"The need for resilience in the face of disruption: Regulatory expectations in the digital world" Speech by Deputy Governor Ed Sibley

03 October 2018 Press Release
Central Bank of Ireland
  • Financial services firms must improve in getting the basics right in their IT infrastructures and governance
  • Senior management and boards of financial firms need to better demonstrate their understanding and oversight of these critical risks, and so build resilience in their firms
  • Firms that do not adequately invest will be left behind

Speaking at the Financial Centres Summit in Dublin Castle this morning, Deputy Governor, Prudential Regulation, Ed Sibley spoke about the need for financial firms to build resilience into their systems to meet the challenges that technological innovation and competition pose. He outlined the Central Bank’s expectations in relation to the management of IT risk and the findings of its onsite work.

In his comments, Deputy Governor Sibley discussed the opportunities and challenges of fintech, warned about the risks of inadequate oversight of outsourcing and highlighted the importance of building resilience in the context of cybersecurity risks.

He noted that since 2015, the Central Bank has had a dedicated team of onsite inspectors, focused on analysing financial firms’ IT infrastructure, policies and governance. He stated: “We have seen a lot of progress in the area of IT risk management and resilience, but there is a huge amount of work still to be done. Almost three quarters of our findings from on-site inspections relate to four key areas: IT risk management, IT security, IT outsourcing, and IT continuity management”.

He raised concerns “about the many findings in our work that relate to the failings of boards and senior management to understand and appreciate the significance of the IT and operational risks their firms face.” He noted that “Senior management and boards of financial services firms need to own these critical risks and build resilience in their firms to be able to endure and survive operational or technology-related shocks.”

He referenced a recent cross-sector survey on outsourcing conducted by the Central Bank, which identified issues across the life-cycle of outsourcing arrangements. He cited aspects of poor governance and controls around risk assessment, inadequate monitoring and reporting, and a lack of exit strategies or contingency plans.

He concluded by saying that, given the potentially catastrophic consequences for firms and their customers, it should not take the regulator to tell firms what they need to do to build resilience. The size and nature of the risk should itself be enough. “While looking at the opportunities for the future, many firms also need to continue to invest to get the basics right. Significant improvements are required across the system to manage the incumbent and growing technology risks within it.”