
Banking Sector

Dáil Éireann Debate, Thursday - 1 February 2024

Questions (111)

Willie O'Dea

Question:

111. Deputy Willie O'Dea asked the Minister for Finance the action he proposes to take to ensure there is a safety net for consumers in the event of electronic banking or the payments infrastructure being impacted by outages or cyberattacks; and if he will make a statement on the matter. [4254/24]

Written answers

The Central Bank’s Cross Industry Guidance on Operational Resilience sets out the Central Bank’s expectations on how regulated firms should prepare for, respond to, recover and learn from an operational disruption that affects the delivery of critical or important business services.

A key focus of this guidance is ensuring firms can recover their critical or important business services (including payment services) from a significant unplanned disruption, while minimising impact and protecting their customers and the integrity of the financial system.

It also sets out a specific focus on business continuity plans which should be tested through severe but plausible scenarios and include any third party interdependencies or interconnections.

In the event of a disruption to payment services, such plans can include utilising contingency cash supplies maintained by the Central Bank and banks to help support essential purchases. The Central Bank also expects firms to update customers publicly, minimise disruption as much as possible to customers and to return services as soon as possible.

In addition, my officials are currently in the process of transposing and enabling Regulation (EU) 2022/2554 and Directive (EU) 2022/2556, a package known as the Digital Operational Resilience Act (DORA). Once enacted, DORA will address the increasing reliance of the financial service sector on digital technologies that can be vulnerable to cyber-attacks by setting minimum requirements on Information and Communication Technology (ICT) risk management for the majority of regulated firms.

This will ensure that participants in Europe’s financial system have the necessary safeguards in place to mitigate cyber-attacks and ICT incidents that have the potential to cause widespread service outages, such as by requiring regulated firms to have an ICT business continuity policy to ensure the continuity of critical or important functions, including crisis management functions and response and recovery plans for ICT-related incidents.

This will help to address the risk posed by cyber-attacks on digital payments infrastructure used by banks and other financial institutions to process digital payments.

The Digital Operational Resilience Act includes provisions that specifically require financial entities to have response and recovery plans in place that can be activated in the event of a service outage in order to continue business operations throughout a crisis. The Digital Operational Resilience Act will be applicable from 17 January 2025.

My officials are on track to have DORA and the associated Directive transposed into Irish law by the deadline of January 2025.
