The Autorité des Marchés Financiers (AMF) in France recently published its summary of findings relating to its second series of of cybersecurity system SPOT inspections concerning five asset management companies (AMCs).
The document that lists the themes involving Supervision des Pratiques Opérationnelle et Thématique – “operational and thematic supervision of practices” (SPOT), aims at outlining and addressing certain areas of risk that the regulator has identified concerning the governance of cyber system and the incident management process .
The work follows on from the inspections carried out on this topic in 2019. This further work was justified by the areas of risk identified during the first series of inspections, but also by a will to supplement the due diligence conducted by performing technical tests delegated to an accredited external third party.
The inspections focused on five key areas:
Organization and governance of cybersecurity systems
Coordination of IT service providers
Incident management processes
Supervision of processes for remote access to information systems
Internal control systems
The summary confirmed that cybersecurity risksfaced by all the AMCs inspected, stemmed from governance and control systems, including:
The independence of the function in charge of IS security management relative to the function of IS Director/Manager.
The limited number of periodic phishing tests to measure the impact and development of awareness raising campaigns.
The absence of audit clauses and procedures for alerting AMCs in the event of a critical cyber incident.
The lack of policies for managing security components and patches.
The insufficient mapping of the protocols for the exchange of data with third parties systems (e.g. depository, auditor).
The absence of processes for sensitive data backup and storage in existing internal controls of the cybersecurity system.
In the context of the COVID-19 pandemic, specific analysis was also conducted on business continuity planning, supervision of "teleworking" processes and preventive measures concerning potential upsurge of cyber incidents.
Targeted firms include:
Collective investment management firms, including portfolio asset management companies
Investment services providers other than portfolio asset management companies
Investment firms and credit institutions authorized to provide investment services
Financial investment advisers