Financial firms need to focus on improving resilience says Central Bank of Ireland

Published: Friday, 05 October 2018 08:16

The Central Bank of Ireland (Banc Ceannais na h√Čireann) has told financial firms that they need to improve their approach to resilience and to managing IT risks. In a speech entitled ‘The need for resilience in the face of disruption: Regulatory expectations in the digital world’ at the Financial Centres Summit in Dublin, Deputy Governor Ed Sibley spoke about the need for financial firms to build resilience into their systems to meet the challenges that technological innovation and competition pose. He outlined the Central Bank’s expectations in relation to the management of IT risk and the findings of its recent onsite work.

In his comments, Mr. Sibley warned about the risks of inadequate oversight of outsourcing and highlighted the importance of building resilience in the context of cybersecurity risks.

He noted that since 2015, the Central Bank has had a dedicated team of onsite inspectors, focused on analysing financial firms’ IT infrastructure, policies and governance. He stated:

“We have seen a lot of progress in the area of IT risk management and resilience, but there is huge amount of work still to be done.”

Mr. Sibley noted that almost three quarters of findings from on-site inspections relate to weaknesses in four key areas: IT risk management, IT security, IT outsourcing, and IT continuity management.

He raised concerns “about the many findings in our work that relate to the failings of boards and senior management to understand and appreciate the significance of the IT and operational risks their firms face.” He noted that “Senior management and boards of financial services firms need to own these critical risks and build resilience in their firms to be able to endure and survive operational or technology-related shocks.”

Mr. Sibley concluded by saying that, given the potential catastrophic consequences for firms and their customers, it should not take the regulator to have to tell firms what they need to do to build resilience. The size and nature of the risk should itself be enough.  

“While looking at the opportunities for the future, many firms also need to continue to invest to get the basics right. Significant improvements are required across the system to manage the incumbent and growing technology risks within it,” warned Mr. Sibley.