As players in a globalised and technologically driven financial services industry, asset management companies face cyber-security risks on a daily basis. Cyber-attacks aim mainly at obtaining, or restricting access to, sensitive data related to clients and/or to portfolio construction and composition, trading and risk management, among other asset management functions. Recognising the global, pervasive and ever-changing nature of such threats, asset management companies have responded by adopting a variety of preventive measures to protect their clients, as well as their own business and reputation. These are modelled on existing and independent international standards for information security (particularly NIST, COBIT and the ISO/IEC 27000 family of standards) and are furthermore recognised and supported by the supervisory community of IOSCO as a whole. We believe it is therefore of paramount importance that such international standards be recognised ex ante and serve as a blueprint for the Commission’s cross-cutting legislative review where relevant.
From this important preamble, our response develops EFAMA’s views for each of the five main sections of the Commission’s questionnaire, as follows:
- On ICT and security requirements, we reiterate the importance of existing cyber-security standards and caution the Commission against too rigid or prescriptive legislative solutions, which could ultimately also fragment global markets and harm the European asset management industry from a competitiveness standpoint;
- On ICT and security incident reporting requirements, EFAMA supports the development of a harmonised reporting template for individual companies to report incidents to their competent national cyber-security authorities. The latter should be the exclusive recipients of such information, in view of their technical expertise and confidential communication channels offered. With incidents being reported more consistently as a result, these specialised authorities should be encouraged in turn to present our broader industry with cyber-intelligence threat updates in view of improving prevention and detection;
- On digital operational resilience testing frameworks, we believe that sufficient resilience testing frameworks already exist in the form of requirements stemming from the aforementioned global standards. As a necessity, resilience testing in the form of “table-top” exercises must involve one or more (depending on core business location) competent national cyber-security authorities. The involvement of other public bodies should be strictly conditioned by their expertise and supervisory remit over asset management companies. In this regard, we strongly caution the Commission against entrusting the design and conduct of cyber-testing frameworks for our industry to pan-EU bank or macroprudential supervisors (i.e. ECB/SSM and ESRB);
- On addressing third party risks and their oversight, EFAMA is supportive of the Commission’s approach to proceed through a general set of principles to orient financial market players when selecting third party service providers. Again, existing global standards (e.g. the ISO/IEC 27000 family) should serve as a model. In addition, we invite the Commission to consider a basic form of certification to be recommended for a category of third parties that the contracting company deems “critical” to its business. Typically these are providers with a dominant market position for their services, wielding unique technical expertise and significant pricing power. Experience has revealed instances where such companies have refused to be audited by their contracting clients (including asset management companies), rendering an ex ante and ongoing assessment of their cyber defences difficult, if not impossible. Our considerations also extend to potential business disruptions (e.g. in the form of sudden data cut-offs);
- Finally, on other areas where EU action may be needed, we favour the development of initiatives to foster more cyber-threat intelligence sharing among industry peers, as well as the gradual development of cyber-insurance policies.