervishaj
The Central Bank of Ireland’s (CBI) guidelines and impacts on Industry Players
Awareness of cybersecurity-related risks, and of the serious threats these risks pose to the functioning of global financial systems, has led the main European regulators to progressively formalize the good practices and conduct guidelines that regulated firms should consider and put in place in order to operate effectively and correctly in their target markets.
In that sense, the CBI, one of the first European supervisory regulators to do so, issued in 2016 the first cross-industry guidelines on the management of cybersecurity risks, which it treats as a leading component of governance across the whole organization.
The innovative element that emerges from the work of the CBI is not only that it conditions IT management in the field of cybersecurity (a complex and constantly evolving subject, for which reference is made to specific legislation), but also that it outlines the responsibility of the Board of Management and Senior Management to consider cybersecurity risks as an integral part of Corporate Governance.
The CBI’s guidelines follow recent inspections of a number of firms and summarise the effects of cybersecurity problems on organisations subject to its regulation. Since cybersecurity is a constantly evolving field and no settled factual framework exists, the CBI instead highlights what can be considered the best practices that organisations must adopt within their own governance, in the areas of Corporate Governance and Risk Management.
The CBI’s supervision leads to the conclusion that technological innovation, while achieving cost reduction and increasing efficiency, has greatly amplified the risks of loss, improper removal or unauthorized access of data, with consequences that cannot be underestimated, both in the legal and reputational field and in terms of direct damage to customers, including the inability to provide a service following an IT attack (cyber attack). Given the seriousness of the possible damage, the CBI suggests managing risk in a robust and comprehensive way across all the relevant elements: not only cybersecurity itself, but also Business Continuity and Disaster Recovery, alignment with business strategy, Change Management, and the management of Outsourced Service Providers (OSP), including any intra-group outsourcing arrangements.
The inspection work carried out by the CBI over the last few years has highlighted several areas between IT and Risk Management that are lacking in standards and best practices:
- Weak alignment between the IT strategy and the Company’s overall business strategy. The Company’s resources are not sized according to business ambitions
- Lack of a holistic view and strategy by the Company of IT risks on the business, resulting in a lack of identification, monitoring and mitigation of these risks
- Lack of knowledge at the board level of cyber-risks and how to adequately provide oversight of the associated risks throughout their organisations
- Poor IT risk assessment practice, resulting in an outdated risk register and in risks being identified only ex post, when an incident occurs, rather than ex ante as expected by the Regulator
- Obsolete technology underpinning the Company’s main operations, with a consequent high commitment of resources, both human and financial, to managing the associated risks
- Absence or inadequacy of a policy on the classification of Company data
- Inadequate processes for detecting unwanted external access to Company systems (Intrusion Detection Policy)
- Poor governance of outsourcers and IT service providers, and inadequate due diligence, resulting in poor monitoring
- Inadequate Disaster recovery and Business Continuity plan
The importance of the above topics, and the need for awareness of them, was also underlined by the CBI at the Financial Summit held in Dublin from 2 to 4 October, where the deputy director of the CBI, E. Sibley, identified the following points as agenda priorities for the regulatory oversight of banks:
- Control weaknesses against cyber threats, given their increasing frequency and volume
- Inadequate governance of outsourcing arrangements, especially where third parties have access to data, and how the risk of a cyber-attack may compromise all parties involved
- Data protection controls, especially across larger companies, where a patchwork of systems makes it harder to protect the data of customers and employees adequately
From the organizational and governance weaknesses detected through its inspection activity, the CBI identifies the Board of Directors and Senior Management as the most effective place in which to address priorities, awareness and understanding of cybersecurity-related risks.
While the CBI identifies a first framework of actors and responsibilities for defining and managing cybersecurity-related risks, the maintenance and monitoring of cybersecurity incidents remain wholly the responsibility of the company, which acts in a regulatory environment without standards and vertical references (unlike more mature areas such as tax fraud, anti-money laundering or IT compliance, where the Regulator has already set out clear and verified guidelines). To date, the biggest challenge companies face regarding cybersecurity is the absence of standards and of regulations updated to match the pace and complexity of the topic.