Cyber-crime is becoming more prevalent as firms in all sectors rely increasingly on information technology. A report issued by security firm Gemalto[i] revealed that a record 1 billion data records were compromised worldwide in 2014.
The investment funds industry is not immune to the risk of cyber-crime. Recent examples have included attacks on the identity of funds: potential investors were misled by fraudulent websites which copied the identity of legitimate investment funds and duped them into transferring subscription monies electronically.
The CBI[ii] identified cyber security and operational risk as one of its key thematic review inspection areas for 2015. Such inspections examine the policies, procedures, oversight, access controls and testing of the systems that financial services firms use to reduce cyber security risks.
The CBI's approach is consistent with the stance taken by other key global financial services regulators. The SEC[iii] has recently issued guidance on this topic and, in the UK, the FCA[iv] has assisted with the launch of a cyber security framework. The UK framework facilitates the sharing of threat intelligence, the testing of cyber security and the benchmarking of financial services providers.
Protection against Cyber-Crime
Investment funds, including UCITS and AIFs, need to be cognisant of the extensive financial and reputational impact of a cyber-attack. The CBI has highlighted that it is the responsibility of a fund's board, and not just the IT department, to ensure that robust cyber security measures and controls are implemented to mitigate those risks.
On July 15th 2015, the CBI issued a notice to the CEOs of fund service providers highlighting the importance of robust operational procedures to assist in the detection and prevention of fraud and cyber-crime.
On September 23rd 2015, the CBI issued a cyber security best practice guide addressed to investment firms, fund service providers and stockbrokers. Although the precise wording of the best practice guide is not specific to the funds industry, the measures are in many instances relevant to investment funds. A summary of the main measures is as follows:
- The board should drive a culture of security throughout the firm.
- Companies should ensure staff members receive adequate training in relation to cyber security.
- Cyber security should be an agenda item at all board meetings.
- The board should be satisfied that robust procedures exist to meet the company's cyber security needs.
- A reporting line to the board should be established for cyber security risk incidents.
- The board should appoint a Chief Information Officer who is accountable for cyber security or, at the very least, an appropriately trained board member should be assigned responsibility for cyber security.
- The company should have contingency plans in place for scenarios where systems are breached.
- Where a company is requested to make a payment to a third party bank account, client verification and compliance with anti-money laundering obligations are required.
- To increase awareness of vulnerabilities, companies should engage the services of an external specialist to carry out periodic penetration testing of their systems, at least annually.
- Companies should also satisfy themselves as to the robustness of the cyber security policies of any third parties/vendors they rely on.
- Companies should report any successful breach of their systems to the CBI.
- Companies should ensure that they are kept up to date on current cyber security threats.
It is anticipated that investment funds will consider these recommendations when determining appropriate cyber security controls, both at the fund level and at their service providers.
How can KB Associates Assist?
KB Associates offers a range of services to investment funds including UCITS/AIF operational support, UCITS/AIF management company services, service provider selection, the provision of directors, MLRO[v] services and company secretarial services.
If you would like to discuss any issues raised in this article or related to KB Associates’ services in general, please feel free to contact Mike Kirby (+353 1 667 1980), Peter Northcott (+44 203 170 8813) or Mike Parton (+1 345 946 4224).
[i] Gemalto 2014 Breach Level Index Report
[ii] Central Bank of Ireland
[iii] Securities and Exchange Commission
[iv] Financial Conduct Authority
[v] Money Laundering Reporting Officer