This briefing assesses the potential impact of cyber-attacks, particularly in the context of the asset management industry in Ireland, and provides guidance for fund boards and managers regarding the appropriate procedures and systems that should be in place to adequately prevent or deal with cyber-attacks.
An increasing number of reported cyber-attacks on businesses worldwide, including businesses in the international asset management industry, together with increased regulatory scrutiny around the area of cyber security, have led many fund boards and managers to review their cyber security strategies with a view to implementing preventative controls and timely responses.
Due to the nature of their business, asset management firms hold large amounts of capital and control large amounts of valuable data relating to their clients, both institutional and high net worth individuals. This provides an adequate incentive for an attack from cyber criminals. The financial implications of such an attack, together with the subsequent reputational damage if such an attack was not dealt with adequately, means that the issue of cyber security is generating increased focus from senior personnel within such organisations.
In early 2015, the Central Bank of Ireland (Central Bank) undertook a thematic review of fund managers and investment firms to assess the management of cyber security and related operational risks. The objective of the review was to examine if firms had adequate policies and procedures in place to prevent and detect cyber security breaches. The review found that many firms deemed cyber security to be the sole responsibility of the I.T. department within the firm with limited involvement, if any, from the board of the firm.
Following the thematic inspection, the Central Bank published a non-exhaustive list of best practices which boards should consider. A summary of the best practice guidelines (the Guidelines) are as follows:
The Guidelines provide a valuable resource for fund boards in applying best practice in all cyber security matters. The Central Bank has indicated that they will have regard to the Guidelines in the event that a firm is not compliant with any relevant regulatory requirements. In addition to the Guidelines, fund boards should consider taking out a cyber security risk policy covering a number of areas including intellectual property, hacking, viruses, etc. The fund board should also consider disclosing specific cyber security risk factors in fund offering documents.
It is the board’s responsibility to ensure that a firm is properly governed and has the necessary processes and systems in place to protect the firm and all of its assets. Cyber risk management should not be left solely to a firm’s I.T. department but should run throughout the organisation and should include active involvement from the board. In addition, due to the requirement for fund boards and managers to delegate duties to third party service providers such as Depositaries and Administrators, fund boards and managers should look to ensure that such service providers have endeavoured to put robust processes in place to minimise the threat of cyber-attacks and ensure compliance with relevant legal obligations.