Central Bank of Ireland publishes findings from its thematic inspection of cyber security risk management in asset management firms
In an industry letter dated 10 March 2020 the Central Bank of Ireland (the "Central Bank") detailed its key findings identified during its inspection of cyber security risk management in asset management firms. The thematic inspection examined (i) cybersecurity risk governance, (ii) cybersecurity risk management frameworks and (iii) certain technical controls for mitigating cybersecurity risk. The Central Bank notes that many of the weaknesses highlighted in the Central Bank's 'Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks 2016' are still prevalent three years later.
The Central Bank's letter states that it is the responsibility of the board of the asset management firm and its senior management to ensure that cybersecurity is embedded in their firm and the board is responsible for overseeing a clearly defined strategy for cybersecurity to enable the firm to achieve a desired state of resilience and protection. In addition the Central Bank noted that there should be a sufficient skill set on the board to challenge and oversee the strategy and that the board and senior management should prioritise the development of a strong organisational culture of cybersecurity. The Central Bank sees this as key in supporting effective identification, monitoring, reporting and mitigation of cyber risks.
The key findings detailed in the Central Bank's letter focus on six distinct areas:
1. Cybersecurity Risk Governance
The Central Bank highlights that it is the responsibility of the board of the asset management firm and its senior management to determine, oversee and implement a clear strategy for cybersecurity to enable the firm to achieve a desired state of resilience and protection.
Deficiencies were identified by the Central Bank in the governance of cybersecurity policies including a lack of tailoring of group policies to the firm's business operations and a failure to review policies in accordance with the frequency mandated in firms' own policy management criteria as well as deficiencies in firms' oversight of group or third party cybersecurity service providers.
The Central Bank expects firms to have a comprehensive, documented and board approved IT and cybersecurity strategy in place along with a well defined and comprehensive IT and cybersecurity risk management framework in place that provides effective oversight of IT related risks and gives assurance to the board regarding the management of these risks within the firm.
2. Cybersecurity Risk Management
The Central Bank found that firms were making limited, and in some cases no use of defined quantitative metrics in management information for monitoring, reporting on and measuring cybersecurity risk exposures against the approved risk appetite statement and that boards, in general, are not receiving sufficient reporting on cybersecurity and other technology risks which is resulting in a lack of independent challenge on cybersecurity risk.
The Central Bank expects firms to implement, maintain and communicate an appropriate cybersecurity risk management framework that includes risk identification, assessment and monitoring, the design and implementation of risk mitigation and recovery strategies, and testing for effectiveness.
In addition the Central Bank expects cybersecurity risk assessments to be conducted at regular intervals, at least annually, and should be comprehensive, considering internal and external sources of risk.
3. IT Asset Inventories
The Central Bank noted that firms were unable to demonstrate that there was a single, complete IT asset inventory solution in place and is of the opinion that IT assets are not being managed, from a security perspective, in accordance with their business criticality and that firms are not fully aware of all the hardware, software, and data assets on their networks and therefore cannot assess the associated risks in a holistic manner.
The Central Bank expects firms to establish and maintain a thorough inventory of IT assets, classified by business criticality with a process to be put in place to regularly assess the business criticality of IT assets and assess the associated risks in a holistic manner.
4. Vulnerability Management
The Central Bank identified the following deficiencies in firms' vulnerability management processes:
- inadequate vulnerability management planning and mitigation activities;
- incomplete or unknown coverage of vulnerability scans; and
- in some cases, failure to use vulnerability scanning tools to identify devices that deviate from the security baseline.
The Central Bank expects exposure to vulnerabilities should be assessed on a continuous basis, on the entirety of the IT estate, and include identification of external and internal vulnerabilities.
5. Security Event Monitoring
The Central Bank found that firms were unable to demonstrate that security events from all pertinent systems and devices are collected by and analysed in a security information and event management system and firms did not evidence sufficient oversight for outsourced security operations centre services.
The Central Bank expects cybersecurity management activities should address the timely detection of security events and incidents, ensure comprehensive monitoring of all assets containing or processing critical data, and assess the potential impact to the business.
Additionally, the Central Bank expects regular reviews to take place to assess the effectiveness of detection processes and procedures.
6. Security Incident Management
The Central Bank notes that deficiencies were found with cybersecurity incident response and recovery plans including plans being in draft form, incomplete or not forming part of the formal incident management framework. In addition, the Central Bank found that in some cases such plans were not tested.
The Central Bank expects firms to have documented cybersecurity incident response and recovery plans in place that provide a roadmap for the actions the firm will take during and after a security incident which address roles and responsibilities of staff, incident detection and assessment, reporting and escalation, as well as response and recovery strategies to be deployed.
The Central Bank expects asset management firms to fully consider these findings and evaluate their own cybersecurity risk management practices to establish if any improvements are required. This letter is required to be brought to the attention of all board members and senior management before 30 April 2020.
The Central Bank has advised that a review of cybersecurity risk management and the issues raised in this letter may form part of any future risk assessments, including inspections, carried out by the Central Bank and that supervisors will have regard to the consideration given by a firm to the matters raised in this letter.
Firms should review their cyber security frameworks in light of the Central Bank's findings and consider whether any amendments may be required.