Financial Crime World

Central Bank Issues Guidance on IT Risk Management and Cybersecurity Risks

The [Central Bank] has released new guidance to assist financial institutions in effectively managing their IT risks and cybersecurity threats.

IT Risk Management and Cybersecurity Challenges

According to the guidance, many data dictionaries cover only a single application and do not provide a comprehensive view of all systems, or even of the key systems. In addition, the maturity of IT incident management varies widely between firms, and even firms with good processes tend to manage risk reactively rather than proactively.

Requirements for Effective IT Risk Management

The Central Bank expects financial institutions to develop, implement, maintain, and communicate an appropriate IT Risk Management (ITRM) framework that provides a comprehensive view of IT risks. This framework should include:

  • Clear lines of sight for links and dependencies between people, business processes, and IT systems and assets
  • Risk identification, assessment, and monitoring
  • Design and implementation of risk mitigation and recovery strategies

Key Requirements for Financial Institutions

To ensure effective IT risk management, financial institutions are required to:

  • Conduct regular IT risk assessments that consider internal and external sources of risk
  • Implement effective incident detection, notification, and escalation processes
  • Maintain a thorough inventory of IT assets classified by business criticality
  • Develop and maintain an up-to-date list of identified IT risks (IT risk register)
  • Notify the Central Bank in the event of an IT incident that could have a significant adverse effect on the firm’s ability to provide adequate services

Disaster Recovery and Business Continuity Planning

The guidance also covers IT disaster recovery and business continuity planning, emphasizing the importance of:

  • Periodic testing and prioritization of critical business operations
  • Conducting regular Business Impact Analysis with complete end-to-end reviews of business critical processes
  • Considering a range of plausible event and disaster scenarios, including cybersecurity events, in DR and BC planning
  • Developing and maintaining comprehensive DR and BC plans that enable the firm to recover from and resume services in the event of a disaster or emergency situation

Resources for Effective Disaster Recovery and Business Continuity Planning

To address these issues, the Central Bank expects financial institutions to:

  • Provide sufficient resources for effective DR and BC planning, testing, and execution
  • Develop and maintain comprehensive DR and BC plans that enable the firm to recover from and resume services in the event of a disaster or emergency situation

Conclusion

The guidance aims to help financial institutions better manage their IT risks and cybersecurity threats, ensuring the stability and security of their operations and maintaining public trust. By implementing these requirements, financial institutions can reduce the likelihood of IT incidents and ensure business continuity in the face of adversity.