By Pádraig Hoare
There are “potentially catastrophic consequences for firms and their customers” if they do not get to grips with the threats surrounding weak IT systems, the Central Bank has warned.
Deputy governor Ed Sibley, who was speaking at the Financial Centres Summit in Dublin, said the watchdog’s onsite inspection teams of financial firms has found “there is a huge amount of work still to be done”.
Lenders have been plagued by failures in their IT systems since the financial crash of 2008.
Central Bank governor, Philip Lane, has acknowledged that many banks’ IT systems are substandard, saying they became less of a focus following the crash.
Most banks say they are now investing in modern IT systems, but there has been a range of incidents fromsystems’ failures to customers failing to receive or make on-time payments.
Mr Sibley said since 2015, the Central Bank has had a dedicated team of onsite inspectors, focused on analysing financial firms’ IT infrastructure, policies and governance.
“We have seen a lot of progress in the area of IT risk management and resilience, but there is a huge amount of work still to be done. Almost three-quarters of our findings from onsite inspections relate to four key areas — IT risk management, IT security, IT outsourcing, and IT continuity management.”
He said there were concerns “about the many findings in our work that relate to the failings of boards and senior management to understand and appreciate the significance of the IT and operational risks their firms face”.
“Senior management and boards of financial services firms need to own these critical risks and build resilience in their firms to be able to endure and survive operational or technology-related shocks,” he added.
He said “given the potential catastrophic consequences for firms and their customers”, it should not take the regulator to have to tell firms what they need to do to build resilience, and “the size and nature of the risk should itself be enough”.
While looking at the opportunities for the future, many firms also need to continue to invest to get the basics right. Significant improvements are required across the system to manage the incumbent and growing technology risks within it.
In 2014, Ulster Bank was fined €3.5m for IT-related failures that occurred in 2012, the biggest fine ever imposed by the Central Bank for such an offence.
There has also been a swathe of fines for banks that have seen anti-money laundering measures fail under their watch.
