Home Knowledge Central Bank’s Thematic Review of Irish Insurers Highlights Importance of Cyber Security

Central Bank's Thematic Review of Irish Insurers Highlights Importance of Cyber Security

November 13, 2023
Central Bank's Thematic Review of Irish Insurers Highlights Importance of Cyber Security
Partner
Eoin Caulfield
Partner
John O’Connor
Senior Associate
Catherine Carrigy

The Central Bank of Ireland (Central Bank) has recently issued a cyber security thematic review information request (Thematic Review) to several Irish life and non-life insurers under its supervision.

The Thematic Review aims to assess a range of cyber security controls, based on responses to a cyber security questionnaire. The Central Bank will continue conducting these Thematic Reviews into 2024 and intends to expand the original scope to include additional insurers across the sector.

The Thematic Review highlights the importance placed on cyber security, both at a domestic and European supervision level. From a European perspective, the EIOPA Guidelines on Information and Communication Technology Security and Governance have been effective since 1 July 2021, to provide clarification on supervisory expectations concerning cyber security, ICT security and governance capabilities. Building on the existing European framework, the Digital Operational Resilience Act (DORA) will take full effect on 17 January 2025. DORA aims to improve operational resilience across EU financial services firms, including (re)insurers, enabling them to withstand ICT-related disruptions and threats, having regard to the increased risk of cyber-attacks.

At a domestic level, the Central Bank’s Cross Industry Guidance on Operational Resilience (Operational Resilience Guidance) takes effect from 1 December 2023 to ensure regulated firms adopt appropriate measures to prepare for, respond to, recover and learn from an operational disruption that affects the delivery of critical or important business services. The Central Bank expects insurers to have in place ICT and cyber resilience strategies which address operational resilience vulnerabilities within their organisations and to be able to demonstrate their actions/plans to apply the Operational Resilience Guidance by 1 December 2023. Given the two-year lead-in period to apply the Operational Resilience Guidance, it seems inevitable that the Central Bank will seek to assess its application by insurers into 2024 and beyond.

As part of its supervisory focus on Operational Resilience, the Central Bank has been increasingly vocal about the emphasis it is placing on cyber security. At the outset of 2023, cyber and IT risks, together with operational risk more broadly, were identified as key priorities for the Central Bank from an insurance supervision perspective. The Central Bank’s Annual Report published in May 2023 again emphasized its supervisory focus on “assessing and managing risks to the financial and operational resilience of firms, including resilience in the event of a cyber-related incident.” In a noteworthy speech in April this year, Mr Domhnall Cullinan, the Central Bank’s Director of Insurance Supervision highlighted the similarities (and differences) between some key DORA requirements and existing Central Bank guidance, including its 2016 Cross-Industry Guidance paper on IT and Cybersecurity Risks. Going back to 2016, the Central Bank was even then clear in its expectation that Boards and senior management of regulated firms “fully recognise their responsibilities in relation to IT and cybersecurity governance and risk management.”

The latest Thematic Review demonstrates that the Central Bank’s focus on cyber security and related risks is likely to continue unabated in the months ahead. While some of the measures introduced by DORA and the Operational Resilience Guidance, for example, will be reasonably familiar to the Irish insurance sector, many of the obligations require careful thought and planning at Board and senior management level to ensure they are effectively embedded into the risk management and operational resilience frameworks of their respective organisations. The management of cyber security risk will form a critical component of this.

Under the ‘Safeguarding’ theme of the Central Bank’s Strategy 2022-2026, the Central Bank has committed to strengthening its ability to maintain the resilience of the Irish financial system and ensuring regulated firms’ cyber resilience is seen as critical to the Central Bank achieving this objective. Undoubtedly, Irish insurers can expect to see a continued sharp focus on cyber security from the Central Bank particularly as the insurance sector’s dependence on technology grows and the associated cyber threats evolve and increase in tandem.

If you would like to discuss any of the issues raised in this article, please contact Claire O’Connor, Catherine Carrigy, John O’Connor or your usual William Fry contact.

 

Contributed by Claire O’Connor

 

Recommended Insights

See all
Article and Insights
26
Apr 2024
Asset Management & Investment Funds Update – April 2024
Welcome to the April 2024 edition of our Asset Management & Investment Funds Update.
WF_author_blank
Consultant
Patricia Taylor
Article and Insights
22
Apr 2024
A New Leaf? Change in Laws Approved for Sustainable Construction Products
What do you need to know?
WF_author_blank
Consultant
Cassandra Byrne
Article and Insights
18
Apr 2024
SEAR Regulations signed and other Individual Accountability Framework Developments
We look at updates on the IAF including the SEAR Regulations recently signed by th...
WF_author_blank
Partner
Shane Kelleher
Article and Insights
18
Apr 2024
EIOPA Publishes Supervisory Statement on Reinsurance from Third-Country Reinsurers
EIOPA finalises its supervisory statement on reinsurance concluded with third-coun...
WF_author_blank
Partner
Eoin Caulfield
Article and Insights
16
Apr 2024
Central Bank 2024 Regulatory & Supervisory Outlook Report – Financial Crime Spotlight
Financial crime – an area of particular focus for the Central Bank in the 2024
WF_author_blank
Consultant
Hilary Rogers
Article and Insights
9
Apr 2024
Central Bank Updates Approach to Authorising Payment Institutions / E-Money Institutions
We look at updates to the Central Bank's approach to authorising Payment and E-Mon...
WF_author_blank
Partner
Shane Kelleher
Article and Insights
5
Apr 2024
Insurance Newsletter Q1 2024 – Central Bank of Ireland Highlights Two Key Issues
The Central Bank of Ireland published its Insurance Industry newsletter for Q1 202...
WF_author_blank
Partner
Ian Murray
Article and Insights
26
Mar 2024
Proposed New FIDIC Contract for Offshore Wind Projects
FIDIC are developing a new standard form contract for offshore wind projects. What...
WF_author_blank
Consultant
Cassandra Byrne
Article and Insights
25
Mar 2024
Asset Management & Investment Funds Update – March 2024
Welcome to the March 2024 edition of our Asset Management & Investment Funds Update.
WF_author_blank
Consultant
Patricia Taylor
Article and Insights
14
Mar 2024
CBI Publishes Consultation Paper on Consumer Protection Code Revision
We look at CP158 - The Central Bank Consultation Paper on its proposals to revise ...
WF_author_blank
Partner
Shane Kelleher
prev
next
See all