FCA tells asset managers to improve security

The Financial Conduct Authority (FCA) has told asset managers to do more to improve their cyber security.

The regulator stated today (December 10) that asset managers must do more to ensure that board and management committee decisions on cyber security are based on careful consideration of the cyber risks arising from the nature, scale and complexity of the firm's activities and risk profile.

In late 2017 and early 2018, the FCA carried out a review of 20 firms in the asset management and wholesale banking sectors to check how they oversaw and managed their cyber security.

According to the regulator, the firms varied in size, scale, operating model and geography; the asset management sample, for example, included firms with client assets ranging from less than £15bn to more than £500bn.

The regulator's review found that where a firm relies on group-level or other centralised arrangements for maintaining cyber security, its management committees and board should assess whether those arrangements are fully aligned with the firm's specific risks and ensure that any identified gaps are addressed.

The FCA told firms they should take proactive steps to foster a security-centric culture that transforms cyber security from an IT issue into an organisation-wide priority.

The FCA found that firms generally lacked board members with strong familiarity with, or specific technical expertise in, cyber security.

Many said this was because of their size, their low risk profile or the limited availability of that skillset in the wider population of independent non-executive directors.

Given the overall responsibilities of board members, which include providing effective challenge and oversight, the FCA said this raised an important question about what ongoing training and simulation exercises firms undertook to strengthen capabilities at board level.

Some firms were found to have hired third-party firms or advisers to independently advise them on cyber security.

Some asset managers were found to have arranged presentations from chief information security officers and other specialists from peers in other firms and industries.

But the FCA flagged concerns that retaining the services of third parties to assist and advise board members on cyber matters could result in over-reliance on these services.

The FCA stated: "This could affect the firm's development of its own in-house cyber capabilities and the longer-term abilities of the board to objectively assess their firm's cyber and control environment."

Another area of concern was management information.

The regulator was worried about boards being bombarded with too much detail, or with information presented without context, leaving them unable to identify meaningful trends.

Mark Locke, communications director of consultants Lang Cat, said that, with the senior managers regime coming into force next year, this was a timely reminder that bosses need to make sure they either improve their IT knowledge or get individuals on the board who fully grasp cyber security risks.

Mr Locke said: "The asset management and wider financial community has had a lot of regulation to deal with in terms of General Data Protection Regulation (GDPR) and Mifid II but cyber security is vital.