Opalesque Industry Update - The AMF has published a review of its thematic inspections of the cybersecurity systems in place at asset management companies. In line with its supervision priorities for the current year, the Autorité des Marchés Financiers reviewed the cybersecurity systems of five asset management companies and, based on its observations, highlights the good practices noted. During these short thematic inspections, called "SPOT" (Supervision des Pratiques Opérationnelle et Thématique - operational and thematic supervision of practices), the regulator examined:

- the organisation of cybersecurity systems with regard to human and technical resources;
- the governance of these systems;

For the purposes of its work, the AMF treated cyber risk as arising from any potential malicious attack, internal or external, on one of the key properties of an asset management company's Information System, namely its availability, its integrity, the confidentiality of the data it processes, or the traceability of the actions performed in the Information System (the "AICT" criteria referred to below).

In this context, the AMF noted that the firms inspected are starting to address cyber risk: they include it in their risk mapping, compile the cybersecurity incidents they sustain, and periodically call on specialised service providers to test the robustness of their Information System. However, the systems analysed do not take into account the potential impact that a cybersecurity incident would have on the firm's regulatory compliance with regard to (i) maintaining the required level of regulatory capital, (ii) retention of sensitive data, (iii) maintaining an effective business continuity plan, and (iv) maintaining appropriate (IT) resources.

The AMF also noted the almost universal absence of a mapping of (i) sensitive data and (ii) critical systems, and of a data classification policy, which creates a risk that the control system only partially covers the major risks. Moreover, the existing incident databases make it difficult to formally identify cyber incidents so that the associated risk level can be assessed on an ongoing basis. Lastly, the vulnerabilities identified or confirmed by internal control are not remediated and tracked quickly enough.

For asset management companies belonging to a group (most of the sample inspected), the AMF identified inadequate internal supervision of the services (IT, cybersecurity and business continuity) performed by the parent company. The fact that the group carries out these services does not exempt an asset management company from its own responsibilities, first and foremost for defining the main risk areas and managing the relevant controls.

Among the good practices observed, the AMF notes, for example, the following:

- Ensuring the independence of the CISO (Chief Information Security Officer) function from the IS Department (Information Systems Department), either by having the CISO report (administratively or functionally) to the Executive Committee, or by establishing a control function independent of the CISO's activities;

Conversely, the AMF noted the following poor practices:

- Deploying a cybersecurity system without (i) prior identification, (ii) classification by criticality level (on the basis of the AICT criteria, i.e. availability, integrity, confidentiality and traceability), and (iii) regular review of sensitive data and Information Systems;

In addition to the summary published today, this series of SPOT inspections led to follow-up letters being sent to the asset management companies (AMCs) concerned. Cybersecurity risk will be the subject of further AMF inspections in the coming months. In light of the observations made during these inspections, the AMF plans to develop a cybersecurity policy specific to the sector and proportionate to the size of the firms concerned.
Press release
French regulator reviews asset management cybersecurity systems
Monday, December 16, 2019