Cyber-security is the responsibility of the board of directors, not of the IT department, and boards that do not take this responsibility seriously could face Central Bank sanctions. This is the Central Bank's message to investment firms and fund service providers.
The message was conveyed in a recent letter to board members and senior management in investment firms and fund services.
It follows a Central Bank review of how investment firms, fund service providers and stockbrokers are managing cyber-security and related operational risks. The letter states that the onus is on firms to evaluate their own cyber-risk and to decide what systems and procedures need to be put in place to manage this risk. Attached to the letter is a checklist of what the Central Bank regards as best practice in managing cyber-risk and a self-assessment questionnaire.
Significantly, the letter warns that if a firm fails to comply with any relevant regulatory requirement, the Central Bank will have regard to the checklist and the questionnaire when exercising its regulatory and enforcement powers.
Board members and senior management should review the Central Bank's checklist and questionnaire carefully and take any action necessary to mitigate cyber-risk. Failure to do so could lead not only to a heightened risk of attack, but also to adverse attention from the Central Bank and possibly even the imposition of sanctions.
Our recent briefing on managing cyber-risk will help you with the first steps.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.