Our latest Funds and asset management regulatory news complements our General regulatory news, which covers regulatory developments with broader application.
COVID-19: EFAMA updates cyber-prevention standards for investment management companies
The European Fund and Asset Management Association (EFAMA) has published a document updating the International Investment Funds Association's (IIFA) Cybersecurity Program Basics document, which was first published in October 2019.
The original document set out key cyber-prevention standards for investment management companies and is intended to help define commonly shared principles that firms should apply to minimise the likelihood of cyber incidents. These principles cover the need to establish an overarching cybersecurity framework, conduct cyber-risk awareness training with company staff, have an incident response plan, conduct tabletop exercises to test response plans, establish and monitor normal network activity, and participate in trusted information sharing networks.
The new document updates the core principles in the context of COVID-19. It takes the form of best practices relating to business continuity planning, information technology controls, inventory and control of software and hardware, the principle of least privilege, work from home considerations and secure configuration.
Both documents include useful links to publicly available resources that firms can refer to when setting up these measures.
EFAMA believes that the documents will be of particular added value to small-sized investment management companies lacking the resources needed to fully meet the more demanding international standards (including those of the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO)).
EFAMA also announces that it is setting up a dedicated working group on cyber resilience to allow it to engage actively in future policy discussions, including the European Commission's recent legislative proposal on digital operational resilience.