
New IT guidance for Irish financial firms

Chris Hamblin, Editor, London, 20 September 2016


The Irish Central Bank has issued guidelines to govern IT risk management and cyber-security at financial service firms.

The regulator says that it worries about these risks out of its concern for firms, for their customers and for financial stability.

Its statement on the matter says: "Information technology is now at the heart of the supply of financial services. The incidence of cyber-attack and business interruption is on the increase and firms should assume they will be successfully targeted. The security and resilience of IT systems, their governance and management must improve to reflect this reality. The Central Bank expects boards and senior management of regulated firms to fully recognise their responsibilities for these issues and to put them among their top priorities."

The regulator wants all firms to concern themselves with the alignment of IT and business strategy, the outsourcing of risk, change management, cyber-security, incident response, disaster recovery and business continuity.

IT-related work is underway in every one of the Central Bank's various supervisory divisions. Moreover, the regulator's risk specialist supervisors have already carried out a number of inspections which have exposed areas where IT and cyber-security governance and risk management have fallen short of the standards that the Central Bank expects. On their visits the regulators found the following.

  • The alignment between firms’ IT strategies and overarching business strategies is weak. "IT capabilities" are "not matched to business ambitions."
  • Firms are not taking a holistic view of 'IT risks' (a term that the regulator does not explain in any way, except to say that 'cyber-security risks' are among them) throughout their businesses. As a result, they are not identifying, monitoring and mitigating their IT risks effectively.
  • There are shortcomings in 'IT risk' assessment and identification, with many firms not maintaining comprehensive IT risk registers, and with risk identification being backward- rather than forward-looking.
  • There are too many instances of older technology supporting the main business operations and requiring significant resources and/or investment to manage associated risks.
  • Firms often lack data classification policies and many more lack adequate ones.
  • Staff are not well-trained enough to cope with risks to cyber-security.
  • There are too many instances of ineffective firewall management/inadequate intrusion detection processes, with weak IT security monitoring.
  • There are deficiencies in the way in which firms outsource their IT-related operations. They fail to scrutinise prospective service providers, their outsourcing agreements are badly drafted and they do not monitor the performance of services properly.
  • Disaster recovery and business continuity plans are often inadequate and untested.
