Further to our previous bulletin in May 2015, the Central Bank of Ireland ("Central Bank") has, on 23 September 2015, published the findings of its review of the management of cyber-security and related operational risks across investment firms, fund service providers and stockbrokers. The objective of the review was to examine the status of firms' control environments (including policies and procedures) for detecting and preventing cyber-security breaches, and to assess board oversight of cyber-security.
Relevance of Cyber-Security
While the review focused on the entity types highlighted above, it is also very relevant to investment funds, banks and insurance companies. Indeed, while cyber-security is a current theme for the Central Bank, it should, in any case, be a central focus for all firms. Weaknesses in this area expose a firm to significant risks, including breaches of data security and client confidentiality provisions, failure to make accurate reporting to clients or regulators, and fraudulent activity, thereby resulting in potentially serious financial and reputational damage to firms.
The Central Bank indicated that it is the board's responsibility to ensure that a firm is properly governed and that it has the necessary processes and systems in place to protect the firm and its assets against cyber risk. It stressed that effective corporate governance should be combined with appropriate IT and cyber-security risk management to protect against cyber-crime. At Appendix A, the Central Bank has issued a list of best practices that firms should consider with regard to cyber-security risk. It includes the following recommendations:
- the board should drive a culture of security and resilience throughout the firm;
- cyber-security should be a standing agenda item for discussion at board meetings;
- a clear reporting line to the board should be established for incidents; and
- firms should report any substantial attacks on, or successful breaches of, their systems to the Central Bank.
A questionnaire has also been issued by the Central Bank, which is attached at Appendix B. This is designed to assist firms when carrying out an evaluation of their cyber-security capabilities. The Central Bank has highlighted that, where there is non-compliance with relevant regulatory requirements, it will have regard to Appendix A when exercising its regulatory and enforcement powers.
What Action should Firms take?
We recommend that regulated entities carry out a risk assessment of cyber-security, using the Central Bank's Appendices as a framework. This review should consider what the firm itself does and what activities or services are provided by third parties which result in another entity holding information on systems on behalf of the firm.
Firms that carry out their own system-based regulated activities, such as MiFID firms, should focus on their own governance and IT infrastructure, while also considering any outsourced providers or vendors. By contrast, entities such as self-managed Investment Companies, which outsource their regulated functions to firms such as Administrators, Custodians or Investment Managers, would need to satisfy themselves that the cyber-security standards of the firms to which they delegate functions are robust, and that the potential impact on the entity is minimised should a cyber-attack occur at a service provider. This would necessitate incorporating cyber-security risk requirements into contracts and oversight models. In addition, contingency planning, for both the firm itself and its service providers/vendors, should be a key focus for firms.
In addition, firms relying on parent or group companies for their IT infrastructure are recommended to obtain formal board sign-off of their local policies, to ensure that those policies are appropriate for the Irish entity. Depending on the outcome of the risk assessment, firms should consider engaging an independent IT specialist to test the resilience of their systems on a regular basis.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.