The Central Bank of Ireland (CBI) warned earlier this week in an industry letter that asset management firms must bolster their cybersecurity systems, with many making little progress in recent years. Publishing the findings of a thematic inspection on cybersecurity, which included onsite visits to four firms in recent months, the CBI said more needs to be done and senior management must make cybersecurity a top priority.
‘While the Inspection identified that some firms have made good progress in strengthening their resilience to a cyber-attack in certain areas, we are of the view that cybersecurity is a practice that remains underdeveloped in the asset management industry,’ remarked Michael Hodson, Director of Asset Management and Investment Banking Supervision, in the letter.
Many of the weaknesses highlighted in the CBI’s 2016 Cross Industry Guidance on IT and Cybersecurity Risks remain in place three years later, the regulator said, and boards and senior management are still not prioritising the need to have a strong culture of cybersecurity throughout their organisation.
In addition, the CBI found shortfalls in IT asset inventories. Cybersecurity incident response and recovery plans also fell short of the CBI’s expectations, with many in draft form, incomplete or not tested with appropriate frequency. On reporting, meanwhile, although firms do detail cybersecurity risks, the quality and frequency of that reporting were variable and relied too heavily on qualitative indicators.
‘Firms must focus on increasing the maturity of their cybersecurity model by driving a process of continuous improvement,’ Hodson added. ‘The Central Bank will be following up with individual firms to ensure that they are taking steps to enhance their cybersecurity resilience. We expect all asset management firms to fully consider these findings and evaluate their own cybersecurity risk management practices.’
Implementing a cybersecurity framework that can keep pace with evolving threats can be time-consuming and costly, and there’s not necessarily one size that fits all. But the regulator insisted that senior management ‘ensure that there is a well-defined and comprehensive IT management framework in place that provides effective oversight of IT-related risks and gives assurance to the Board regarding the management of these risks within the firm.’
AQMetrics has found that implementing an information security framework, such as ISO 27001, contributes significantly to creating a culture of cyber risk awareness in the firm. With regulators making cybersecurity a major focus and promising to follow up with firms in the coming months, asset managers can ill-afford to remain complacent.
The letter must be brought to the attention of all board members and senior management before 30 April 2020.