The Central Bank plans to pile pressure on financial institutions to get to grips with mounting cybersecurity, Brexit and other risks related to their outsourcing arrangements, as it found in a survey that many boards have little understanding how others manage these crucial functions.
Some 185 banks, asset-management groups, insurers and payment companies surveyed by the regulator have 7,700 outsourcing arrangements between them. Forty per cent of the companies planned to outsource more activities over the next 12 to 18 months, the Central Bank said.
About 40 per cent of the firms used third parties to provide cloud computing services such as servers, storage, databases and networking over the internet, while a growing number of banks are entering partnerships with unregulated financial technology (fintech) companies, according to the Central Bank.
Companies are also engaging increasingly in the outsourcing of risk management and internal control functions, it said. In addition, a number of foreign-owned groups looking to base operations in Ireland as a result of Brexit may be considering outsourcing a "substantial level" of their activities to other parts of their organisations.
“Supervisors have observed a lack of awareness of the scale of outsourcing arrangements and the consequent level of third-party dependencies within many regulated firms, particularly at board level,” the report said, adding that the regulator planned to intensify its level of scrutiny of outsourcing across all sectors.
“In a number of individual firms, supervisors have seen adequate questioning and challenge of proposals and key outsourcing decisions by board members. However, supervisors have found that, overall, regulated firms often do not consider the potential impact of outsourcing.”
Systemic cyber risks
Regulators globally have been moving outsourcing risk up their priority lists in recent years, as they weigh systemic cyber risks and threats to critical communications and power infrastructure. The collapse of UK facilities management and construction firm Carillion, which hit projects on both sides of the Irish Sea, has underscored the risks when institutions are overly dependent on a small number of services providers.
“As the management of outsourcing risk remains the responsibility of the board of directors for individual firms, the Central Bank fully expects that firms will analyse this paper and take appropriate steps to address issues relevant to their outsourcing practices,”said Gerry Cross, director of policy and risk at the Central Bank.
“Furthermore, firms can expect that supervisors will seek evidence of updates to risk-management frameworks to ensure that the paper was considered and an examination of outsourcing was conducted.
“The findings in this important report are disappointing. Significant action is required by boards and senior management to meet our minimum supervisory expectations on outsourcing governance arrangements, risk-management controls and business continuity practices.”