Originally published by Thomson Reuters © Thomson Reuters
By Siân Dalrymple, Chief Risk Officer, and Ben Le Lay, Group Information Security Officer, at Crestbridge.
Widespread digitalisation has made cyber security a top concern for businesses across all industries. Investment funds, in particular, are at a heightened risk of cyber-attacks due to the sensitive financial data they hold. Protecting this data from cyber threats has become a priority for regulators.
Cyber-security threats include hacking, phishing, ransomware attacks or insider threats, but the exact methods used to target investment funds are diverse and constantly evolving. Investment funds that hold large amounts of financial data are attractive targets for hackers seeking financial gain. Phishing attacks, where criminals trick individuals into providing personal information, can be used to gain access to investment fund accounts.
Ransomware attacks, where criminals encrypt files and demand payment for their release, have become increasingly common in recent years. Business email compromise has also become more common, with criminals using a compromised mailbox to conduct fraudulent activity. Much of this activity consists of attempts by hackers to gather enough information about the fund to then extract a monetary advantage.
Regulations and compliance standards
Regulators worldwide have recognised the importance of cyber security and have implemented a wide range of regulations and compliance standards for investment funds. The UK Fraud Act 2006 still applies, as does the Data Protection Act 2018. The Computer Misuse Act 1990 in the UK, Cybercrime (Jersey) Law 2019, and in the United States the 2021 State & Local Government Cybersecurity Act, are also worth noting. The latter is designed to improve coordination between states and federal agencies.
The U.S. Office of Foreign Assets Control (OFAC) is also making it harder for firms to pay hackers after ransomware attacks. There is evidence to suggest that even if hackers are paid to “release” the data they hold to ransom, that information may already have been sold on or shared with other criminals. The UK Information Commissioner’s Office (ICO) is looking at extending its policies to seek recovery under the UK Proceeds of Crime Act 2002.
Protecting sensitive information
Recent cyber-security incidents in the investment funds industry have highlighted the need for effective cyber-security measures. Tesco Bank was fined £16.4 million by the FCA in October 2018 for failures in exercising due skill, care and diligence in protecting personal current account holders against a cyber attack. The attack happened in November 2016. There are many examples of data breaches and fines from the ICO or jurisdictional equivalent, some of which arose from cyber attacks.
The UK Financial Conduct Authority (FCA) has made it clear that “we expect you to be able to protect the sensitive information you hold”, a stance echoed by regulators worldwide. With expectations set, firms must now ensure they are capable of defending themselves against cyber-attacks.
The UK FCA suggests, as a general guide, that the foundations of effective cyber-security management start with identifying the information firms hold and understanding why that information is held and whether it is sensitive. Firms must then review who has access to it, and encrypt the data classified as sensitive. The FCA also advises basic maintenance of systems (keeping software up-to-date and fully patched), proper network configuration (setting systems up to prevent unauthorised access), and maintaining user and device credentials (two-factor authentication, strong passwords and good password controls).
Disaster recovery, as part of firms’ operational resilience programmes, is also critical, which means backing up critical systems using immutable back-up systems and regularly testing back-up recovery processes to ensure that services can be restored in the event of an attack. Gaining recognised cyber-security accreditation, such as Cyber Essentials, can also improve the security of the organisation.
The FCA publishes observations from its Cyber Coordination Group and highlights three areas of focus: cyber threats and emerging trends; board engagement and cyber security; and development, security and operations.
Firms must also comply with new operational resilience rules, which came into force on March 31, 2022. The FCA defines operational resilience as “the ability of firms, financial market infrastructures and the financial sector as a whole to prevent, adapt and respond to, recover and learn from operational disruption”. These rules apply to a wide range of financial firms, including banks, insurers, investment firms and payment services providers.
Firms must identify their important business services, set impact tolerances for maximum disruption to these services, map and test their operational resilience and invest in their ability to operate within their impact tolerance. They must also develop internal and external communications plans for when important business services are disrupted and prepare self-assessment documentation.
The FCA’s new requirements build on its existing Operational Resilience Framework, which defines industry practices aligned with its rules and expectations. Financial firms in the UK have until March 31, 2025, to fully comply with the new rules. Other jurisdictions may have different timelines.
Financial firms in the UK are required to report material operational incidents to the FCA in an open and cooperative way under Principle 11 of the FCA’s Principles for Businesses and additional rules set out in SUP 15.3. Regulators in Jersey, the United States and Europe have put similar requirements in place. Conducting business activities in an appropriate manner, in line with regulatory requirements including exercising due skill, care, and diligence, is a vital element of firms’ authorisation.
Regulators are likely to expect firms to report incidents that result in a significant loss of data, unavailability or control of IT systems, affect a large number of customers, or result in unauthorised access to information systems. If firms consider an incident to be material, they should report it through the usual channels.
In the UK, dual-regulated firms should also inform the Prudential Regulation Authority (PRA). Cyber attacks usually lead to a loss of data, including sensitive data, and this means that financial services firms must also report such matters to the ICO or local equivalent within the designated timeline (usually 72 hours).
If the hackers have been successful in perpetrating a fraud or have attempted a fraud, firms may need to report incidents to other entities such as Action Fraud or the local police. In the UK, sharing details of the incident on the National Cyber Security Centre (NCSC)-managed Cyber Security Information Sharing Partnership (CiSP) platform can also help other firms combat cyber crime.
Incidentally, the FCA, along with the Bank of England and PRA, published a discussion paper in 2022 seeking views on how to oversee the resilience of services provided by third parties, upon which many financial firms rely. The discussion paper contained a section on cyber-resilience testing. It closed to submissions in December 2022 and next steps are subject to the outcome of parliamentary debates on the Financial Services and Markets Bill.
After considering responses to the discussion paper, the FCA plans to consult on its proposed requirements and expectations for critical third parties in 2023.
While there are similarities in the cyber-security regulations across the UK, Europe and the United States, there are also differences in approach. For example, the UK and Europe have implemented the General Data Protection Regulation (GDPR) through jurisdictional data protection acts which focus on the protection of personal data.
The United States does not yet have a similar regulation in place (although it is moving in that direction), but has issued guidance on cyber-security risk management. Meanwhile, the UK and EU regulatory landscapes are likely to diverge further over time.
Fund managers may therefore face challenges in complying with regulations across multiple jurisdictions. By implementing a comprehensive cyber-security risk management programme that meets the requirements of all relevant regulations, however, fund managers can streamline compliance across multiple funds and jurisdictions. The frameworks published by the National Institute of Standards and Technology (NIST) and the NCSC Cyber Assessment Framework (CAF) provide excellent starting points.
Effective cyber-security risk management is crucial to protecting investments in the funds industry. Investment funds must be aware of the cyber-security regulations and compliance standards applicable to their jurisdiction and implement effective measures to identify and manage cyber-security risks. By doing so, they can safeguard their clients’ financial data and protect their investments from loss or cyber threats.