The cyber unit within IT is more likely, those ones are besotted with ticking compliance checkboxes, the delegation of responsibility and a game of musical chairs at any cost.

It is even more likely that IT was at loggerheads with cyber, but nowadays cyber seems to be able to trump everything and everyone.

This is a management move. IT probably wasn't in the loop, since this effectively reduce the responsibilities of IT in terms of compliance.

And especially their auditors