Irish fund boards are putting plans in place to ensure they can deal with both internal and external cyber security breaches.
Following the publication of best industry practices last year, boards have taken several measures to make sure they can manage and mitigate the risk of cyber attacks.
In September 2015 the Central Bank of Ireland sent a letter to the fund industry, issuing guidance on cyber security policies and governance.
The central bank’s guidelines put cyber security “front and centre” in the suite of fund board governance activities, where historically it would not have been a key focus, says Oisin McClenaghan, a partner at law firm Matheson in Dublin.
The letter has spurred fund boards to adopt their own policies and review the policies of their partners, such as investment managers, custodians and, depending on the corporate structure of the fund, distributors.
Mr McClenaghan says: “[In the past few months] fund boards have been receiving presentations from their various service providers, administrators, custodians, depositaries [and] investment managers on their own internal cyber security policies.”
Cyber security is becoming a standing item on the fund board’s agenda, while directors are also asking for cyber security breaches or attempts to be brought to their attention in periodic reports rather than on an annual basis, which was the case previously.
“Many [fund] boards are insisting on a short paragraph disclosure giving [it] an update on cyber security issues,” says Mr McClenaghan.
Rowena Fitzgerald, partner at Mason Hayes & Curran, says the law firm has seen a “marked increase” in requests from all corners of the fund industry for cyber security advice, thanks in large part to the central bank’s intervention.
However, “imminent changes” to EU privacy legislation, including the General Data Protection Regulation, and legal action following data breaches are also contributing to the mix, she says.
“Board attention to this topic is high and we don’t expect that upward trend to cease anytime soon, particularly in light of the central bank’s letter,” she adds.
The letter means that all firms including fund managers are expected to have in place cyber security policies with appropriate oversight, says Ms Fitzgerald.
“This has meant that fund managers are devoting more resources and attention to cyber security as a risk to their business and their customers,” she says.
Ms Fitzgerald adds that fund managers must be able to show how they document, deal with and mitigate cyber security risks to their businesses.
Colin Tankard, managing director of data security specialist Digital Pathways, says there has been “a weakness internally around governance and reporting into governance”, which has “raised its head over the past eight to 10 months”.
“What we see is that the governance people within organisations are being exposed now,” he says.
“Organisations that trade on instant decisions have [not] put effective controls in place because they see security, a lot of the time, as a speed bump for doing business.”
This also explains why those in charge of governance are kept “in the dark when things go wrong”, he says. “We see that time and time again,” says Mr Tankard.
Alongside weak spots around governance Mr Tankard also warns that the nature of attacks is changing.
“[We are] seeing attacks increasing on mobile phone or end point much more. A lot of organisations are not really addressing that,” he says.
“The boundaries of company networks are so fragmented, so open, that the old traditional protections in place aren’t any good any more,” says Mr Tankard.
However, upcoming data security regulations, such as the UK regulator’s directive for recording calls and the EU’s GDPR, are expected to put “more controls on”, he says.
He says: “Companies need to go broader. I think that’s what a lot of these directives are talking about – just having verification, questioning and challenging internal organisations and resources.”
Consultancy firm PwC recently warned that asset and wealth managers need to make cyber security a priority as it lags behind other segments of the financial services industry.
The PwC and Confederation of British Industry financial services survey says investment managers are falling short when it comes to penetration testing, incident response mechanism testing and collaboration with partners against cyber threats.