'Prepare for cyber attacks', Central Bank warns firms
Customers of Irish banks, insurers and financial intermediaries are at risk from cyber attack, the Central Bank has warned.
Firms are being warned to increase resilience to IT failures and cyber security incidents.
New guidelines introduced yesterday apply to all businesses regulated by the Central Bank, regardless of size.
Old systems, under-investment and the use of outsourcing will all be scrutinised. "There are a lot of weaknesses and a lot of failings out there," according to Gerry Cross, director of Policy & Risk at the Central Bank of Ireland.
Businesses need to be prepared for situations, including the high likelihood of cyber attacks, it said.
"It's not a question of 'if' but 'when' firms will be hit, but we are just not seeing that reality in how firms are prepared," Mr Cross warned.
He said the new rules are the first time a single set of guidelines has applied across all regulated firms and that the rules are being introduced to raise standards.
"There is no sector already meeting this standard. They (the guidelines) are demanding," he said. The new guidelines are not binding in their own right but will form part of the overall supervision of regulated firms, Mr Cross said.
The new rules cover four main areas: governance by boards and senior management, risk management, cyber security and outsourcing.
In terms of governance, the Central Bank said it expects senior executives to be engaged with the issue.
"The thinking to a certain degree is 'we have an IT department and they are doing this'. So we are very keen to see real ownership by boards and senior managers."
The Regulator is not taking a position against outsourcing, but has concerns about the practice. "What we want to see is that firms are not outsourcing responsibility or thinking they can outsource responsibility. Control of the situation must remain with regulated firms."
A particular issue in Ireland is underinvestment in the wake of the crash.
In many cases Irish firms are operating IT systems that feature out dated technology assets in some cases no longer supported by the manufacturers.
"It is fair to say there is a post-crash hangover aspect," Gerry Cross said.