Wednesday, March 18, 2020
The Central Bank of Ireland (Central Bank) recently undertook a Thematic Inspection of Cybersecurity Risk Management (Thematic Inspection) in Investment Firms and Fund Service Providers (Asset Management Firms). The purpose of the inspection was to determine the adequacy of cybersecurity controls and cybersecurity risk management practices of the inspected firms and to identify good practices.
The Thematic Inspection examined (i) cybersecurity risk governance, (ii) cybersecurity risk management frameworks and (iii) certain technical controls for mitigating cybersecurity risk. The on-site inspections included a point-in-time maturity assessment of key cybersecurity risk management practices in place across the selected firms.
The risks associated with IT and cybersecurity are key concerns for the Central Bank. The Central Bank’s ‘Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks 2016’ (2016 Cross Industry Guidance) highlights that “firms are expected to have adequate processes in place to effectively address cyber risk. While it is recognised that there is no one size fits all solution to addressing this risk, all firms should understand the strategic implications of cyber risk. The cyber risk management elements of the IT risk management framework, including associated policies and procedures, should not be viewed as static. Firms should review and update the framework regularly to reflect threat intelligence and changes in the internal and external operational environment”.