Cyber Security in the Financial Services Sector

There is an increased focus on the threat of cyber attacks in the financial services sector in Ireland. This is in part due to the escalating number of attacks on firms each year, and also due to the highly sensitive and valuable nature of the data that these firms hold.

We have put together this page as an evolving resource that will help to keep you up to date with the latest IT security insights from industry and best practice recommendations from the Central Bank.

Cyber Security: The Facts

  • $3.9B: the number of data records stolen since 2013
  • 1/3 of organisations have experienced a data breach in the past 12 months
  • 27% of companies said it affected their bottom line

Source: Gemalto Data Security Confidence Index


Top 10 Global Business Risks for 2016:

  1. Business Interruption
  2. Market Developments
  3. Cyber Incidents
  4. Natural Catastrophes
  5. Changes in Legislation/Regulation
  6. Macroeconomic Developments
  7. Reputational / Brand Damage
  8. Fire
  9. Political Risks
  10. Theft, Fraud and Corruption

Source: Allianz Risk Barometer: Top Business Risks Survey 2016

IT Security Checklist

The Central Bank expects that the following guidelines will be implemented in regulated firms. For firms that are not regulated, this still serves as a useful reference for assessing your own cyber security practices.

Board and Senior Management

  1. Firms develop and document a Board approved comprehensive IT strategy that is aligned with the overall business strategy. IT strategy objectives should include maintaining the capacity to effectively anticipate, detect and recover from cybersecurity attacks on the firm so as to ensure overall IT resilience.
  2. Sufficient resources are allocated to execute the business-aligned IT strategy, including an adequate IT budget, staff levels and relevant expertise. There is a plan in place to identify and address any resourcing and capability gaps that would obstruct the achievement of the wider strategic objectives, including those relating to the execution of change management on a present and forward-looking basis.
  3. Firms have in place a well-defined, comprehensive and functioning IT risk management framework that enhances the level of oversight and also provides clarity and gives assurance to the Board regarding the management of IT risk within the firm.
  4. The Board receives updates on key IT issues including major IT projects, IT priorities and significant IT incidents as well as regular reports on key IT risks. Where these reports deal with IT risks which fall outside the firm’s risk appetite, they should include plans to mitigate those risks.
  5. The Board as a whole and Senior Management possess sufficient knowledge and understanding of the IT related risks facing the firm and take steps to ensure that these risks are well understood and properly managed throughout the firm and can demonstrate this to supervisors.

IT Specific Governance

  1. Firms have a sufficiently robust IT governance structure in place to facilitate effective oversight of the management of IT risks, taking into consideration the nature, scale and complexity of the business operations of the firm.
  2. Documented policies, standards and procedures which address the identification, monitoring, mitigation and reporting of the firm’s IT related risks are in place. These should be regularly reviewed and updated to reflect changes in the internal IT operating environment and the external security environment.
  3. The roles and responsibilities in managing IT risks, including in emergency or crisis decision-making, are clearly defined, documented and communicated to relevant staff. One or more clearly defined roles, at a sufficiently senior position within the firm, are established with responsibility for IT and cybersecurity matters.
  4. Firms which are part of a larger multinational group ensure that group driven IT strategies and governance documents are appropriately tailored from a regulatory and operational perspective for the Irish firm.
  5. The governance structure provides for independent assurance on the effectiveness of the IT risk management, internal controls and governance processes within the firm.

IT Risk Management

  1. Firms develop, implement, maintain and communicate an appropriate IT Risk Management (“ITRM”) framework. The ITRM framework should:
    • facilitate a comprehensive view of the IT risks including a clear line of sight of the links and dependencies between people, business processes and the IT systems and assets that support those people and processes;
    • encompass risk identification, assessment and monitoring, the design and implementation of risk mitigation and recovery strategies and the testing of their effectiveness; and
    • set out staff and senior management responsibilities and accountabilities.
  2. Relevant best practices and internationally adopted frameworks for IT risk management are considered, and incorporated as appropriate, in the development of the ITRM framework.
  3. IT risk assessments are conducted at regular intervals. Assessments are comprehensive, consider internal and external sources of risk, and have appropriate parameters for evaluating and prioritising risk such as risk likelihood and potential impact on the business operations of the firm.
  4. The firm can demonstrate that it has assessed the risks associated with the continued maintenance of older (“legacy”) systems and that appropriate controls are implemented to effectively manage the risks associated with older IT infrastructure. Where legacy systems support critical business operations, firms have a strategy in place to deal with ageing infrastructure including assessing where additional investment is required or whether to transition to next generation capabilities over time.
  5. A thorough inventory of IT assets, classified by business criticality, is established and maintained. A process (Business Impact Analysis) is in place to regularly assess the business criticality of IT assets, even in cases where it may transpire that there are no IT business critical assets.
  6. An up-to-date list of identified IT risks (often referred to as the “IT risk register”) is developed and maintained, wherein the risks are prioritised and described in sufficient detail so as to be clearly understood by the firm, enabling their proactive management.
  7. Adequate management processes and plans for IT incident detection, notification and escalation are developed by firms. Appropriate recovery and resumption objectives are developed so that the firm is prepared for incidents and can reduce their impact when they occur, with priority given to the recovery and resumption of critical functions.
  8. The firm notifies the Central Bank when it becomes aware of an IT incident that could have a significant and adverse effect on the firm’s ability to provide adequate services to its customers, its reputation or financial condition.
  9. Processes are developed, implemented and maintained to ensure that data is appropriately classified and that critical or sensitive data is correctly identified and adequately safeguarded.
  10. The effectiveness of IT controls is subject to periodic independent review and, where warranted given the nature and scale of the firm, penetration testing is carried out. Such reviews are conducted by individuals with appropriate IT audit expertise and details of the key findings and associated implications are provided to the Board. Weaknesses identified in the control environment must be remediated in a timely manner.

IT Disaster Recovery and Business Continuity Planning

  1. Sufficient resources are provided to support effective DR and BC planning, testing and execution.
  2. Documented Business Impact Analysis with complete end-to-end reviews of business critical processes showing the impacted resources, business processes and their interdependencies is conducted.
  3. Firms consider a range of plausible event and disaster scenarios, including cybersecurity events in DR and BC planning.
  4. A documented DR plan is in place that enables the firm to recover from and resume services in the event of a disaster or emergency situation. The plan includes details of targeted recovery timeframes.
  5. A documented BC plan is in place that enables the firm to maintain IT and business operations and services in the event of a disruption. For critical systems and dependent services, firms should have a level of availability commensurate with the criticality of these services and ensure that 24/7 support capabilities are in place.
  6. Firms have a documented back-up strategy for critical data and conduct regular back-up and restore tests to verify the restore capabilities for critical systems.
  7. DR and BC plans are tested periodically, as appropriate for the firm. The level of testing, ranging from walkthrough to 24/7 operations, is commensurate with the firm’s dependency on IT or other critical infrastructure. Plans are also regularly reviewed (at least annually) and updated to reflect changes in the firm’s operating environment and to incorporate lessons learned from testing.
  8. The Board receives updates on the scenarios considered and the development and testing of DR and BC plans and understands what the objectives of these are in terms of maintaining availability of critical IT systems and business operations.

IT Change Management

  1. Firms have formal IT change management processes, including approval requirements, in place.
  2. Adequate processes are in place to effectively address operational risks associated with the upgrade or the development/acquisition and implementation of new systems and software. These processes should include sufficient testing and consideration of security requirements in all stages of system or product design, development and testing.
  3. IT project plans are documented. For major proposed changes to the IT infrastructure, a thorough prior risk and impact analysis is performed and documented and establishes whether it is within the firm’s risk appetite. The Board receives periodic updates on the progress including the risk status of major IT projects.

Cyber Security

  1. Cyber risk is managed within the context of overall IT risk management.
  2. Firms have a well-considered and documented strategy, reviewed and approved by the Board, in place to address cyber risk. Documented cybersecurity policies and procedures are maintained, monitored and enforced. Cybersecurity roles and responsibilities are clearly defined.
  3. Firms develop and implement security awareness training programmes to provide information on good IT security practices, common threat types and the firm’s policies and procedures regarding the appropriate use of applications, systems and networks.
  4. At a minimum, cyber risk management addresses:
    • the identification of threats, vulnerabilities and risks and quantification of exposure specific to the firm;
    • the prevention and detection of security events and incidents, including reducing the likelihood of occurrence and the potential impact when one does occur;
    • security incident handling; and
    • recovery planning for stabilisation and continuity of operations in the immediate aftermath of a security incident.
  5. Cyber risk assessments are performed on a regular basis and include identification of external and internal threats.
  6. Robust safeguards are in place to protect against cybersecurity events and incidents. Techniques and technologies that firms may consider include strong authentication, encryption, intrusion prevention and detection, advanced malware protection, strong access controls (including physical controls) and network segmentation.
  7. There are processes in place to classify data enabling the firm to identify sensitive, valuable and critical data that the firm stores, processes or transmits. Appropriate safeguards are implemented to ensure that it remains readily available to authorised users who need it.
  8. Firms implement strong controls over access to their IT systems, whether from inside or outside the firm. Users are granted only the level of access required to perform their responsibilities (“Principle of Least Privilege”).
  9. Adequate processes are in place to monitor information systems and assets and to detect security events and incidents in a timely manner, preferably using predictive indicators. This can be achieved by conducting penetration testing exercises undertaken by either the firm’s staff or trusted third parties.
  10. Firms have a documented cybersecurity incident response plan in place that provides a roadmap for the actions the firm will take during and after a security incident.
  11. The firm notifies the Central Bank when it becomes aware of a cybersecurity incident that could have a significant and adverse effect on the firm’s ability to provide adequate services to its customers, its reputation or financial condition.
  12. A documented recovery plan is in place to resume critical operations rapidly following a cybersecurity incident.
  13. Firms consider relevant good practices and internationally adopted frameworks for IT security risk management as may be appropriate for their firm.

IT Outsourcing

  1. A framework is in place with clear lines of responsibility for ongoing management, operational oversight, risk management and regular review of the firm’s OSPs.
  2. Thorough due diligence is conducted on prospective OSPs. Due diligence includes consideration of, inter alia, the OSP’s technical capabilities, performance track record and financial strength and viability. The due diligence also considers whether the OSP can meet the firm’s requirements in relation to service quality and reliability, security and business continuity in both normal and stressed circumstances. Firms satisfy themselves that the selected OSP has sufficient and robust controls in place in relation to its cybersecurity. These controls should be at least as strong as the controls utilised by the firm itself.
  3. The contract between the firm and its selected OSP includes a documented SLA or equivalent. The SLA:
    • clearly sets out the nature, quality and scope of the service to be delivered as well as the roles and responsibilities of the contracting parties;
    • includes requirements for service levels, availability, and reliability, including measurable performance metrics and remedies for performance shortfalls. Using the key provisions of the SLA, firms regularly monitor the service delivery performance to determine if the OSP is delivering to the required standards. Where performance shortfalls are identified, these are addressed with the OSP in a timely manner; and
    • includes provisions relating to system and information/data security, business continuity and disaster recovery, service scalability, assurance and service termination, where appropriate. In particular, where new storage services are utilised, such as cloud, contracts with cloud providers specify the location(s) where the firm’s data is stored, processed and managed, and the security measures required when transmitting and storing data.
  4. Firms develop and maintain an exit management strategy to reduce the risks of business disruption should key IT outsourced services be unexpectedly withdrawn by the OSP, or voluntarily terminated by the firm. Viable options for resuming the impacted service(s) should be identified which are proportionate to the nature, scale and complexity of the firm; for example, in the case of smaller firms where transaction volumes are modest, a plan to revert to manual systems (with appropriate controls implemented) for a short period may be appropriate. In particular, where new storage services are utilised, such as cloud, contingency plans are in place that allow for the cloud service to be transitioned to a backup facility, an alternative service provider or managed within the institution itself if necessary.
  5. Firms apply the same level of controls and oversight to intra-group IT outsourcing arrangements as to arrangements with external OSPs.
  6. Firms monitor for the development of potential concentration risks and take appropriate action if they are, or are likely to become, reliant on a small number of OSPs to provide critical IT services. A high reliance on a single, or small number of providers, exposes the firm to a greater scale of potential business disruption risk.
  7. The outsourcing policy includes a provision that any outsourcing arrangements entered into by the firm should not impede effective on-site or off-site supervision of the firm by the Central Bank. This should also be reflected in any specific contracts entered into by the firm.

Testimonials

We have never encountered a downside to dealing with Brandon. Anytime we do have a problem it is quickly and easily resolved. We feel that there are excellent communication channels in place which underlines Brandon’s top position in the IT consulting market. The company appointed an operations manager, an invaluable asset, to oversee the implementation and transition from start to finish which ensured a smooth process.
— David McAllister, Chief Technology Officer, Equinoxe Alternative Investments
IT Security Self-Assessment

Our interactive IT Security Self-Assessment is a short survey based directly on the guidelines issued by the Central Bank; completing it gives you a cyber security grade for your business.