James Delaney, Director, AIMA

As is customary every winter, the health authorities initiate a new flu vaccination marketing campaign.  This year’s campaign will be the biggest ever, with 25 million people being offered free vaccines.  It also provides a means for health authorities to monitor and cross-check their data.

It’s clear that many similarities can be drawn with cyber security if you switch health monitoring with cyber security intelligence, and flu with cyber threats such as phishing and ransomware.

With ever-increasing digitalisation the odds of an epidemic are on the rise and in the same way that viruses are constantly mutating, cyber threats are always developing and becoming ever more sophisticated.

It is little wonder that cyber risk is a growing concern for institutions, individuals and financial markets.

We have seen a number of large-scale cyber attacks in recent years including the WannaCry attack, when ransomware infected over 230,000 systems in more than 150 countries, and the NotPetya malware outbreak which impacted tens of thousands of victims across 65 different countries.

Last year, a major UK financial institution was fined more than £16 million by the UK financial regulator for failings surrounding a cyber attack on its clients.  And, a couple of months ago the U.S. CFTC fined a U.S. brokerage firm $1.5 million for letting cyber attackers breach the firm’s email systems and withdraw funds from a client account.

In recent years, cyber security has increasingly become the top global risk for business, with regulators and policy-makers also paying increased attention to financial institutions’ cyber security planning.

It’s therefore not surprising that both Conservatives and Labour parties’ election manifestos released last week acknowledge that cyber crime and cyber warfare are growing all around the world, recognising the need for government to invest more in cyber security.  This has resulted in respective party proposals to set up a “national cyber crime force” and adopt a “national strategy on cyber crime”.

Last week, one of the EU’s financial supervisory authorities issued guidelines on IT and security risk management to highlight how financial institutions should manage ICT risks, strengthening the governance and defining the appropriate controls to mitigate the business impact on company information of the identified risks.

Moreover, in the World Economic Forum’s recent risk landscape, the vast majority of industry respondents expected the risk of cyber attacks leading to theft of money and data to increase this year, with 80% believing they would disrupt operations.

With all this in mind, AIMA has published the latest edition of its Guide to Sound Practices for Cyber Security.  This guide draws together insights from chief information security officers and cyber security practitioners on cyber risk and resilience measures in the asset management industry.

The guide sets out principles that investment managers should consider when developing a cyber security programme as part of its overall compliance and operations.  Key topics include cloud technology, new cyber attack threats, and an update to the various elements of developing an effective cyber security programme.

As cyber security increasingly becomes the top business priority globally, investment managers should actively prepare for all possible threats and stay on the front foot against future cyber attacks.

Members can access the full guide here, while the executive summary of the guide is linked here.

We would like to extend our thanks to Allen & Overy for sponsoring this guide.  Thank you also to our working group members for all of their insights and support.