

Markets and Securities Services | Ireland 36
Guidance in Respect of Information Technology and Cybersecurity Risks, published in September 2016. The guidance addresses the role of the board and senior management in the oversight of IT and cybersecurity risks, but also addresses IT-specific governance and risk management, including risk management frameworks, disaster recovery, business continuity planning, change management and the outsourcing of IT systems and services. Expressly recognising the rapid developments in this area, the Central Bank's guidance notes that it does not address all aspects of the management of IT and cybersecurity risk, but rather focuses on those areas that the Central Bank deems most pertinent at that time, based on the supervisory work carried out to date. Firms would nonetheless be wise to have due regard to the importance afforded to cybersecurity as a strategic priority by the Central Bank, since increased regulatory focus inevitably brings with it an increased risk of regulatory sanction where systems and processes are found to fall short of the required standards.
Investment fund costs
The issue of investment fund costs has moved up the regulatory agenda in recent times, with the European Securities and Markets Authority (ESMA) commencing supervisory work on potential "closet index tracking" (funds that charge active-management fees while closely tracking an index). National regulators in the UK, Denmark, Norway and Sweden are also examining issues related to the disclosure of investment fund fees, while the investor protection group Better Finance has announced that it will carry out its own closet-tracking probe after ESMA refused to name and shame the funds it suspected of potentially being mis-sold. This trend was reflected in Ireland, with the 2016 programme of thematic inspections confirming that the Central Bank would conduct an analysis of the production costs of investment funds.
As part of its analysis, the Central Bank stated that it would focus on the effectiveness of disclosures regarding costs and fees. While the rules governing prospectus and UCITS KIID disclosures provide a clear framework, in the Central Bank's view it is not clear that the application of those rules allows investors to make an informed decision and to differentiate between funds. The Central Bank undertook to conduct a statistical analysis relating the total expense ratios of Irish-domiciled funds to their various characteristics, with outliers to be identified in order to determine whether further follow-up supervisory work may be warranted.
shared with the Central Bank, it could assist the approval process by allowing the Central Bank to focus on those areas where its processes diverge from those of the FCA, while leveraging the overlap between the two regulatory regimes. It will be important for the Irish industry to explore other ways in which the Central Bank may be in a position to fast-track certain aspects of the authorisation procedure while continuing to meet its mandate to ensure prudential soundness, ensure financial stability and protect consumers; work on this process is ongoing.
Regulating cyber risk
One area addressed in the programme of thematic inspections for 2016 that clearly illustrates the challenge of regulating in an ever-changing environment is information technology risk, or cybersecurity.[14]
Cybersecurity risks and threats have been present since the dawn of the information technology age. In recent years, however, reported cyberattacks and cybersecurity breaches have become more significant in their impact and more sophisticated, attracting mainstream media headlines with allegations of state-sponsored hacking programmes directed against other sovereign states and financial institutions. Unsurprisingly, in this context there has been increased attention at international level, with the International Organisation of Securities Commissions (IOSCO) and the Committee on Payments and Market Infrastructures (CPMI) issuing joint guidance on cyber resilience for financial market infrastructures in June 2016.[15] This trend has played out at domestic level, with the Central Bank increasing its focus on this area every year and issuing two separate rounds of guidance to industry participants.
In February 2015, the Central Bank identified cybersecurity and operational risk, together with the inspection of controls and procedures around system security and access, as an area of focus in its programme of themed inspections.[16] Throughout 2015 it also conducted a number of reviews of the cybersecurity policies and procedures of a variety of financial institutions. This led to the publication of a letter to industry stakeholders in September 2015 setting out examples of best practice arising from its thematic review.[17]

In 2016, IT risk, focusing on the resilience of firms' IT systems, was included in the programme. This process led, in turn, to formal Cross-Industry