knowledge | 3 April 2020 |

Asset Managers and Cybersecurity Risk Management Practices – Central Bank Update

According to an Industry Letter (the “Letter”) published by the Central Bank of Ireland (“CBI”), investment firms and fund service providers1 (“Asset Managers”) could do better when it comes to their cybersecurity risk management practices (“RMPs”). In particular, while a number of firms have made good progress in certain areas, the CBI still has concerns regarding the adequacy of the arrangements that are in place to oversee all cybersecurity risks. The Letter must be brought to the attention of all Board Members and Senior Management before 30 April 2020.

Background

In 2016, the CBI published “Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks 2016”, highlighting the need for firms to have in place adequate processes to efficiently address cyber risk.  

Recently, the CBI undertook a Thematic Inspection of Cybersecurity Risk Management in Investment Firms and Fund Service Providers, in order to determine the adequacy of cybersecurity controls and cybersecurity RMPs in place across selected firms. The Thematic Inspection examined (i) cybersecurity risk governance; (ii) cybersecurity risk management frameworks; and (iii) certain technical controls for mitigating cybersecurity risk.

The Letter

The CBI published the Letter outlining its findings from its Thematic Inspection into the cybersecurity risk management practices in asset management firms, on 10 March 2020 (here).

While, as mentioned, the CBI identified some good practices, broadly it was of the view that cybersecurity is a practice that remains underdeveloped in the asset management industry. According to the CBI:

“Firms must give more consideration and support to identifying and managing the different threats they are exposed to, whilst recognising that the inherent risks of IT are continuously increasing. Firms must focus on increasing the maturity of their cybersecurity model by driving a process of continuous improvement.”

Appendix 1 of the Letter sets out the CBI’s key findings and expectations in the following areas: cybersecurity risk governance; cybersecurity risk management; IT asset inventories; vulnerability management; security event monitoring; and security incident management (see table below).

The CBI expects Asset Management Firms to fully consider the findings and associated CBI expectations detailed in the Letter and evaluate their own cybersecurity RMPs to establish if any improvements are required.

Future risk assessments, including CBI inspections may include a review of cybersecurity risk management and the issues raised in the Letter. Supervisors will discuss matters raised in the letter during future supervisory engagement meetings.

Comment

Firms will need to review their existing cybersecurity RMPs in the light of the CBI’s key findings and expectations as set out in the Letter.  Such a review appears particularly timely in light of the increased risk of cybersecurity attacks as a result of COVID-19 and the fact that staff are now primarily working from home. In this regard, please see our related briefing COVID-19: Increasing Risk of Cyber Fraud (here).

Table 1: Key Findings and Expectations

 

Summary of Key Findings Expectations
Cybersecurity and Risk Governance

Boards and Senior Management are not sufficiently prioritising a robust cybersecurity culture and cybersecurity risks are not adequately considered when developing the business strategy.

The CBI identified deficiencies in the governance of cybersecurity policies, including in firms’ oversight of Group or third party cybersecurity service providers.

Firms should have a comprehensive, documented and Board-approved IT and cybersecurity strategy, supported by sufficient resources and aligned with the overall business strategy.

Firms’ Senior Management should ensure that there is a well-defined and comprehensive IT and cybersecurity risk management framework in place that provides effective oversight of IT related risks and gives assurance to the Board regarding the management of these risks within the firm.

Cybersecurity Risk Management

Firms make limited, and in some cases no use of defined quantitative metrics in Management Information for monitoring, reporting on and measuring cybersecurity risk exposures against the approved risk appetite statement.

In general, Boards do not receive sufficient reporting on cybersecurity and other technology risks, for example, regarding trends in a firm’s level of security risk incidents / near misses.

The CBI also observed conflicting reporting lines in some instances regarding cybersecurity risk personnel, where they reported to senior first line of defence positions, resulting in a lack of independent challenge on cybersecurity risk.

Firms should implement, maintain and communicate an appropriate cybersecurity risk management framework that includes risk identification, assessment and monitoring, the design and implementation of risk mitigation and recovery strategies, and testing for effectiveness.

Cybersecurity risk assessments should be conducted at regular intervals, at least annually, and should be comprehensive, considering internal and external sources of risk.

Assessments should have appropriate parameters for evaluating and prioritising risk, such as risk likelihood and potential impact on the business operations of the firm.

IT Asset Inventories

Firms were unable to demonstrate that there was a single, complete IT asset inventory solution in place. As a result, firms are not fully aware of all the hardware, software, and data assets on their networks and therefore cannot assess the associated risks in a holistic manner.

Firms should establish and maintain a thorough inventory of IT assets, classified by business criticality, to support an effective IT Risk Management framework.

A process (for example, a business impact analysis) should also be in place to regularly assess the business criticality of IT assets and assess the associated risks in a holistic manner.

Configuration baselines for IT assets should be established, with divergence from the baselines identified and managed appropriately.

Vulnerability Management

The following deficiencies were identified in firms’ vulnerability management processes:

  • inadequate vulnerability management planning and mitigation activities;
  • frequently, either incomplete or unknown coverage of vulnerability scans; 
  • in some cases, failure to use vulnerability scanning tools to identify devices that deviate from the security baseline.

Exposure to vulnerabilities should be assessed on a continuous basis, on the entirety of the IT estate, and include identification of external and internal vulnerabilities.

Robust safeguards should be in place, including a proactive patch management process and a comprehensive configuration hardening activity, to protect against cybersecurity threats.

Security Event Monitoring

Firms were unable to demonstrate that security events from all pertinent systems and devices are collected by and analysed in the Security Information and Event Management system (SIEM).

Firms did not evidence sufficient oversight for outsourced Security Operations Center (SOC) services.

Cybersecurity management activities should address the timely detection of security events and incidents, ensure comprehensive monitoring of all assets containing or processing critical data, and assess the potential impact to the business.

Regular reviews should take place to assess the effectiveness of detection processes and procedures.

Security Incident Management

Cybersecurity incident response and recovery plans were incomplete and / or not actionable. Issues identified included plans that were in draft, were not complete, had not considered key scenarios or were not part of a formal incident management framework. Furthermore, in some cases, the cybersecurity incident response and recovery plans were not tested.

Firms should have documented cybersecurity incident response and recovery plans in place that provide a roadmap for the actions the firm will take during and after a security incident. Incident response plans should address, inter-alia, roles and responsibilities of staff, incident detection and assessment, reporting and escalation, as well as response and recovery strategies to be deployed. Communication with relevant external stakeholders, including customers and the Central Bank, should also form a part of the response plan.


  1. Such as Fund Administrators, Depositaries, UCITS Management Companies, AIF Management Companies, Alternative Investment Fund Managers, Investment Managers and Investment Advisers

This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.

Key contacts