Cyber and Technology

Overview:

Cyber risk continues to dominate the headlines, placing security issues at the top of businesses' and regulatory authorities' agendas. Alongside the benefits of technological developments, investment managers are faced with a host of new and evolving cyber security threats. Enhancing cyber security and operational resilience plans at organisations is an important focus for regulators globally.

Current work: 

The European Commission has published a draft regulation on digital operational resilience for the financial sector (DORA). It aims to enable a comprehensive framework at EU level with consistent rules addressing the digital operational resilience needs of all regulated financial entities and establishing an oversight framework for critical ICT third-party providers. The Commission's proposal is currently being scrutinised by the European Parliament and Council.

The Central Bank of Ireland (CBI) has published cross industry guidance on operational resilience. The guidance confirms that a firm should have ICT and Cyber Resilience strategies that are integral to the operational resilience of its critical or important business services.

The UK Financial Conduct Authority (FCA) has published new rules designed to increase and enhance firms’ operational resilience. The FCA consider that cyber resilience is complementary to operational resilience outcomes and require firms to take a holistic approach to their overall resilience. The FCA's rules and guidance will come into force on 31 March 2022.

The U.S. Securities and Exchange Commission (SEC) staff are developing a proposal for the Commission’s consideration on cybersecurity risk governance, which could address issues such as cyber hygiene and incident reporting.

AIMA is updating its Guide to Sound Practices for Cyber Security, due to be released in Q1 2022. The Guide sets out principles that investment managers should consider when developing a cybersecurity programme as part of their overall compliance and operations.

AIMA serves as the global voice of the alternative investment management industry in the digital assets space. AIMA’s work in digital assets is overseen by our global Digital Assets Working Group (AIMA DAWG).

Upcoming actions:

Q1 2022, AIMA to release latest Guide to Sound Practices for Cyber Security.

31 March 2022, FCA rules on operational resilience will come into force.

31 December 2022, ESMA guidelines apply to any cloud outsourcing arrangement entered into prior to 31 July 2021.

2023, EU's Digital Operational Resilience Act (DORA) is expected to come into effect.

(Last updated: 1 December 2021)
Other related workstreams

Outsourcing

The increasing use of outsourcing by regulated entities is of growing importance to a number of supervisory authorities. ESMA guidelines on cloud outsourcing came into force on 31 July 2021. The CBI has issued a consultation paper on draft new outsourcing guidelines.

Operational Resilience

Operational resilience is expected to be a key regulatory focus over the coming years. The aim of regulators is to bring about change in how the finance industry thinks about operational resilience in order to build a more resilient financial system. The European Commission has published a proposal for a regulation on digital operational resilience (DORA). The UK regulators' new rules relating to operational resilience will come into force on 31 March 2022.