Financial firms should view data as asset that needs protection – Central Bank

Ed Sibley says sector can expect regulator to focus on firms’ ‘resilience capabilities’

Ed Sibley: “Trust in the financial services system is an endangered commodity”. Photograph: Nick Bradshaw


Central Bank deputy governor Ed Sibley has told the boards of financial firms to get on top of information technology (IT) risks, as “too many” companies do not fully understand the threats and vulnerabilities to their systems.

“A change in mindset is needed to see data as a valuable asset and to invest in protecting that asset,” Mr Sibley said at a conference in Dublin on Wednesday. “Firms also need to be prepared for when things go wrong and to build resilience to be able to withstand, absorb, and recover from technology-related risks.”

Mr Sibley says that financial firms are often unaware of their IT assets and of the full extent to which third parties are used to handle their data.

“Almost three quarters of our findings from on-site inspections relate to four key areas: IT risk management, IT security, IT outsourcing, and IT continuity management,” the deputy governor said. “Firms can expect to see a continued focus by the Central Bank on these fundamentals and on firms’ resilience capabilities.”

Battle

While the future of financial services is expected to increasingly involve a battle for customer relationships and trustworthiness of their digital offerings, “trust in the financial services system is an endangered commodity” in Ireland, he said.

“Boards and senior management need to take responsibility for safeguarding the trust in and reputation of their organisation by prioritising the security, resilience and use of their data and systems,” he said.

Mr Sibley added that financial firm boards should not be relying on their regulator to inform them of the need to build up IT resilience, but that the size and nature of risks in their systems should be enough.