The AMF publishes summary of third thematic inspection of asset management companies' cybersecurity systems
21 December 2023


Cybersecurity is one of the main topics identified by the AMF within its risk mapping. With a view to implementing the European Digital Operational Resilience Act (DORA) and in line with its risk mapping, the AMF has examined the cyber risk supervision systems of five institutions in the light of their relationships with their main IT service providers and partners. It encourages asset management companies to strengthen these systems and take a more proactive approach to address this type of risk.

After two initial exercises, the findings of which were published in 2019 and 2021, the AMF conducted a new series of short thematic inspections (SPOT) to analyse the cyber risk management practices of five new medium-sized asset management companies. This risk is defined as the result of a potential malicious attack on the availability, integrity or confidentiality of hosted data, or against the traceability of actions performed within the information systems of the establishments on the panel. The AMF focused its analysis on the services provided by key IT providers, particularly those providing cloud computing services. It also looked at the IT channels used for exchanging sensitive data with the other partners of the companies in the panel, i.e. depositaries, funds valuers, custodian-account keepers, statutory auditors, business developers and distributors.

The AMF focused on:

  • the organisation and governance of cybersecurity, as well as the associated procedures;
  • the selection and contracting process with IT service providers and partners;
  • the overall control system.

In its summary document, the AMF notes that most of the asset management companies audited have drawn up an exhaustive map of their sensitive IT service providers, including an assessment of the level of risk for each of them. However, this mapping exercise was not carried out identically for the other partners. As a result, asset management companies do not set up all the necessary supervisory tools to ensure that their employees systematically use the appropriate IT communication channels depending on the level of sensitivity of the data exchanged.

The AMF also notes that insufficient account is taken of criteria relating to the robustness of cybersecurity, incident management and business continuity systems associated with the services provided, when selecting and contracting with IT service providers and other partners. However, the asset management companies on the panel carry out a posteriori controls targeting the effectiveness of these systems. These controls take the form of checks carried out by users and ongoing or periodic checks, the latter of which may include technical tests.

This new SPOT inspection campaign has revealed the persistence of several standard anomalies. In addition, the entities examined have adopted a more reactive than proactive approach to the cyber risks associated with outsourced services. This is not consistent with the approach advocated by the European DORA (Digital Operational Resilience Act) regulation, which will apply from 17 January 2025 and includes key principles for managing the risks associated with IT service providers. DORA proposes a balance between reactive measures (incident analysis mechanism, business continuity strategy) and proactive ones (preliminary cyber risk assessment and mapping, development of an information security policy).

This third series of inspections marks the end of the educational phase that the AMF began in 2019 on cyber risks. If they were to persist in the future, the weaknesses outlined in this and the previous two summaries could justify the launch of law enforcement action.


About the AMF

The AMF is an independent public authority responsible for ensuring that savings invested in financial products are protected and that investors are provided with adequate information. The AMF also supervises the orderly operations of markets. Visit our website https://www.amf-france.org/en

AMF Communications Directorate