In their cyber advisory letter, the CBoI has identified seven main control areas, only one of which is directly called “Cybersecurity.”
The other control areas are as follows:
- Oversight of Board of Directors and senior management of IT and cybersecurity risks
- IT Specific Governance
- IT Risk Management Framework
- IT Disaster Recovery and Business Continuity Planning
- IT Change Management
- Outsourcing of IT systems and services
It is clear that, with such a wide scope of controls outlined by the CBoI, financial institutions and regulated entities in Ireland now need to ensure that they implement a holistic approach to cyber risk, so that all risk areas, including financial risks, operational risks and IT risks, are not managed in isolation from one another.
Apart from a standard set of controls which is not much different to those proposed by international frameworks, the “Cybersecurity” area includes specific CBoI controls which aim to ensure that cyber incident reporting to the Central Bank is defined in each affected institution.
The challenge for many institutions affected by this framework lies in accurately measuring their current cyber-readiness level, not only in the context of the CBoI recommendations, but also in comparison to other financial market players. Understanding your current cyber maturity level is the starting point for any control enhancements implemented to achieve compliance with the CBoI recommendations.