Excerpts from speech by Ed Sibley, Deputy Governor (Prudential Regulation) of the Central Bank of Ireland, at the Financial Centre Summit, organized by Finance Dublin, Dublin, 3 October 2018
Technology developments over the last decade have, among many other things: exponentially increased the proliferation of data and the speed with which it can now be analyzed and processed; customer expectations of functionality; and increased outsourcing of technology services, including cloud storage. And if the current pace of change is anything to go by, the future is a vast unknown where only those able to adapt at pace will be able to survive.
Too many firms do not fully understand all the systems and processes that support their business services and they are not aware of all the third-party relationships that support their value chain. And we have found that in many firms the board does not fully understand the IT risk profile of their firm and is not asking the questions that need to be asked in relation to their risk appetite or how the IT strategy is aligned with the business strategy of the firm.
Data as an asset
A firm’s data is, in many cases, its biggest asset. So it is vital that firms are taking a data-centric view of their business and systems to identify what data they have or need to support their core business services, and how it is classified, used and protected.
In this fourth industrial revolution, firms that can harness data effectively can expect competitive advantages. The use of artificial intelligence and machine learning can be very powerful for analyzing big data to better understand how to meet customers’ needs in a sustainable manner over the long term.
But this can only happen if the data is reliable and available. From our on-site inspection work over the last number of years, we have identified many weaknesses in firms’ abilities to effectively understand, use and report on their data. Issues arise from a patchwork of legacy and newer systems that do not talk to each other, resulting in fragmented data that requires manual interventions and adjustments before it can be used. Firms need to have a single source of their key data if they are to rely on it for critical intelligence and decision-making. Those that manage this transition best are likely to be the firms that survive and thrive.
Outsourcing and third-party risk management
With all outsourcing arrangements, boards and senior management must understand that they are placing the resilience of their firm into the hands of a third party, and while they may be able to monitor the service during normal operation, when something goes wrong, they are reliant on someone else to fix it. Some firms might seek to take comfort from the fact that they outsource to a parent or sister group company rather than a third party, but, as has been seen with a number of high-profile events, firms cannot always rely on the parent to provide uninterrupted service. Boards and senior management need to understand where their firm’s systems and data sit on the group priority list should something go wrong.
Cybersecurity risk
I expect boards to: understand how disruptions of key business services could impact their customers and their value chain; ensure operational and cyber resilience strategies are fit for purpose; and oversee risk tolerances and appetite metrics to track, measure and trigger a response to disruptive events. They need to ensure that their firms have the resilience to withstand future shocks, absorb the impacts of the shock and communicate effectively to stakeholders throughout, and to ultimately recover from the incident and use the learnings to further improve their future resilience.