Central Bank warns financial firms over cybersecurity risks

The Central Bank of Ireland has warned that regulated financial firms here are not implementing "sufficiently robust" IT systems and controls and must increase their resilience to technology failures to "minimise the potential impact on their business, reputations and the wider financial system".

In guidance published on Tuesday on IT and cyber security risks, the Central Bank said regulated firms should assume that they will be the subject of a “successful cyber-attack or business interruption”.

The regulator found that alignment between firms’ IT strategy and the overall business strategy was weak. “IT capabilities are not matched to the business ambitions,” it said.

The bank said firms were not taking a rounded view of IT risks across the business, which results in “poor identification, monitoring and mitigation of IT risks”.

‘Widespread weaknesses’

Gerry Cross, the Central Bank's director of policy and risk, told The Irish Times that the bank found "widespread weaknesses" during its inspections, which ranged from small brokers up to the large banks.

Mr Cross declined to comment on specific cases but said there was one instance of impersonation that involved the “extraction of funds”. He said consumers should be “alert” to potential cyber attacks and “take appropriate precautions”.

The regulator identified shortcomings in risk assessment and identification with many firms not maintaining comprehensive IT risk registers and risk identification being backward rather than forward looking.

It also found instances were older technology was supporting key business operations and required “significant resources and/or investment to manage associated risks”.

Other findings included non-existent or inadequate data classification frameworks and policies, staff not sufficiently trained on cybersecurity risks, and ineffective firewall management with weak IT security monitoring.

Deficiencies in governance of IT-related outsourcing included a lack of thorough due diligence on prospective service providers, “poorly documented/constructed outsourcing agreements and inadequate monitoring of service delivery”.

Plans

The regulator also found inadequate and untested disaster recovery and business continuity plans.

The Central Bank said there needs to be greater oversight by boards and senior management within firms.

It wants firms to develop and document a board-approved IT strategy that is aligned with the overall business strategy.

The Central Bank expects “sufficient resources” be allocated to execute its technology strategy, including an adequate IT budget, staff levels and relevant expertise.

Firms must also have in place a “well-defined, comprehensive and functioning IT risk management framework” that enhances the level of oversight and provides clarity to the board regarding the management of risk.

In addition, it wants boards to receive updates on key issues including major technology projects, IT priorities and significant incidents as well as regular reports on key risks.

And it wants the board and senior management to possess “sufficient knowledge” and understanding of the IT-related risks facing the firm and to take steps to ensure that these risks are “well understood and properly managed”.