Cyber Security and the Funds Market
Friday, 24 April 2020
A discussion of key cyber security and resilience observations applicable to the funds market.
Ireland is the third largest funds domicile in the world, with more than 14,000 funds and €5.2 trillion in assets administered from the country; not bad going for a small island nation. That concentration of assets also brings great temptation, especially in the form of cyber risk and those operating in the dark and lucrative world of cyber-crime.
Our experience to date has shown that regulators are increasingly aware of the risks posed by technology, and that cyber security is one of the key areas on which they want firms to focus. In Ireland, the Central Bank of Ireland has stated on many occasions that it expects board members of regulated entities to drive a culture of cyber security and resilience throughout the firm, and that cyber security should be a standing agenda item at every board meeting. The Irish Data Protection Commission's (DPC) annual report for 2019 records that 6,069 valid data security breaches were notified during the year, a 71% increase on 2018. Helen Dixon, the Data Protection Commissioner, has signalled that large fines are inevitable in the Irish market, given the types of firms operating here and the extent of the issues her office is investigating. Firms that ignore the regulators' warnings will therefore feel pain in their pockets at a minimum, and loss of reputation and business will usually follow.
Despite the above, the importance of ongoing cyber security risk assessments can get overlooked. Yes, the likelihood is that regulated funds, asset managers and their service providers will have a cyber security and resilience policy, and when the risk assessors come looking, that box can be firmly ticked. But is the policy fit for purpose? What does fit for purpose even mean?
In very simple terms, a cyber security policy is fit for purpose when it is appropriate to the firm and meets the standard required for its intended use. Firms participating in the funds and securities markets should therefore establish procedures to monitor, assess and manage their cyber security risk profile, and have sound plans for operational resilience in the event of an incident, so that their policies are effective in practice rather than merely on paper.
In January 2020, the SEC's Office of Compliance Inspections and Examinations (OCIE) published its Cybersecurity and Resiliency Observations, setting out the practices it has seen at firms that take cyber security preparedness and operational resilience seriously. Lessons can be learned from these observations in Europe too. The following are a few of the key areas highlighted by the OCIE which will help regulated funds, asset managers and their service providers confirm that they have taken the necessary steps to protect their business and information.
Specific Risk Identification – it would seem relatively undemanding to ensure that the risks which matter most to a firm, in terms of their impact on business continuity and on customers, are identified and addressed. It is baffling how often this simply is not the case, and firms are using a generic risk assessment template to set out their key risks. PLEASE DON'T DO THIS! A generic register describes a generic firm, not yours. Consider and identify what your most valuable information is and which systems and processes would hurt most if they were unavailable or tampered with, and protect those with all your might.
Authorised Users – all firms should ensure that information is managed on a need-to-know basis, so that only users who need the data for their role are authorised to access it, and that access is removed when a role changes or ends. System access should be restricted in the same way, and controls should be in place so that unauthorised attempts to obtain data and information are prevented, logged and monitored, with repeated attempts escalated for investigation.
Prevent Data Loss – no single tool prevents the loss of sensitive information; the best protection is a layered set of tools and processes, which will vary from firm to firm depending on its size and the type of data it holds. As the funds industry holds valuable and sensitive customer information, the layers should include a mixture of penetration testing, vulnerability scanning, malware and advanced threat detection, encryption and strong authentication, insider threat monitoring and network segmentation.
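As an added illustration of the need-to-know principle above, not code from the article or from the OCIE observations, the following deny-by-default entitlement check records every decision, counts refused attempts per user and raises an alert once a user crosses a threshold. The datasets, roles, users and access log lines are constructed sample data, and the threshold of three denials is an assumption chosen for the example.

```python
"""Deny-by-default, need-to-know access check with monitoring of refused attempts.

Added example; the entitlement table, users, datasets, log format and log lines
below are constructed for illustration and are not taken from any real system.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Which roles may read which dataset (constructed example entitlements).
# Anything not listed is readable by nobody: deny by default.
ENTITLEMENTS = {
    "investor_register": {"transfer_agency", "compliance"},
    "nav_calculation": {"fund_accounting"},
    "payment_instructions": {"transfer_agency", "treasury"},
}

# Role assignments per user (constructed). A contractor with no standing role
# has an empty set and is therefore refused everything.
USERS = {
    "alice": {"transfer_agency"},
    "bob": {"fund_accounting"},
    "carol": set(),
}

# Constructed access-log format: timestamp, user, dataset, action.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dataset=(?P<dataset>\S+) action=read$"
)

# Constructed sample log: a mix of legitimate reads and refused attempts.
SAMPLE_LOG = """\
2020-04-24T09:15:02 user=alice dataset=investor_register action=read
2020-04-24T09:15:40 user=bob dataset=nav_calculation action=read
2020-04-24T09:16:11 user=bob dataset=investor_register action=read
2020-04-24T09:17:05 user=carol dataset=investor_register action=read
2020-04-24T09:17:09 user=carol dataset=payment_instructions action=read
2020-04-24T09:17:13 user=carol dataset=nav_calculation action=read
2020-04-24T09:18:00 user=alice dataset=board_minutes action=read
"""


@dataclass
class AccessMonitor:
    """Makes allow/deny decisions and keeps the audit trail needed to monitor them."""
    denial_threshold: int = 3                      # assumed escalation threshold
    denied: Counter = field(default_factory=Counter)
    audit: list = field(default_factory=list)      # (user, dataset, decision)

    def authorise(self, user: str, dataset: str) -> bool:
        """True only if one of the user's roles is entitled to the dataset.

        Unknown users and unknown datasets both fall through to a refusal,
        and every decision is recorded so refusals can be reviewed later.
        """
        roles = USERS.get(user, set())
        allowed_roles = ENTITLEMENTS.get(dataset, set())
        granted = bool(roles & allowed_roles)
        self.audit.append((user, dataset, "ALLOW" if granted else "DENY"))
        if not granted:
            self.denied[user] += 1
        return granted

    def alerts(self) -> dict:
        """Users whose refused attempts have reached the escalation threshold."""
        return {u: n for u, n in self.denied.items() if n >= self.denial_threshold}


def replay(log_text: str, threshold: int = 3) -> AccessMonitor:
    """Run every parseable log line through the access check and return the monitor."""
    monitor = AccessMonitor(denial_threshold=threshold)
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # malformed line; a production collector should flag, not drop, these
        monitor.authorise(match["user"], match["dataset"])
    return monitor


if __name__ == "__main__":
    mon = replay(SAMPLE_LOG)
    for user, dataset, decision in mon.audit:
        print(f"{decision:5} {user:6} {dataset}")
    print("escalate:", mon.alerts())
```

Replaying the constructed log refuses bob's read of the investor register (wrong role), all three of carol's reads (no role) and alice's read of an unlisted dataset, and only carol reaches the escalation threshold. The useful properties to copy are the deny-by-default lookup for both the user and the dataset and the fact that refusals are counted rather than silently dropped.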
Mobile Devices – laptops, phones and other mobile devices have made flexible working a reality, and are now part and parcel of what employees expect for their work-life balance. However, such devices leave the office network and are easily lost or stolen, and so present additional and unique vulnerabilities. It is essential that regulated funds, asset managers and their service providers have proper policies governing the use of these devices, and implement security measures such as multi-factor authentication, strong passwords and the ability to wipe data remotely if a device is lost or stolen, along with various other measures.
Third Party Management – Duff & Phelps frequently observe scenarios where a client's systems have been breached through poor security at a third-party supplier or vendor. For regulated funds, which rely heavily on administrators, custodians and other service providers, this is of particular importance. Funds should conduct regular due diligence to confirm that third parties are meeting the stipulated requirements, rather than relying on a questionnaire completed at onboarding. With outsourcing a constant priority for regulators, funds and their service providers need to fully understand their risk and exposure to third parties and have ways to manage those risks.
Staff Training & Awareness – there is little point in a firm investing in a leading-edge cyber security system if employees do not know how to use it to identify issues. Experience tells us that most cyber breaches occur not because of a lack of design, but because of poor execution. Proper training gives employees the tools to understand their responsibilities and heightens their awareness of cyber risk. Good training programmes include exercises in identifying suspicious activity such as phishing, and set out the indicators that a customer's account or instructions may have been compromised, for example where a customer's behaviour or instructions appear out of character. Staff should know whom to contact in the event of an issue and what is expected of them in their role. Overall, staff training should focus on building a culture of operational resilience within the firm.
Organisational Resiliency and Incident Response Plans – this boils down to one thing: firms must have a well thought out, up-to-date incident response plan in place. Time and again we have witnessed firms with no plan, or with an old or templated plan. But surely any plan is better than no plan? In this case, the answer is no. Outdated plans are inevitably missing key information about what data is held, where it is held, who needs to be told and so on, and a team following a plan that no longer matches the business will lose time at exactly the moment it cannot afford to. A good incident response plan has a number of components, which take into account all of the items mentioned above. It will have procedures for notification and response when an event occurs, processes to escalate incidents, communication instructions, key stakeholder details, and regulatory and contractual reporting requirements. These plans should be tested and evaluated at least annually, and updated whenever the business or its systems change. Resilience and business continuity are key components of an incident response plan, because they set out the steps needed to ensure minimal disruption to the firm and its clients. Effective resilience measures will ensure that core business processes are prioritised and protected, and that backup data is maintained on separate networks and offline, so that an attacker who compromises the production environment cannot also destroy the backups.
The reality is that no one is fully immune to cyber incidents, but firms can better equip themselves to deal with issues as they arise, and to prevent them happening in the first instance. Technology is a wonderful thing. It can also be a terrible thing. The key is to keep the terrible at bay by having proper and appropriate cyber security measures in place.
If you have any queries or questions related to the content of the above article, please contact our Dublin office on 01- 4720700, email Sharon.barrett@duffandphelps.com or Gráinne.ofarrelly@duffandphelps.com.
Gráinne O'Farrelly, Director, and Sharon Barrett, Director, Duff & Phelps