Cyber readiness for financial institutions

Since the Central Bank of Ireland (CBoI) issued their recommendation letter in September 2016 outlining cyber security controls which each of the regulated financial institutions are expected to introduce, an increased focus on cyber controls can be observed in banks, credit unions and financial brokers.

The CBoI framework is loosely based on well-established information security standards like NIST or ISO, but adds a broader scope; Cyber Risk Management approaches are now bound with overall IT Risk Management, which in turn is part of Operational Risk Management. The framework also promotes strong alignment of a cyber risk approach with company business objectives to ensure implemented security controls are fit for purpose.

Control areas

In their cyber advisory letter, the CBoI has identified seven main control areas, only one of which is directly called “Cybersecurity.”

The other control areas are as follows:

  • Oversight of Board of Directors and senior management of IT and cybersecurity risks
  • IT Specific Governance
  • IT Risk Management Framework
  • IT Disaster Recovery and Business Continuity Planning
  • IT Change Management
  • Outsourcing of IT systems and services

It is clear that with such a wide scope of controls outlined by the CBoI, financial institutions and regulated entities in Ireland now need to ensure that they implement a holistic approach to Cyber Risks, so that all risk areas, including financial risks, operational risks and IT risks, are not being managed in separation from each other.

Apart from a standard set of controls which is not much different to these proposed by international frameworks, the “Cybersecurity” area includes specific CBoI controls which aim to ensure that cyber incident reporting to the Central Bank is defined in each affected institution.

The challenge for many institutions affected by this framework lies in accurately measuring their current Cyber-readiness level; not only in the context of CBoI recommendations, but also in comparison to other financial market players. Understanding your current cyber maturity level is a starting point for implementing any control enhancements being implemented to achieve compliance with the CBoI recommendations. 

Analysing cyber readiness

Analysing cyber readiness levels can be difficult for individual financial institutions, due to a variety of factors.

In particular it is hard for them obtain reliable information about the cyber posture of similar peer institutions. The financial market is a competitive one and banks, credit unions and brokers are well aware that revealing information about their internal safeguards – including cybersecurity – may potentially lead to loss of competitive advantage in case such information is used against them.

That’s why – rather than approaching the cyber maturity assessment problem themselves, many financial institutions rely on specialised trusted third party service providers, which not only have broad expertise in cyber security in highly regulated environments, but have also been working with many players in their market and have a good understanding on how an individual institution compares to peer institutions in the context of cybersecurity controls.

We've adopted the NIST and ISO Cybersecurity frameworks – both of which are used by the CBoI as reference frameworks – for measuring cyber readiness for financial companies operating in a number of different countries. We assist companies in understanding their current cyber maturity level and help identify control gaps by running top-down and bottom–up analysis. Based on the results of such analysis we are able to assess a company's compliance level with CBoI cyber recommendations as well as indicate a benchmark cybersecurity maturity level in comparison to similar financial institutions.

Read more about cybersecurity assessments >

Disclaimer

BSI is an accredited Certification Body for Management System Certification and Product certification. No BSI Group company may provide management system consultancy or product consultancy that could be in breach of accreditation requirements.

Clients who have received any form of management system consultancy or product consultancy from any BSI Group company are unable to have BSI certification services within a 2 year period following completion of consultancy.