Cyber security continues to be a top priority from a regulatory perspective, particularly for fund managers. They must adhere to strict guidelines put in place by global regulators to safeguard financial data and Personally Identifiable Information (PII). Non-compliance is not an option: laws such as the General Data Protection Regulation (GDPR) mandate robust cyber security measures, and failure to comply with GDPR can lead to significant penalties. In addition, the European Union is strengthening its regulatory framework through the Digital Operational Resilience Act (DORA), which aims to ensure that all financial system participants can effectively guard against cyber-attacks. DORA’s rules will be fully enforceable from 17 January 2025.
Today, cyber security is no longer solely the responsibility of the IT and Technology team. It is the responsibility of all employees, from entry-level to board-level, to ensure that any form of risk is mitigated.
There are numerous strategies that the asset management and banking industries can utilize to help ensure that cyber security management is both prioritized and best-in-class. We have set out these strategies below:
Risk assessment and management
Conducting regular and comprehensive overall risk assessments is essential in order to identify potential vulnerabilities and threats. Firms must prioritize risks based on their potential impact and likelihood of occurrence and then develop and implement their mitigation strategies accordingly.
Strong authentication and access controls
It is crucial to implement multi-factor authentication (MFA) and strong password policies to control access to sensitive systems and data. The Zero Trust Model and Least Privilege Access are two examples of limiting access privileges based on roles and responsibilities, ensuring that employees only have access to the information necessary for their job functions.
Regular security audits and penetration testing
Firms should conduct regular security audits and penetration testing to identify weaknesses in their systems, networks, and applications. Addressing any vulnerabilities promptly and implementing patches and updates is essential to maintain good cyber security.
Employee training and awareness
Firms are only as strong as their most vulnerable element, which is frequently the employee. Educating employees about cyber security best practices is critical. Training may include how to recognize phishing attempts, the importance of strong passwords, and the risks associated with sharing sensitive information. Desktop training exercises expose users to real-life scenarios and best practices. Cultivating a culture of security awareness throughout the organization is essential.
Incident response planning and testing
It is recommended that firms develop and regularly update an incident response plan that outlines procedures for detecting, responding to, and recovering from cyber security incidents. It is also important to ensure that employees receive training on their specific roles and responsibilities during a security breach. Testing the incident response plan should include detailed procedures for each role to ensure all employees know what actions to take and when.
Vendor management
It is important to examine and monitor third- and fourth-party vendors and service providers to ensure they meet cyber security standards and comply with regulatory requirements. Firms should establish contractual agreements that outline security expectations and responsibilities.
Data encryption and protection
Encrypting sensitive data to protect it from unauthorized access both in transit and at rest is a key element of good cyber security. Firms must ensure that they implement data classification and data loss prevention (DLP) solutions to monitor and control the flow of sensitive information within the organization.
Continuous monitoring and threat intelligence
Implementing advanced security tools and technologies allows for real-time detection of potential network vulnerabilities, as well as monitoring of network traffic, system logs, and user activities. Utilizing threat intelligence feeds keeps firms updated on emerging threats and vulnerabilities.
Regulatory compliance
Staying abreast of relevant regulations and compliance requirements, such as GDPR, DORA, and others applicable to the asset management industry, is essential, along with ensuring that cyber security practices align with regulatory standards and industry best practices.
Executive leadership and governance
Firms should establish clear governance structures and identify senior executives who are responsible for cyber security oversight. It is important to ensure that cyber security initiatives align with business objectives and receive adequate support and resources from executive leadership.
Summary
Albert Chin, Deputy COO and Head of Banking Operations, commented:
“At FundBank, we take our role in the prevention of cyber security attacks extremely seriously and are committed to minimizing risk and ensuring the security of our customers’ information.
We prioritize cyber security through ongoing investment in advanced technologies and rigorous protocols, and our efforts are led by our strong and experienced technology team.”
If you would like to find out more about FundBank and how it is working with its clients to mitigate cyber security risk, please reach out to us today.