Cyber and Technology

Overview:

Cyber risk continues to dominate the headlines, placing security issues at the top of the agendas of both businesses and regulators. Alongside the benefits of technological developments, investment managers are faced with a host of new and evolving cyber security threats. Enhancing cyber security and operational resilience plans at organisations is an important focus for regulators globally. 

Current work: 

On 11 April, AIMA filed its response to the SEC's proposed new rules on cyber security, affecting registered investment advisers, registered investment companies and business development companies. The proposed rules would require written cyber security policies and procedures, reporting of significant cyber incidents to the SEC, enhanced public disclosures regarding cyber incidents and risks, fund board approval of the fund's policies and procedures, and specific recordkeeping. AIMA prepared a more detailed summary of this proposed rule which is available here.

The European Commission published a draft regulation on digital operational resilience for the financial sector (DORA). It aims to enable a comprehensive framework at EU level with consistent rules addressing the digital operational resilience needs of all regulated financial entities and establishing an oversight framework for critical ICT third-party providers. The Commission's proposal is currently being scrutinised by the European Parliament and Council.

The Central Bank of Ireland (CBI) published cross-industry guidance on operational resilience. The guidance confirms that a firm should have ICT and cyber resilience strategies that are integral to the operational resilience of its critical or important business services.

The UK Financial Conduct Authority (FCA) published new rules designed to increase and enhance firms' operational resilience. The FCA considers that cyber resilience is complementary to operational resilience outcomes and requires firms to take a holistic approach to their overall resilience. The FCA's rules and guidance came into force on 31 March 2022.

AIMA updated its Guide to Sound Practices for Cyber Security, published in March 2022. The Guide sets out principles that investment managers should consider when developing a cybersecurity programme as part of their overall compliance and operations.

Upcoming actions:

31 December 2022: ESMA guidelines apply to any cloud outsourcing arrangement entered into prior to 31 July 2021.

2023/2024: the EU's Digital Operational Resilience Act (DORA) is expected to come into effect.

(Last updated: 25 April 2022)
Other related workstreams

Outsourcing

The increasing use of outsourcing by regulated entities is of growing importance to a number of supervisory authorities.

Operational Resilience

Operational resilience is expected to be a key regulatory focus over the coming years. The aim of regulators is to bring about change in how the finance industry thinks about operational resilience in order to build a more resilient financial system.