Address by Director of Policy and Risk, Gerry Cross, to ACOI Annual Conference

8 November 2016

IT and cyber security risks facing the Financial Services Sector

1. Introduction

Good morning ladies and gentlemen.

It is a pleasure to here once again at the ACOI Annual Conference. I welcome the opportunity to talk about IT and cybersecurity risks facing the Financial Services Sector. In my remarks, I will talk about the Central Bank’s supervisory experience and current expectations, as set out in our recently published Guidelines to the industry, in relation to these important risks which go to the heart of financial services today.

2. IT and cyber risk landscape: All change and no change

The theme of this conference is "All change or no change". While it is true that we can say, in respect of IT risk that it has been a facet of business life since the 1980’s when many industries including financial services became reliant on computing technology. And that cybersecurity risk has been present since computers became connected via the internet shortly afterwards. Nonetheless it is important to recognise that all financial firms, and their regulators, now operate in a context which is significantly different than what has gone before.

The difference is this: technology is no longer simply a business enabler. It has, with the gradual passage of time become intrinsic to the provision of financial services and the achievement of firms’ strategic objectives. It is essential that this change is recognised and placed at the centre of firms' planning and actions.

It was with mixed emotions that I learned recently that a frog placed in a container of water that is gradually heated does not in fact wait around while he or she is boiled alive. In fact, the frog will jump out at about 25 degrees. This of course is good news for the frog and for batrachians generally. But less so for those of us in search of a good metaphor. Nonetheless, metaphor or no metaphor, if firms fail to recognise the extent to which IT is no longer an enabler but rather is at the heart of what financial service providers do, then they are very unlikely to meet the standards of sound risk management that the Central Bank expects.

This dependence on information technology comes together with an increasing complexity of firms’ IT architecture. Today, the compromise of a single element of IT infrastructure can potentially lead to material business interruption, consumer detriment, reputational damage, and financial loss. This risk is increased with some firms’ continued reliance on older IT systems.

Financial services firms are operating in an increasingly interconnected, complex, and rapidly changing world. Long-term technological trends, such as cloud computing, the continued expansion in the use of mobile devices, big data, and the speed with which innovations give way one to the other. All of these give rise to great opportunity - both for consumers of financial services and for those who provide them. But also to significant risks.

And, as if all of that wasn't enough in itself, on top of it the scale and sophistication of cybercrime activities continue to broaden and evolve, posing a sustained and serious threat to financial firms.

3. Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks

The Central Bank’s overarching goal in this area is to ensure that the management of IT related risks by financial institutions is of sufficient quality and effectiveness that the objectives of the Central Bank in relation to soundness and stability, a well-functioning financial services sector, and consumer protection are achieved.

On the 13th of September, the Central Bank published Cross Industry Guidance in respect of IT and Cybersecurity Risks for all regulated firms. The Guidance articulates our current expectations in relation to the governance and management of IT and cyber related risks by firms. It sets out good practices in these areas. The guidelines are designed with proportionality in mind: they will have different implications for large complex firms than for smaller and simpler ones. They are a clear statement of the standards and quality in this area that Central Bank supervisors will expect to see firms meeting.

From the feedback we have received it seems that the Guidance is seen as being an important and valuable new feature of the landscape. It appears that firms and their management are finding that our setting out our expectations like this has provided useful clarity in this area and that it will allow firms to address the issue with increased confidence. I might mention here, given the audience, that we have also received similar feedback from people operating in the non-financial sector.

It is worth noting that the publication of this Guidance was also designed to operate as a catalyst for enhanced consideration and discussion of these and related issues. So we do welcome all feedback, and do wish to engage in ongoing dialogue with the industry as we all work to address the challenges posed by this constantly evolving area of risk.

Findings from our recent supervisory work indicate that, in general, financial firms have insufficient awareness, understanding and prioritisation of IT and cybersecurity risks. IT systems and controls are not sufficiently robust. Firms are not doing enough to minimise the potential impact of an IT failure on their business, reputations and the wider financial system. The risk of consumer detriment due to IT and cybersecurity incidents is a particular concern.

The Central Bank’s objective in issuing this Guidance is to drive the actions necessary to raise standards of governance and management of IT related risks across supervised sectors and to drive increased resilience of financial firms and the financial sector to disruption caused by IT failures or cybersecurity incidents.

It is important to mention of course, that Guidance from the Central Bank cannot encompass all risks and necessary actions for all regulated firms. It is management’s responsibility to understand the specific IT related risks that the firm faces and to ensure that these are sufficiently mitigated in line with the firm’s risk appetite.

Let me now speak briefly on each of the main areas covered in the Guidance, outlining some of the key findings and our associated expectations.

4. Governance of IT related risks - strategic alignment

Success in today’s challenging business environment requires a strong understanding of that environment and its related risks as well as an ability to develop, adapt and implement an effective business strategy that is aligned throughout the organisation.

For the vast majority of financial firms, IT is a core enabler of the business. There is a rebuttable presumption that most, if not all, of the critical business functions in financial services firms today are supported by IT. However, our findings suggest that firms very often view IT as an expense to be managed rather than as a business enabler or a driver of future growth. This mind-set has contributed to a lack of strategic alignment between the business and IT strategies, increasing the risk that the firm’s strategic objectives will not be achieved. The IT strategy needs to be informed by and aligned with the overall business strategy so that it can deliver on objectives to support the current and future strategic direction of the firm. This alignment will enable firms to make better investment and resourcing decisions with regard to IT.

We regard it as key that Boards and Senior Management do materially better in relation to their oversight of and engagement in Information Technology aspects of their firms' business. They need to fully recognise their responsibilities in relation to IT related governance and risk management, placing these among their top priorities.

We have seen a lot the type of thinking and approach which starts from the idea that "IT, that is the realm of the CIO and / or the IT Division; it is too technical for me as a Director to say or do much about." This will not do. It is essential that IT strategy and key IT risks are properly understood by the Board and Senior management and that they engage in these to provide appropriate direction and oversight in the same way as they do for any other core facet of the business.

This will involve a combination of enhancing the overall level of knowledge and understanding of board members and senior management; ensuring that the Board as a whole has an appropriate skill set and range of expertise; and good translation of technical concepts into language and propositions that can be effectively understood and determined by board members and senior management.

Boards and Senior Management have a leading role in promoting an IT and security risk conscious culture within the firm. They must have a good understanding of how technology fits within their firm’s business model and the key IT risks their firms faces. We expect the Board to approve the business aligned IT strategy and crucially, to ensure that sufficient resources are provided to achieve the IT strategy. IT investment has been under resourced in many firms in recent years due to the recession, although this is beginning to be addressed in some firms.

5. Risk Management - comprehensive and effective

Firms must have full visibility of their IT systems and information assets in order to design and implement an effective risk and control framework. As a general observation, we are finding that firms are not taking an overall view of all of the parts of their IT network. They are not performing complete end-to-end reviews to identify all of the risks and weaknesses on their networks.

There should be a well-defined, comprehensive and effective IT risk management framework embedded within the firm. It should encompass identification, assessment and monitoring of IT risks as well as the design and implementation of risk mitigation strategies and the testing of their effectiveness. Our findings to-date indicates that risk assessment and identification processes are insufficiently robust. Firms are not performing IT risk assessments on a regular basis and even where they do, they are often incident driven and lacking in the forward-looking assessments of new or emerging risks that the Central Bank would expect to see.

More specifically:

• We have identified weaknesses in the maintenance of IT risk registers. Some firms did not maintain IT risk registers, and where they did they were not comprehensive, kept up to date or prioritised.
• Data is not being recognised or properly protected as a valuable asset. Many firms do not have adequate data classification frameworks or policies in place that enable the identification of critical or sensitive data so that it may be appropriately safeguarded.
  Incident response capabilities vary greatly between firms. In some cases, firms don’t have credible business continuity plans in place to maintain critical functions in the event of an IT disruption. We have also observed that even the better quality business continuity planning often did not include consideration of cybersecurity incident scenarios.
• Some financial services sectors continue to use older technology architectures (“legacy systems”) to support critical business processes. There are potential risks associated with legacy systems which need to be managed by the firm. For example, when such systems are no longer supported by the initial vendor, the firm’s ability to ensure system availability and business continuity can be compromised. Firms must be able to demonstrate to the Central Bank that they have assessed the risks associated with the continued maintenance of older systems and that appropriate controls are implemented to effectively manage the associated risks. Where such systems support critical business operations, firms should have a strategy in place to deal with ageing infrastructure including assessing where additional investment is required and whether to transition to next generation capabilities over time.

6. Cybersecurity – the cultivation of a security conscious organisational culture

Financial services providers’ vulnerability to cybersecurity risk has grown, both as a result of their growing dependence on complex IT systems and because of the increase in cybercrime activity. Attacks are becoming more sophisticated, more targeted and progressively more difficult to detect, with the financial sector one of the most highly targeted. Cybersecurity risks (data theft and fraud), are now considered to be one of the top ten world-wide risks, according to the World Economic Forum Global Risks Report 2016 (link). There is also evidence that as larger firms have become better defended cybercriminals are moving down the business food chain and targeting small and medium sized firms.

The client assets and customer personal data that regulated firms hold are prime targets for cybercrime. Deputy Governor Cyril Roux spoke on the topic of cyber risk in detail last year and, to draw from his remarks – cyber risk is now a permanent feature of business and regulatory life. While supervisors have an important role to play in fostering robust oversight of cybersecurity risks, the onus is on firms to manage these risks.

Cybersecurity risk is not simply an IT problem or a process problem; it is also a people problem. People are “often the most vulnerable and unpredictable part of a firm’s tech infrastructure”.¹  The human factor is often considered the biggest risk by security professionals.

Firms should address the “human factor” by promoting a culture of security awareness throughout the firm. Security awareness training should be provided on a regular basis so that staff knows how to recognise and safely handle potentially suspicious activity (such as phishing emails) and understands their security responsibilities. In a poor security aware environment, staff becomes a weak link in the security chain.

Our supervisory findings indicate that firms are not sufficiently prioritising cyber risk and are not adequately considering its potential implications. We have identified a number of inadequate practices including failure to develop or properly implement a plan to address the specifics of cyber risk, cyber risk assessments not being performed on a regular basis, weak security monitoring, sensitive data not encrypted and insecure protocols used for data transmission.

While it is recognised that there is no ‘one size fits all’ solution to addressing this risk, all firms should understand the strategic implications of cyber risk. Cyber risk should be managed within the context of overall IT risk management. Firms must have a well-considered and documented strategy in place to address cyber risk. This should enable the effective identification of threats, vulnerabilities and risks and support the prevention and detection of security incidents. It should also facilitate well-developed security incident handling capabilities and recovery planning for the stabilisation and continuity of operations in the immediate aftermath of a security incident.

The Central Bank encourages firms to participate in cybersecurity information sharing networks. These can provide valuable intelligence on current threats, attacks and vulnerabilities which will support effective security risk identification and mitigation. I will say a bit more about this in a moment.

7. Outsourcing of IT systems and services

Many sectors in the international and domestic financial services industry outsource key aspects of their business including services related to IT. There is an increasing trend in this regard. Outsourcing however, does not reduce the inherent risks associated with IT or the business lines that are using it. Though it can be a part of the approach to managing those risks, if done to the proper standards, it also introduces a new set of risks. Importantly, in the eyes of the Central Bank, outsourcing in no way reduces the responsibility of the firm for the effective management of IT risks.

Supervisors have identified weaknesses across the spectrum of IT outsourcing management. These include low quality due diligence performed in the selection of outsourcing providers, poorly constructed outsourcing agreements, and inadequate monitoring of providers’ service performance. Also noted was inadequate control of chain-outsourcing (“fourth party risk”) and a failure to understand the legal complexities relating to outsourcing to cloud computing services in respect of data and records. We have also noted that, generally speaking, there is often undue reliance by subsidiary firms on Group IT systems and services, with limited in-house IT expertise locally.

The capabilities and the service offering of the prospective outsourcing service provider must be clearly understood by the firm. Poor due diligence in this regard can result in a firm receiving a lower level, breadth or quality of service than it requires to maintain operations. Further, inadequate monitoring of service delivery performance can result in sub-optimal service delivery going undetected. The Central Bank's ability to supervise and inspect all relevant risks and their management must not be impaired.

Firms are required to document outsourcing agreements. What we have frequently observed is that these are light on key provisions, for example, regarding service availability, performance requirements and security provisions. This has resulted, for example, in situations where no formal out-of-hours support is available for outsourced and business critical IT services.

The decision to outsource critical IT services is a strategic one and requires full consideration of associated risks. Firms need to have a good understanding of the process flows for their critical operations and where the potential failure points lie in that flow. Firms should understand if any of those potential failure points are outsourced and what role the outsourcing provider might play in a failure. In this context, it is important that the firm satisfies itself that its service provider has adequate business continuity and disaster recovery arrangements in place.

The Central Bank will be paying closer supervisory attention to the risks associated with outsourcing, including IT outsourcing, in the coming months.

8. Looking ahead

The Central Bank has sharpened its focus on IT related risks in supervised firms during 2015 and 2016. Our supervisors have carried out a range of inspections and reviews to assess in particular, the operational, governance and strategic risks related to cybersecurity and IT in firms. To support this work we have recruited supervisory IT risk specialists to develop our expertise in this area and established a new Operational risk policy team. The Central Bank will continue to drive firms to take actions to better address IT related risks. Our supervisory oversight will continue to intensify in future engagements with firms and will be informed by the issues raised and good practices outlined in the Guidance. Supervisors will discuss with firms their progress in understanding and addressing these issues.

The Central Bank believes that co-operation and co-ordination with external stakeholders is important to achieving our objectives in this area. Central Bank representatives contribute on an ongoing basis to European regulatory work-streams on IT related risks, in particular within the European Central Bank/the Single Supervisory Mechanism and European Supervisory Authorities. We are also engaging with the Department of Communications, Climate Action and the Environment in their work to prepare for the implementation of the EU Network and Information Security Directive (“NISD”).²

There are a number of features of the landscape that we would expect to see develop in the coming period. We expect firms to develop a better understanding of the cyber threat environment and use threat information to inform their cybersecurity and risk management practices. Cyber risk and cyber threat have important differences from other areas of the risk landscape. These differences derive from a number of features. These include the fact that they are embedded in a field of technical complexity, but are often combined with old-fashioned but highly developed "con" aspects; the rapid development that is a hallmark of the landscape; the potential for significant profits for perpetrators leading to high-levels of determination and persistence on their part; and a wide range of potential entry points; to mention but a few.

It is our view that the different nature of this threat landscape calls for a different type of response by those exposed to it. One tool which firms should strongly consider in this regard is active participation in cybersecurity information sharing networks. It is noted that some firms are engaging with relevant forums in this regards, however the uptake among Irish financial services firms needs to be broadened. One of the obstacles is a reluctance amongst financial firms to share information as to incidents they have experienced because of a fear of appearing vulnerable or less than effective in securing their systems. Another is the fear of disclosing sensitive personal or business information. These are of course understandable concerns. In other jurisdictions good progress has been made in overcoming them. We should seek to emulate this here. The Central Bank plans to engage with the sector over the coming period in this regard.

The need to examine how firms define resilience and the quality and effectiveness of the plans which are in place to cope with risks to individual firms as well as potential systemic risks – this is also likely to become a focus of supervisory attention over the coming months.

The Central Bank will continue to engage in open dialogue with firms and industry stakeholders in order to inform future policy development in this area. Our thinking will continue to evolve as our knowledge of these areas deepens through supervisory engagement and policy formulation. We will continue to develop our approach in line with existing and proposed European guidelines.

9. Concluding remarks

Information technology has fundamentally changed business processes and models in financial firms. These advancements have resulted in benefits for firms and their customers. However, they also bring significant risks as firms become increasingly interconnected and more reliant on complex IT systems, including outsourcing service providers.

The Central Bank is demanding increased effectiveness in this area. We are undertaking considerable work to drive improved IT risk management and cyber resilience across regulated firms. This includes enhanced supervisory capabilities, increased focus and ongoing policy development around these risk areas.

If I could leave you, as the community of compliance officers in Ireland, with one final thought it would be this question. Is your firm, in its governance and risk management practices, aligned with the Central Bank’s recently published guidelines?

Thank you for your attention this morning.

-------------------------------------------------

Thanks to Vivienne Nolan for her significant contribution to this speech.

--------------------------------------------------------------------------------

¹IOSCO & WFE Joint Staff Working Paper ‘Cybercrime, securities markets and systemic risk’, July 2013 

²NISD is primarily focused on protecting the critical infrastructure of member states from cyber-attack, as well as requiring organisations that are identified as providing ‘essential services’ to implement robust network and information security standards and report significant cyber incidents that occur.