France’s financial regulator found a small number of asset managers were falling short of delivering robust cybersecurity processes that would meet the standard of an incoming regulation known as DORA.
Five medium-sized firms were subjected to a short thematic inspection to see if they were merely reactive to cyberattacks, or worked more proactively as the regulation will require.
DORA – the EU’s Digital Operational Resilience Act – will apply from 17 January 2025 and includes key principles for managing the risks associated with IT service providers.
The asset managers had adopted a “more reactive than proactive” approach to the cyber risks associated with outsourced services, which is not consistent with the approach advocated by DORA, the AMF said.
Firms should find a balance between reactive measures – such as a business continuity strategy – and proactive ones, including preliminary cyber risks assessment and mapping, and development of an information security policy.
The asset management companies on the panel carry out a posteriori controls targeting the effectiveness of these systems, the AMF said.
Other findings included that “most” of the five asset management companies that were inspected had drawn up an “exhaustive map of their sensitive IT service providers”, but risk mapping was not carried out identically for other partners.
The inspection gave extra weight to providers of cloud computing services but also looked at the IT channels used for exchanging sensitive data with other partners, such as distributors, depositaries, fund valuers and custodians.
The regulator also said management companies do not set up all the necessary supervisory tools to ensure that their employees systematically use the appropriate IT communication channels depending on the level of sensitivity of the data exchanged.
The inspection had found that there was a persistence of “several standard anomalies”, the AMF said.
If they were to persist in the future, the weaknesses outlined could justify the launch of law enforcement action, said the regulator.
© 2023 funds europe