Cyber risk in financial firms is a key concern – Central Bank Guidance

13 September 2016 Press Release
  • Risks associated with information technology and cybersecurity are a key concern for the Central Bank.
  • New Guidance incorporates key findings from supervisory work carried out since 2015. 
  • Firms must increase resilience to IT failures and cybersecurity incidents. 

The Central Bank has today issued guidance on IT risk management and cybersecurity for financial services firms. These are key concerns for the Central Bank given their potential impact on firms and their customers, and the risks for financial stability.

Information technology is now at the heart of the supply of financial services. The incidence of cyber-attack and business interruption is on the increase and firms should assume they will be successfully targeted. The security and resilience of IT systems, their governance and management must improve to reflect this reality.

The Central Bank expects Boards and Senior Management of regulated firms to fully recognise their responsibilities for these issues and to put them among their top priorities.

Firms must robustly address key issues such as alignment of IT and business strategy, outsourcing risk, change management, cybersecurity, incident response, disaster recovery and business continuity. Firms need to make sure that they understand these risks and that they are managed effectively. 

This guidance sets out the Central Bank's expectations of firms in this area. The Central Bank's supervisory engagement will reflect this guidance with firms assessed accordingly.

Director of Policy & Risk, Gerry Cross, said: “Developments in technology have fundamentally changed business processes and models in financial firms. These advancements have resulted in benefits for firms and their customers. However, they also bring significant risks as firms become increasingly interconnected and more reliant on complex IT systems, including outsourcing service providers.”

“The Central Bank is demanding increased effectiveness in this area. We are undertaking considerable work to require improved IT risk management and cyber resilience across regulated firms. This includes enhanced supervisory capabilities and increased focus on these risk areas.”

A short interview with Director of Policy & Risk Gerry Cross is also available on our YouTube channel.