Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks (September 2016)
Good morning ladies and gentlemen.
I would like to start by thanking you all for coming out this morning to this breakfast event on Information Technology (IT) and cybersecurity risks and risk management in the financial sector. We would like to say that our meticulous planning and forward thinking allowed us to time our event to coincide with the week that holds International Data Privacy Day on 28th January, but that might have been more a question of luck. Regardless of how it was achieved, it is apt timing as it reinforces one of our key objectives of increasing awareness of data and IT system security.
1. Introduction
Firms are increasingly dependent on technology and firms, customers and markets are increasingly interconnected through technology. This brings new risks to the fore, such as IT and data security risks and intensifies existing ones. Just this month, the World Economic Forum published its 2017 Global Risks Report. Data fraud or theft and cyber-attacks ranked number five and six in their top ten global risks in terms of likelihood of occurrence.
Risks and opportunities around IT, fintech, cybersecurity, big data and data privacy are increasingly hot topics, both in the business and the regulatory world.
Cyber-attacks are an increasing and constantly evolving threat, presenting a major challenge to financial firms. Another challenge for some firms is addressing the complexities and risks of aging IT infrastructure while trying to be sufficiently agile to meet the growing consumer demand for digital service delivery. Firms are also facing a host of new regulation in the technology space. The new EU General Data Protection Regulation will increase regulatory requirements for firms but will also drive better solutions to maintain information security and data privacy, in a world where data is fast becoming the most valuable asset. In a similar vein, there is the forthcoming Network and Information Security Directive, which aims to strengthen cyber resilience in the providers of critical services to the economy.
IT is a core enabler for most if not all financial services provision today but it is also fast becoming a driver of the business strategy. Developments in technology will bring business opportunities but will increase the breadth and complexity of threats and vulnerabilities that firms must handle.
2. Central Bank Approach
For the Central Bank, the risks associated with the management of IT and cybersecurity are a key concern given their potential to have serious implications for the prudential soundness of firms, consumer protection and, more broadly, financial stability and the reputation of the Irish financial system.
So what have we been doing in the Central Bank in response to this? The Central Bank is requiring firms to take actions to better address IT related risks. While we have, for many years now, assessed operational risk within firms, we have over the recent period strengthened and sharpened our focus on IT and cybersecurity risk. This evolution has been manifested in a number of ways, including:
- Enhanced supervisory engagements on IT related risks through onsite inspection teams, thematic reviews, targeted and ongoing supervisory engagement on operational, governance and strategic risks;
- The enhancement of our IT onsite inspection capabilities;
- The publication of Cross Industry Guidance on IT and Cybersecurity Risks in September last year – a copy of which is in your conference packs;
- Seeking auditor assurance on the governance arrangements around cybercrime in place in some of our High Impact firms;
- On an ongoing basis, actively coordinating with relevant counterparts. For example, with the ECB/Single Supervisory Mechanism and the European Supervisory Authorities on the development of IT related policy. In the context of the forthcoming Network and Information Security Directive, we are also engaging with the Department of Communications;
- Enhanced communication in order to heighten industry awareness on these issues.
3. Key Messages on the Guidance
The findings from the aforementioned supervisory work indicate that, in general, firms have insufficient awareness, understanding and prioritisation of IT and cybersecurity risks. IT systems and controls are not sufficiently robust. Firms are not doing enough to minimise the potential impact of an IT failure or successful cyber-attack on their business.
The publication of the Guidance was a direct response to these findings. The Guidance is a clear statement of the standards and quality in this area that Central Bank supervisors will expect to see firms meeting.
We are demanding increased effectiveness in IT risk management and governance in order to strengthen the operational resilience of the financial sector to IT failures and cybersecurity incidents.
We regard it as key that Boards and Senior Management do materially better in relation to their oversight of and engagement in Information Technology aspects of their firms' business. They need to fully recognise their responsibilities in relation to IT related governance and risk management, placing these among their top priorities. There needs to be a greater sense of urgency at this level in addressing IT risks. Boards and Senior Management have a leading role in promoting an IT and security risk conscious culture within the firm. They must have a good understanding of how technology fits within their firm's business model and the key IT risks their firms face.
Information Sharing
In relation to cybersecurity specifically, there is no “one size fits all” approach, no silver bullet. Each firm must identify the threats, vulnerabilities and risks specific to the firm and put in place measures to prevent, detect and respond to security incidents. However, there is one area where firms share a common interest and can benefit from synergies from working together. This is in the sharing of information and intelligence on cyber threats and events, which is a crucial element to success in defending against cybercrime.
Although reputational concerns can cause firms to hesitate in sharing information on attacks, such information sharing is very important for financial firms, both to be aware of what is occurring in a timely manner and to learn from and defend against similar attacks. The Central Bank strongly encourages firms to participate in and leverage information sharing networks. We recognise that some firms are engaging with relevant forums in this regard; however, the uptake among Irish financial services firms needs to be broadened. This is something that we will be looking at further in the period ahead.
4. Concluding remarks
Moving on to today's event. This session is a natural follow-on from the publication of the Guidance, where we hope to stimulate an open and constructive discussion on the challenges firms are facing in addressing IT related risks. We hope that there will be a mutual sharing of good practices and some practical approaches that may be helpful in effectively managing and mitigating these risks.
I hope you find the discussion both interesting and useful and that you leave with some ideas for initiatives that will help you strengthen your firm's approach and resilience.