IE-Annual-Report-&-Review-2024
Risk Report

The principal risks and uncertainties are set out in the Director’s Report on page 34. The primary risk areas for IE Domain Registry are identified in the Risk Report below, under four risk pillars, along with a description of the steps the Company is taking to manage those risks.

The Company’s Enterprise Risk Management (ERM) framework incorporates the three layers of defense model. Risk management policy, processes and procedures cover risk identification, assessment, mitigation, monitoring and reporting. These are being updated to reflect the expected transposition of the EU NIS2 Directive into national legislation.

The Board retains overall responsibility for ERM, which is on the agenda for every board meeting. The Board sets the Company’s risk appetite, which is balanced and is aligned with corporate strategy. The Board has delegated certain risk management and oversight roles to the ARC, which are reflected in its updated terms of reference.

Risk Pillar 1 - Operational, Cyber & Technical

Risk area: Critical infrastructure disruption
Description of risk: Risks to the core infrastructure and technology through which our mission-critical services are provided. Risks from the complexity of DNS infrastructure, obsolescence challenges and the increasing threat of disruption by state actors.
What we are doing to manage the risk:
▶ We invest in the resilience of our critical DNS and registry infrastructure; investment in a 24/7 SOC and SIEM platform.
▶ We have robust business continuity and disaster recovery plans (BCP/DR) in place which are tested and reviewed on a regular basis.
▶ We have strong, effective IT & Security policies and operational controls that are certified to ISO 27001 standards & aligned with NIST Guidelines.

Risk area: Cyber security breach
Description of risk: As an Operator of Essential Services (OES) providing critical DNS and Registry services we are an attractive ‘conduit’ and target for hackers. Ransomware attacks may result in unavailability of mission-critical systems. A cyberattack on .ie or a key registrar may result in data breach or loss of service. Remote working has increased the risk vectors.
What we are doing to manage the risk:
▶ We seek to reduce both the likelihood and potential impact of a cyber attack by building cyber resilience into key systems and processes, educating and training our people about the cyber threat environment and by monitoring key services and systems for evidence or signs that could identify risks or malicious activity.
▶ We work closely with internal and external stakeholders, and external advisers, including the National Cyber Security Centre, to enhance intelligence and threat monitoring.
▶ We have engaged expert third party service providers, ensuring defense in depth. We have a 24/7 managed detection and response service (MDR). We follow a structured programme of internal audits, completed regularly each year.
▶ We continue to invest in high quality infrastructure, cyber defences, and testing: regular penetration testing, vulnerability and intrusion testing.
▶ We participate in tabletop exercises (TTX) with members of the European TLD ISAC, sharing best practices on mitigation techniques, and boosting resilience against emerging risks.

Risk area: People, talent and resources
Description of risk: Failure to attract, develop and retain seasoned professionals with in-demand unique specialist skillsets would have a detrimental impact on our ability to deliver on key strategic objectives. Risks to recruitment and talent retention arise from economic instability, increases in the cost of living, Covid and Brexit.
What we are doing to manage the risk:
▶ We provide a competitive Employee Value Proposition (EVP) to attract and retain top talent, through compensation & rewards, career development, work-life balance, company culture, and purpose & mission.
▶ Staff development, incorporating talent management, is one of the pillars in our Strategic Plan. Hybrid working is fully implemented through our Wellbeing policies & programmes.
▶ Succession planning and training commitments; cascading knowledge from senior operational experts to the entire team.

Governance IE Domain Registry CLG t/a .IE / Annual Report & Review 2024 12