In September 2016 the Central Bank of Ireland (CBI) issued guidance in relation to IT and cybersecurity governance and risk management for regulated firms in Ireland. This guidance was based on supervisory work carried out by the CBI and contains some worrying insights from a Board of Directors viewpoint.
The CBI reiterated that it expects the Boards and Senior Management of regulated firms to fully recognise their responsibilities in relation to IT and cybersecurity governance and risk management and place these among their top priorities.
Whilst the cybersecurity elements of this guidance have rightly received significant coverage due to the more public and newsworthy nature of issues such as hacking, ransomware, denial of service etc., the CBI’s findings concerning general IT service management, IT outsourcing, IT governance and IT risk make for alarming reading. In essence, the CBI has found that:
IT Outsourcing continues to rise, but inadequate due diligence is being carried out on prospective service providers, and service level agreements and contracts are not robust. Given the impact on the regulated firm and its customers of poor systems performance and/or systems failure, this is a significant omission. Furthermore, the CBI points out that service levels and performance are neither well monitored nor reported to the Board. The guidance also refers to Cloud services and contracts in this context.
The quality of IT Service Management and Operations is a cause of concern to the CBI. The supervisory work identified issues in areas including Incident Management, IT Change Management, IT Project Management, Planning & Documentation, and Disaster Recovery/Business Continuity Planning, and highlighted the expectation that best practices such as ITIL are incorporated. As with outsourcing above, the CBI notes that deficiencies in board reporting exist in these areas.
The IT Applications that firms rely upon to provide or underpin service to customers also drew cautionary commentary from the CBI. In particular, the major risks concerning legacy systems were highlighted. Such risks include an increased likelihood of system failure, difficulty in maintaining outdated technology and sourcing appropriate skill sets to develop and support legacy systems. Furthermore, the guidance notes the difficulty in obtaining timely and accurate management information from legacy systems due to complexities caused by older designs and configurations. The CBI also points to weaknesses in testing of systems, patches, new technologies, upgrades and products, prior to deployment – with the obvious customer and regulatory implications.
IT Strategy in regulated firms is also reported by the CBI as being, in some cases, deficient and not aligned with business strategy.
The CBI guidance addresses all issues through the lens of IT Risk and Governance. Of deep concern to boards and management of regulated firms should be the finding that there is insufficient ongoing and active IT risk management. Specifically, the CBI finds that risk management is not proactive, risks are poorly monitored and not being mitigated effectively if at all, multiple risk tools are not co-ordinated and, surprisingly, IT risk registers are not up-to-date or do not exist at all. Similarly, there are findings of weak IT asset management and inadequate data governance. The CBI also observes that reviews of IT policies are insufficient and deficient and are treated as ‘box ticking’ exercises. Given the pace of technology change, this is a dangerous habit to form from a risk management viewpoint. Finally, the Central Bank states that it expects that a firm’s governance structure provides for independent assurance on the effectiveness of the IT risk management, internal controls and governance processes.
The Central Bank has stated that these findings and guidelines will form the basis for future supervisory work. So what does a regulated entity do? We recommend you start by finding out where your firm currently stands on:
Service Delivery and Management
- if outsourcing and/or cloud computing forms part of your service delivery model then carry out vendor risk assessment to include: vendor viability, vendor technology and business strategy, vendor contract review, SLA and KPI review, vendor management/governance model. Make sure to also assess your own vendor management capabilities. The outputs of this assessment should form a coherent and targeted action plan;
- review your IT service management approach against an industry-standard framework such as ITIL. While it is not always necessary to adopt full ITIL processes, benchmarking against this framework will provide excellent insight into areas of high risk;
- examine your methodology for project and programme management and ask whether it is appropriate for the current environment;
- carry out an IT strategy assessment and make plans to align it with your business strategy;
- ask whether your IT infrastructure is fit for purpose to support this, and whether you have an infrastructure strategy;
- examine your approach to IT applications. If you have an applications strategy then assess it particularly in terms of application lifecycle (pre-acquisition to retirement), legacy systems maintenance, criteria for development, acquisition, upgrade of applications and skills requirement. As part of this, determine if your QA/test approach is effectively aligned. If you don’t have an applications strategy and test strategy, consider creating and implementing these; and
- review your MIS and reporting capabilities.
Risk and Governance
- carry out an independent assessment of IT governance, IT risk management and IT policies;
- create a risk management framework if none exists;
- implement an IT asset management process if none exists;
- assess your data governance approach. This is a CBI guideline, and the GDPR makes it an imperative; and
- review board reporting. Is the board getting what it needs? Is it useful and readable?
Since these findings and guidelines will form the basis for the Central Bank's future supervisory work, we advise that you carry out the above assessments and prioritise your actions based on the results.