The asset management industry suffers from a lack of expertise and preparedness with regard to cyber security, and is risking “serious harm to its clients” and the wider market, the FCA has warned.
In a multi-firm review of the asset management and wholesale banking sectors, the Financial Conduct Authority (FCA) also found an over-reliance on third-party service providers and a lack of understanding of cyber risk among board- and management-level individuals.
The firms selected varied in size, scale, operating models and geography, with the asset managers polled ranging from £15bn to £500bn in AUM, according to the regulator.
The report found that boards and management committees “have limited familiarity with the specific cyber risks their organisations face”, while “almost all” board members told the FCA “how challenging it was to fully understand and explain the specific risks that their firms face”.
As a result, the FCA found limited understanding of how poor cybersecurity could “affect business activities and lead to harm to clients and the wider markets”.
The FCA explained: “Not all firms appeared to have considered the risk that their firm may be used as conduits to damage other firms or connected infrastructure.
“Nor had they considered the risk that attacks may be motivated by attempts to commit market abuse.
“We saw limited evidence of firms proactively trying to ‘connect the dots’ between cyber and other conduct issues which may occur through cyber channels, such as market abuse and financial crime.”
Many of the firms reviewed blamed this lack of cyber preparedness on their size, low risk profile or “the limited availability of that skillset in the wider independent non-executive director population”, the FCA added.
However, beyond board level, the FCA also found “limited technical cyber-expertise” within the risk and compliance functions.
The regulator said: “All the firms we met said both the limited availability of second line risk and compliance professionals and the shortage of relevant cyber-expertise in the market more broadly was a challenge for them.”
To combat this, many firms have over-relied on third-party service providers, which the FCA warned “could affect [a] firm’s development of its own in-house cyber capabilities and the longer-term abilities of the board to objectively assess their firm’s cyber and control environment”.
The FCA added: “Data and information about products, clients and business services are central to asset management and wholesale banking activities.
“A significant failure by a firm in these sectors to manage cybersecurity effectively could cause serious harm to its clients and to the markets in which it operates.”
This is reproduced from Professional Adviser; all views are from the publication. This originally appeared online on 11 December 2018.