Further to our previous bulletin in May 2015, the Central Bank of Ireland ("Central Bank") published, on 23 September 2015, the findings of its review of the management of cyber-security and related operational risks across investment firms, fund service providers and stockbrokers. The objective of the review was to examine the status of firms' control environments (including policies and procedures) for detecting and preventing cyber-security breaches, and to assess board oversight of cyber-security.
Relevance of Cyber-Security
While the review focused on the entity types highlighted above, it is also very relevant to investment funds, banks and insurance companies. Indeed, while cyber-security is a current theme for the Central Bank, it should, in any case, be a central focus for all firms. Weaknesses in this area expose a firm to significant risks, including breaches of data security and client confidentiality provisions, failure to make accurate reporting to clients or regulators, and fraudulent activity, thereby resulting in potentially serious financial and reputational damage to firms.
The Central Bank indicated that it is the board's responsibility to ensure that a firm is properly governed and that it has the necessary processes and systems in place to protect the firm and its assets against cyber risk. It stressed that effective corporate governance should be combined with appropriate I.T. and cyber-security risk management to protect against cyber-crime. At Appendix A, the Central Bank has issued a list of best practices that firms should consider with regard to cyber-security risk. It includes the following recommendations:
- the board should drive a culture of security and resilience throughout the firm;
- cyber-security should be a standing agenda item for discussion at board meetings;
- a clear reporting line to the board should be established for incidents; and
- firms should report any substantial attacks on, or successful breaches of, their systems to the Central Bank.
The Central Bank has also issued a questionnaire, attached at Appendix B, designed to assist firms in evaluating their cyber-security capabilities. The Central Bank has highlighted that, where there is non-compliance with relevant regulatory...