On 10.11.2022, FINMA published its 2022 Risk Monitor. It provides an overview of what FINMA believes are the most important risks that supervised institutions are facing today. Alongside interest rate risk, credit risk, market risk, AML, and market access to Europe, one of the key risks is cyber risk.
We would like to share with you the top 4 internal controls regarding cyber risks that you have to have in place as an asset manager, no matter whether you are operating under the direct supervision of FINMA or are subject to supervision by a supervisory organization (SO).
Control 1: Annual IT-Risk-Self-Assessment
At least annually, ensure that the person(s) responsible for IT carry out an IT-Risk-Self-Assessment. Ideally, this is required by your IT-Security Policy. The assessment should be carried out with a standardized questionnaire so that changes (improvements) can be tracked over time. After completion, ensure that the results are discussed with top management and that action plans are developed and implemented in due time.
Be aware that this also applies if you have outsourced your IT or any other services completely or partially. With respect to outsourced activities: make sure you periodically review the IT-Security-Setup of your external partners. Their security issues might become yours very quickly. The best way to cover this task is to initiate a separate control covering your outsourcing risks (on-boarding, instructing / reviewing / monitoring, and off-boarding of outsourcing partners).
Control 2: Annual Disaster-Recovery Test
At least once a year, ensure you actually carry out at least one properly designed and carefully planned disaster-recovery test (your BIA can give you hints on what to look out for or what to test), with a complete protocol of events, findings and actions to be taken. Disaster-Recovery Plans look nice on paper, but can prove to be very useful.
Control 3: Review of IT-Security Policy
At least annually, you should review your IT-Security Policy and take into account any findings from your IT-Risk-Self-Assessment and your Disaster-Recovery Test. Set an expiry date for all your policies. This forces you to review and reapprove them.
Control 4: Cyber Risk Awareness and Training
At least every 6 months, ensure all your staff undergo an IT-Security awareness/training session. In general, the weakest link in your IT-Security-Setup is the human. Walk your team through your IT-Security Policy, elaborate on past incidents, and tell them how to report incidents and how to act if in doubt. Instead of the HR Department, identify an expert to carry out these sessions.
Also, make sure all your employees, in particular your executives, are fully aware of the “FINMA Guidance 05/2020” (Duty to report cyber-attacks pursuant to Article 29 para. 2).
In case you have outsourced your IT or any other services, ensure your outsourcing partners are aware of this FINMA guidance and fully understand its implications. It’s your duty to properly instruct them.
These four controls cover the basics. They are a good starting point for more elaborate, possibly more technical and process-oriented controls further down the line.