Executive summary
As investment managers rely more heavily on technology, their exposure to cyber-attacks continues to rise. Regulators are responding by tightening and updating rules and guidelines to ensure financial sector ICT systems can withstand increasingly sophisticated threats.
There is no universal solution to cyber risk. Each investment manager should tailor its preparation and response to its business model, scale and resources. With that in mind, the Guide sets out the key considerations that investment managers should work through to prepare for, and respond to, cyber threats or operational disruptions, so they can remain effective and trusted stewards of client assets.
The Guide is designed to help those responsible for implementing and overseeing an investment manager’s cyber security programme understand the threat landscape and determine what is most relevant to their business. It distinguishes between foundational security measures and more advanced defensive techniques, helping investment managers choose the level of protection that fits their needs.
It aims to support investment managers as they:
- identify their critical assets and the threats targeting them;
- assess their cyber security objectives in line with their risk tolerance; and
- evaluate whether their governance, policies and procedures are fit for purpose.
AI is rapidly reshaping cyber security, accelerating threat detection and incident response, while simultaneously enabling criminals to launch more personalised, scalable attacks. A new Section 2 examines AI’s growing impact on the cyber domain.
The core of the Guide outlines what is required to build, operate and maintain an effective cyber security programme. Section 3 covers key considerations for an effective cyber security programme, such as executive engagement, regulatory compliance and governance. Sections 4, 5 and 6 address policies, employee-related considerations, threat prevention, threat detection and the choice between in-house and third-party technology solutions.
As with any operational risk framework, the work does not end once the programme is documented and initial training is complete. Section 7 highlights the importance of ongoing cyber programme testing.
Finally, Section 8 explores the evolving threat landscape, profiling different types of attackers and offering real-world examples of the risks investment managers face today.
