Ameis Regulatory Services

The Autorité des Marchés Financiers (AMF) in France recently published its summary of findings from its second series of SPOT inspections of cybersecurity systems, which covered five asset management companies (AMCs).

The document, which lists the themes examined under Supervision des Pratiques Opérationnelle et Thématique ("operational and thematic supervision of practices", SPOT), aims to outline and address certain areas of risk that the regulator has identified concerning the governance of cybersecurity systems and the incident management process.

The work follows on from the inspections carried out on this topic in 2019. This further work was justified by the areas of risk identified during the first series of inspections, but also by a desire to supplement the due diligence conducted with technical tests delegated to an accredited external third party.

The inspections focused on five key areas:

  • Organization and governance of cybersecurity systems

  • Coordination of IT service providers

  • Incident management processes

  • Supervision of processes for remote access to information systems

  • Internal control systems

The summary confirmed that the cybersecurity risks faced by all the AMCs inspected stemmed from governance and control systems, including:

  • The independence of the function in charge of IS security management relative to the function of IS Director/Manager.

  • The limited number of periodic phishing tests to measure the impact and development of awareness raising campaigns.

  • The absence of audit clauses and procedures for alerting AMCs in the event of a critical cyber incident.

  • The lack of policies for managing security components and patches.

  • The insufficient mapping of the protocols for the exchange of data with third-party systems (e.g. depository, auditor).

  • The absence of processes for sensitive data backup and storage in existing internal controls of the cybersecurity system.

In the context of the COVID-19 pandemic, specific analysis was also conducted on business continuity planning, supervision of "teleworking" processes and preventive measures concerning a potential upsurge in cyber incidents.

Targeted firms include:

  • Collective investment management firms, including portfolio asset management companies

  • Investment services providers other than portfolio asset management companies

  • Investment firms and credit institutions authorized to provide investment services

  • Financial investment advisers
