In September 2016 the Central Bank of Ireland (CBI) issued guidance in relation to IT and cybersecurity governance and risk management for regulated firms in Ireland. The guidance was based on supervisory work carried out by the CBI and contains some worrying insights from a Board of Directors' viewpoint.
The CBI reiterated that it expects the Boards and Senior Management of regulated firms to fully recognise their responsibilities in relation to IT and cybersecurity governance and risk management and place these among their top priorities.
Whilst the cybersecurity elements of this guidance have rightly received significant coverage, owing to the more public and newsworthy nature of issues such as hacking, ransomware and denial of service, the CBI's findings concerning general IT service management, IT outsourcing, IT governance and IT risk make for alarming reading. In essence, the CBI has found that:
IT outsourcing continues to rise, but inadequate due diligence is being carried out on prospective service providers, and service level agreements and contracts are not robust. Given the impact on the regulated firm and its customers of poor systems performance and/or systems failure, this is a significant omission. Furthermore, the CBI points out that service levels and performance are neither being well monitored nor reported to the Board. The guidance also refers to cloud services and contracts in this context.
The quality of IT service management and operations is a cause of concern to the CBI. The supervisory work identified issues in areas including incident management; IT change management; IT project management, planning and documentation; and disaster recovery/business continuity planning, and highlighted the expectation that best practices such as ITIL are incorporated. As with outsourcing above, the CBI notes that deficiencies in Board reporting exist in these areas.