“Get to grips with IT risk” say Irish, German central banks

Too many incidents are caused by a lax approach to technology, the Central Bank of Ireland and Bundesbank agree

Senior officials from both the Central Bank of Ireland and the Deutsche Bundesbank have warned bank management teams that they must work harder to ensure they have the right culture in place to tackle IT risks.


Gerry Cross, Irish Central Bank

“We believe that there is significant weakness in this area and will be seeking change,” said Gerry Cross, the Irish central bank’s director in charge of policy and risk, speaking at the annual general meeting of the Association of Compliance Officers in Ireland recently.

“A substantial number of technology incidents are caused or facilitated by inadequate performance by regulated firms,” said Cross.

He blamed: “A failure to see technology risk with the importance it has; a lax approach which sees technology risk as being for the IT folks to handle; a lack of senior management and board engagement; underinvestment; herding behaviour; poor security practices; ineffective procedures; outsourcing control failures; etc.”

Cross highlighted the importance of an improved risk culture at financial firms, placing ownership of technology risk and cyber-security at board and senior management level. “Final responsibility cannot be delegated or outsourced.”

The Central Bank of Ireland has started the process to bring about change in technology risk culture, Cross said. Questionnaires have been sent to banks asking about their cyber-security preparedness and resilience and the central bank’s banking IT risk team is performing inspections to check that firms have the right countermeasures in place.

“Technology is at the heart of modern financial services. When it goes wrong it can pose threats to all of the things the Central Bank cares about,” Cross said. The Irish central bank has said it will soon publish an initial paper setting out its current thinking and its overall expectations of regulated firms’ risk management early in 2016.

Tough lessons

Meanwhile, a senior Bundesbank board member has revealed that the German central bank has learned some tough lessons from cyber-attacks on its own systems.

“The financial sector is not only a major target but is also vulnerable to almost every conceivable type of cyber risk,” said Dr Andreas Dombret in a speech last month. “Pity for the financial sector, but good for the other industries because this makes it a repository of best practices which are also applicable to other parts of the economy.”

As a potential target, said Dombret, the Bundesbank has been able to develop some expertise on cyber defence. One lesson, he said, was that the Bundesbank has identified a trade-off between the need to use mobile devices and the need to use data sparingly. The Bundesbank now asks its staff to use mobile data only when necessary.

Noting that banks are starting to use big data to discover unusual patterns that point to a cyber attack, Dombret cautioned that: “From a governance point of view, setting the right priorities can make a huge difference. We have seen cases in which banks expend a lot of resources on deterring sophisticated assaults while omitting the most basic of measures.”

“Humans are often the weakest link in IT processes. Targeting ‘digital carelessness’ among customers and staff is usually a good way to achieve fast results in mitigating risk.”

And, like the Bank of Ireland, the Bundesbank is concerned that bank management break down the ‘accountability firewall’ that stops senior managers from taking on responsibility for cyber risk. “We therefore demand that banks clarify what is at stake and how the risks are supposed to be governed. This is called a cyber strategy, and every bank is required to have a convincing one,” said Dombret.

