Cybersecurity arrangements at Asset Management firms need to be improved - Central Bank

• Central Bank publishes findings from Inspection of cybersecurity risk management at Asset Management firms.
• The Inspection identified that some firms have made good progress in strengthening their cybersecurity risk.
• Inspection found that many weaknesses highlighted in the Central Bank’s 2016 Cross Industry Guidance on IT and cybersecurity risks are still prevalent three years later.

The Central Bank has today published the findings of a Thematic Inspection into the cybersecurity risk management practices in Asset Management firms. The purpose of the Inspection was to determine the adequacy of cybersecurity controls and cybersecurity risk management practices of the inspected firms and to identify good practices.

The on-site inspections included a point-in-time maturity assessment of key cybersecurity risk management practices in place across the selected firms.
The key findings of the inspection are:

• While some firms have made good progress in certain areas, many of the weaknesses highlighted in the Central Bank’s 2016 Cross Industry Guidance on IT and cybersecurity risks are still prevalent three years later. Consequently, concerns still exist for the Central Bank regarding the arrangements that are in place to adequately oversee all cybersecurity risks.
• Boards and Senior Management are not prioritising to a sufficient extent the need to have a strong culture of cybersecurity embedded throughout the organisation. 
• Deficiencies in IT asset inventories were identified, where the inventories did not capture the complete IT estate and / or classify assets by their business criticality.
• Cybersecurity incident response and recovery plans did not meet the Central Bank’s expectations, with many being in draft form, incomplete or not tested with an appropriate frequency.
• While all firms reported on cybersecurity risks, the quality and frequency of the reporting was variable. In general, risk indicators used were overly focused on qualitative indicators with insufficient utilisation of quantitative indicators.

Michael Hodson, Director of Asset Management and Investment Banking Supervision said:

“While the Inspection identified that some firms have made good progress in strengthening their resilience to a cyber-attack in certain areas, we are of the view that cybersecurity is a practice that remains underdeveloped in the Asset Management industry. Firms must give more consideration and support to identifying and managing the different threats they are exposed to, whilst recognising that the inherent risks of IT are continuously increasing.

“Firms must focus on increasing the maturity of their cybersecurity model by driving a process of continuous improvement.

“The Central Bank will be following up with individual firms to ensure that they are taking steps to enhance their cybersecurity resilience and to minimise the risk to themselves and to the wider industry from a cyber-attack. We expect all Asset Management firms to fully consider these findings and evaluate their own cybersecurity risk management practices to establish if any improvements are required.”

Notes

•  “Asset Management firms” is used to denote Investment Firms and Fund Service Provider Firms authorised by the Central Bank of Ireland.
• The Thematic Inspection examined (i) cybersecurity risk governance, (ii) cybersecurity risk management frameworks and (iii) certain technical controls for mitigating cybersecurity risk. The on-site inspections included a point-in-time maturity assessment of key cybersecurity risk management practices in place across the selected firms. 
• The Central Bank’s ‘Central Bank’s 2016 Cross Industry Guidance on IT and cybersecurity risks’ (2016 Cross Industry Guidance) highlights that “firms are expected to have adequate processes in place to effectively address cyber risk. While it is recognised that there is no one size fits all solution to addressing this risk, all firms should understand the strategic implications of cyber risk. The cyber risk management elements of the IT risk management framework, including associated policies and procedures, should not be viewed as static. Firms should review and update the framework regularly to reflect threat intelligence and changes in the internal and external operational environment”.