Spotlight on Central Bank of Ireland Operational Resilience guidance

With organisations evermore reliant on outsourced service providers, as well as rising cases of cyber incidents and technology failures, operational resilience is an increasingly hot topic in financial services.

Regulators across the globe are now carefully considering the levers they can pull to tackle the sector’s challenges and the Central Bank of Ireland is the latest to issue guidance to firms on the steps they should be taking to address vulnerabilities and weaknesses and mitigate risks in the financial system.

The Central Bank’s guidance comes as the European Union prepares to strengthen its pan-European regulation of financial services through the Digital Operational Resilience Act (DORA) and the Directive on Security of Network and Information Systems (NIS2). According to the Central Bank, its guidance will complement these forthcoming regulations.

What are the key points of the guidance?

The new guidance sets out how regulated financial service providers should prepare and respond to operational disruptions, as well as how to recover and learn from them in the future.

It places responsibility firmly on boards and senior management to ensure that their operational resilience frameworks are well-designed and operating effectively. This includes developing ICT and cyber resilience strategies that include regular testing.

In addition, the guidance states that firms must understand their third-party dependencies and take steps to mitigate risk. For example, firms must ensure that binding written agreements are in place with third parties that detail how the critical or important services will be maintained during a disruption and establish an exit strategy for if or when a service cannot be maintained.

Commenting on the new guidance, Wayne Scott, Regulatory Compliance Solutions Lead, NCC Group Software Resilience, said:

“In light of the rising concentration risk within financial services, NCC Group welcomes this new guidance focused on building operational resilience.

It’s also great to see that there’s a real sense of urgency around the guidelines, with the Central Bank expecting regulated firms to be in a position to evidence their actions by 2023 at the latest.

With both DORA and NIS2 yet to be finalised, and unlikely to come into effect before 2023, organisations should not wait around to take action.

Prioritising resilience by design by ensuring it forms the basis of any relationship with third parties throughout the whole supply chain is key.

When it comes to managing third party risk, and putting in place the required legally binding agreements with suppliers, escrow agreements are the only proportional, tried and tested method on the market already in use throughout Ireland. Indeed, regulators globally – including in the UK and the US – recommend software escrow as a key practical solution.”