- cybersecurity risk management at Asset Management firms.
- The Inspection identified that some firms have made good progress in strengthening their cybersecurity risk management.
- The Inspection found that many weaknesses highlighted in the Central Bank’s 2016 Cross Industry Guidance on IT and cybersecurity risks are still prevalent three years later.
The Central Bank has today published the findings of a Thematic Inspection into the cybersecurity risk management practices in Asset Management firms. The purpose of the Inspection was to determine the adequacy of cybersecurity controls and cybersecurity risk management practices of the inspected firms and to identify good practices.
The on-site inspections included a point-in-time maturity assessment of key cybersecurity risk management practices in place across the selected firms.
The key findings of the inspection are:
- While some firms have made good progress in certain areas, many of the weaknesses highlighted in the Central Bank’s 2016 Cross Industry Guidance on IT and cybersecurity risks are still prevalent three years later. Consequently, concerns still exist for the Central Bank regarding the arrangements that are in place to adequately oversee all cybersecurity risks.
- Boards and senior management are not prioritising to a sufficient extent the need to have a strong culture of cybersecurity embedded throughout the organisation.
- Deficiencies in IT asset inventories were identified, where the inventories did not capture the complete IT estate and/or classify assets by their business criticality.
- Cybersecurity incident response and recovery plans did not meet the Central Bank’s expectations, with many being in draft form, incomplete or not tested with an appropriate frequency.
- While all firms reported on cybersecurity risks, the quality and frequency of the reporting were variable. In general, risk indicators used were overly focused on qualitative indicators with insufficient utilisation of quantitative indicators.
Michael Hodson, Director of Asset Management and Investment Banking Supervision said:
“While the Inspection identified that some firms have made good progress in strengthening their resilience to a cyber-attack in certain areas, we are of the view that cybersecurity is a practice that remains underdeveloped in the Asset Management industry. Firms must give more consideration and support to identifying and managing the different threats they are exposed to, whilst recognising that the inherent risks of IT are continuously increasing.
“Firms must focus on increasing the maturity of their cybersecurity model by driving a process of continuous improvement.
“The Central Bank will be following up with individual firms to ensure that they are taking steps to enhance their cybersecurity resilience and to minimise the risk to themselves and to the wider industry from a cyber-attack. We expect all Asset Management firms to fully consider these findings and evaluate their own cybersecurity risk management practices to establish if any improvements are required.”