Updated Cyber Security Program Basics for investment management companies

As part of a global initiative led by the International Investment Funds Association (IIFA) and supported by investment fund associations from around the world, EFAMA is glad to present the 2020 updates to the 'IIFA Cybersecurity Program Basics', a document that lays out the key cyber-prevention standards for investment management companies. The commonly-shared principles that firms should apply in order to minimize the likelihood of cyber incidents were originally launched on this day last year. These six principles are recommended to any firm looking to adopt cyber-hygiene standards, or improve their existing ones:

1. Establish an overarching cyber-security framework
2. Conduct cyber-risk awareness trainings with company staff
3. Have an incident response plan
4. Conduct tabletop exercises to test" such response plan
5. Establish and monitor normal network activity
6. Participate in trusted information sharing networks.

In light of the concerns raised by the Covid-19 global pandemic in the course of 2020, the IIFA's Cybersecurity Working Committee today presents the following updates to the above core principles in the form of best practices:

1. Business Continuity Planning
2. Information Technology Controls
3. Inventory and Control of Software & Hardware
4. Principle of Least Privilege
5. Work From Home Considerations
6. Secure Configuration

The document includes useful links to publicly available resources that firms can refer to when implementing the above best practices.

EFAMA believes this document will be of particular added-value to small-sized investment management companies, as they may lack the resources needed to fully meet the more demanding international standards (e.g. ISO, NIST, CPMI-IOSCO).

This initiative is complementary to a number of other cyber-security initiatives undertaken by EFAMA under the aegis of the International Organization of Securities Commissions (IOSCO), including the IOSCO AMCC 2020 Global Cybersecurity Asset Management Survey.

EFAMA is pleased to support this IIFA initiative. In fact, our Management Companies Regulation and Services Standing Committee identified cybersecurity and operational resilience as priorities, which is why we have decided to set up a dedicated working group on cyber resilience to allow EFAMA to engage actively in upcoming and important policy discussions, such as the European Commission's recent proposal for a Regulation on digital operational resilience and amending Directive as part of its Digital Finance Strategy for the EU ", commented Federico Cupelli, EFAMA Senior Regulatory Policy Advisor.