I frequently deliver cyber security briefings to the Boards of regulated financial services companies.

And the most frequent question I get asked by board members is:

“What are you seeing out there?”

When I first heard this question, I thought they wanted to know about:

  • The types of attacks being launched, and
  • How the attackers get in.

And that is true, up to a point.

 

But I now realise that what board members really want to know is:

  • What are others in the industry doing?
  • Where are they struggling?

So, rather than expect you to pay for my advice so I can pay my mortgage and fund my Haribo jelly addiction, I’ll tell you for free:

 

What are others in the industry doing?

Regulated financial services companies in Ireland are:

  • Currently focused on the Central Bank of Ireland’s guidance on Operational Resilience. It is coming into effect from December and every risk-averse firm that I speak to is making sure they are aligned to the guidance.
  • Also very aware that the EU’s DORA regulation applies from January 2025, but that’s not a focus area until next year.

(As an aside, the Individual Accountability Framework (IAF) and Senior Executive Accountability Regime (SEAR) are really helping to keep everyone focused on their compliance obligations.)

 

Where are they struggling?

The struggles are different for large firms vs small firms.

  • Large firms are struggling to get the required buy-in and support from their global / centralised teams. For example, I see it regularly with global cyber security teams, who can’t get their heads around the level of detail that their Irish units are seeking. “Don’t worry about it; we have it under control” does not seem to address the needs of Irish regulated entities, and this is a revelation to teams based in other jurisdictions.
  • Smaller firms are struggling to get a handle on Third Party Risk Management (aka Vendor Management, Supply Chain Risk Management, Supplier Management Framework). Many are only now realising how much time and attention the activity takes, and they don’t have the people to do it. As a result, despite the economic downturn, there are still plenty of unfilled vendor manager roles being advertised.

 

PS I recognise that my dataset is small, so are you seeing something else? Let me know – I’m really interested to know what’s going on in your world.