Cyber security is becoming a major issue in financial services. Investment funds need to be aware of the increasing risks in this area and take steps to ensure such risks are mitigated as much as possible.
This update considers some of the legal risk mitigation measures that investment funds should consider in the area of cyber security.
Cybercrime is growing rapidly. The Center for Strategic and International Studies recently reported that assets of more than US$400 billion were stolen through cybercrime in 2014. In a financial services context, a cyber attack compromised over 80 million customers of one of the world's largest investment banking institutions.
Recently, investment funds (including some Irish investment funds) have been subjected to cyber attacks on their identity, leading to investors being defrauded. In most cases, a bogus website was established and investors were duped into investing monies electronically. Because cybercrime is conducted online and relies on internet servers in a broad range of countries between which the necessary jurisdictional co-operation has not been established, it has proved extremely difficult for the relevant authorities to track the perpetrators and shut down the relevant websites.
From an Irish financial services regulatory perspective, the importance of ensuring that an effective and robust cyber security controls environment is in place is such that the Central Bank of Ireland (the "CBI") has included 'cyber security / operational risk' as one of its themed inspection areas for 2015.
The CBI is not alone in this initiative: the US Securities and Exchange Commission (the "SEC") recently published detailed guidance highlighting how important this issue is for registered investment companies and investment advisers. The UK Financial Conduct Authority (the "FCA") has also publicly stated that it has "established a large network of engagements and contacts to leverage a wide range of skills" in the area of cyber security.
Robust Cyber Security Controls
The CBI requires that entities ensure that they implement adequate and effective measures to reduce the risk of cyber attack by enhancing their cyber security controls environment.
This would apply in an Irish investment funds context to self-managed UCITS, internally managed AIFs, UCITS management companies and alternative investment fund managers (collectively "Funds").
To ensure a robust cyber security controls environment is in place, the legal risk management framework of Funds, expected by the CBI, should typically cover:
- the cyber security strategy;
- the establishment of risk tolerances;
- defined techniques and methodologies for assessing cyber security risk; and
- defined techniques and response mechanisms in the event of a breach.
Senior management and control staff are responsible for executing these measures.
Controlling the Risks
Fund boards should ensure that they manage the cyber security threat at an internal and external third party level. The Funds should, at least:
- have a cyber security policy that is monitored on an on-going basis and updated accordingly;
- include the topic as an agenda item for each quarterly board meeting;
- consider appointing a third party cyber security specialist to carry out an annual audit;
- consider taking out a cyber risk insurance policy covering a number of areas including intellectual property, hacking, fraud, identity theft, viruses, etc.; and
- consider disclosing specific cyber security risk factors in fund offering documents (prospectus, etc.).
Central Bank of Ireland
As mentioned above, the CBI published its planned series of Themed Reviews [1] in markets supervision for 2015. As in previous years, the themed inspection areas overlap with the CBI's Enforcement Priorities [2].
As part of its cyber security / operational risk themed inspection, the CBI is inspecting controls and procedures around system security and access of selected firms. Therefore, it is prudent to act now, rather than wait until being inspected.
Cyber security is an increasing commercial threat and is high on the agenda for regulators and lawmakers (with proposed legislation imminent). It is therefore crucial that robust systems and controls are put in place