Regulatory scrutiny of threats to cyber security continues apace with the commencement by the Central Bank of its cyber security themed inspections of certain firms. The main focus of the Central Bank’s questions relates to:
- Whether the firm has conducted a risk assessment to identify cyber security threats, vulnerabilities, and potential business consequences
- Whether the firm’s business continuity plan addresses mitigation of the effects of a cyber-security incident
- What cyber-security risk management standards are used by the firm
- Practices and controls regarding the protection of networks and information including written guidance, training and oversight of staff
- The extent to which the firm makes use of encryption
- Periodic audit of compliance with information security policies; for firms which provide customers with online account access, details of the processes and security around such access
- Identification of cyber risks of third party vendors
- Detection of unauthorised authority
- Level of reporting of cyber security breach incidents to police and regulatory authorities
The Central Bank is not the only regulator highlighting concerns relating to cyber-security. The SEC has done so in the US and, in recent guidance to the investment companies and investment advisers it regulates, underscored the vulnerability of investment firms arising from the prevalent use of third party vendors and service providers, including fund managers, administrators, transfer agents and prime brokers.
Boards of funds and fund managers are thus advised to ensure in particular that the service providers and delegates of the fund have in place a robust process to minimise the threat of cyber attacks and to ensure compliance with the relevant legal obligations.
Contributed by Patricia Taylor.