CBI Expectations

Senior Management & Board Level

Operational Resilience is a multi-faceted topic and there are several steps to ensure compliance with regulatory standards. For banks, the CBI would expect to see operational resilience in place already. On the other hand, institutional investment firms are currently at a juncture where the deadline for the two-year adoption period is rapidly approaching. In the case of institutional investment firms, the culmination of the two-year adoption period is now, and it is crucial for them to address this matter urgently, as it is set to take centre stage in the scrutiny of the CBI.

The new legislation is adding additional layers, these include:

• CP140
• CP138
• DORA
• NIS2 (a lesser-known policy)

Operational resilience is a constantly moving target and so firms must be diligent and proactive in staying on top of upstream regulation that continue to add layers and requirements. Firms are challenged not only to meet current compliance standards but also to anticipate and prepare for the evolving regulatory expectations.

According to the CBI, the operational resilience framework is built upon three essential pillars:

• Identify and Prepare
• Respond and Adapt
• Recover and Learn

It is the duty of the Board to have an overall responsibility for operational resilience. Their various responsibilities include:

• Approve framework which much be aligned to the governance and risk framework.
• Set criteria for defining what is important and to review annually.
• Setting clear tolerances that suit the firm’s business model and market.
• Drive forward planning and avoid waiting for an incident to occur before actioning.
• Promote learning and training.

Cyber Security

Cyber and IT security now forms a significant part of developing a robust operational resilience framework given the digital age that we live in. Since Covid-19 Google witnessed a 350% increase of new phishing websites created which is a huge shift in behaviour along with the rise of Smishing which is targeting chat technology such as SMS/WhatsApp, given more people respond to chat instead of emails. Regulators are determined to clamp down on this effort and the main regulators such as CBI, FCA, SEC are joining forces in a co-ordinated effort to do so. The technology’s job in a company is to ultimately protect the data, data such as excel spreadsheets and personal information that is the main objective.

In cyber security there are three main causes of breaches these being:

• Human Error – Training is key here as 98% of breaches are due to human error.
• Processes – thinking about all areas of your business and security, such as how to check back ups on a regular basis, having a Business Continuity Plan (BCP) in place. All these such processes and plans create a mindset to allow you to know what to do should a disruption happen.
• Technology – this is a prevention mechanism but there is a limit to what you can spend in this area, where simple acts such as turning of the internet at night could be sufficient.

Remote Working

Remote working is a massive problem when looking at human error and technology as root causes of breaches. The incidence of employees departing under unfavourable circumstances is increasing, and in the context of remote work, understanding the route of dissatisfaction may pose challenging. Moreover, the dispersion of company files is a notable concern attributable to widespread utilisation of cloud-sharing platforms.

Vendor Management

Increased lack of vendor due diligence is another aspect to consider and forms a key area for the CBI with outsourced services. It is important to underline the significance of robust due diligence practices to mitigate potential risks associated with external service providers.

Advice for Clients

Critical to operational resilience is the appointment of a senior individual with direct board member accountability. Establishing a thorough change management oversight process and maintaining an updated asset registry for computer and IT equipment is advised. Implementing robust endpoint security measures for effective operational safeguarding. Furthermore, consider conducting an envelope test for the board, presenting them with a hypothetical scenario sealed in an envelope and assessing their response. This approach provides a valuable means of testing preparedness without disrupting day-to-day business activities. Emphasising the significance of continuous learning within the three-pillar model, particularly in the realm of recovery and learning.

For guidance on the talent market across risk and compliance and to discuss resource planning on a permanent or interim basis please contact Director & Co-Founder, Andrew Murphy, on +353858205640 or Andrew.murphy@coopman.ie