The AMF publishes the results of a new series of thematic inspections of the cybersecurity systems and processes of asset management companies

After an initial exercise, which conclusions were published in December 2019, the AMF has examined the systems and processes put in place by six other institutions, backed by intrusion tests. Good practices and points to watch have been identified into a summary document.

As part of a new series of thematic short inspections (SPOT), the AMF analysed the operational practices of five mid-sized asset management companies in order to address the risk of malicious attack on the availability, integrity, confidentiality and traceability of their information systems. Its findings have been enhanced with observations from a standard inspection performed upon a sixth asset management company, specialised in private equity.

The regulator's main points of attention targeted:

• organisation and governance of cybersecurity systems and processes;
• coordination of sensitive IT service providers;
• cybersecurity incidents management;
• supervision of processes for remote access to the information system.

The study period from 2017 to 2020 enabled the analysis of the cyber-risk management system put in place during the first lockdown, including the activation of business continuity plans as well as the enhanced supervision of employees' remote connections process. Furthermore, the AMF completed its examination with intrusion tests delegated to a service provider accredited by the French national cybersecurity agency, ANSSI.

In its summary, the AMF observes that asset management companies have reinforced their cybersecurity organisation and governance. Among the good practices noted appear the appointment of a dedicated manager from the executive committee to handle cybersecurity topics, the implementation of regular awareness-raising campaigns for employees, and the inclusion of cyber risks into risk mapping and control plans.

However, progressive cybersecurity strategy formalization, already observed in 2019, remains incomplete due to non-prioritization of sensitive data / critical systems classification and mapping. Furthermore, regarding the raising volume and sophistication of cyberattacks observed by the AMF, the management and control of interactions between asset management companies and their external IT service providers must remain a priority when defining security measures.

About the AMF
The AMF is an independent public authority responsible for ensuring that savings invested in financial products are protected and that investors are provided with adequate information. The AMF also supervises the orderly operations of markets.Visit our website https://www.amf-france.org

• Summary of SPOT inspections on cybersecurity systems of asset management companies No. 2