FCA regulation on cyber security and asset management firms
June 1, 2015 - Regulatory Updates
In 2014 cyber security attacks on government establishments and private businesses made headlines. Given the kind of technology that hackers have access to, it is highly unlikely that the frequency of these attacks will see a downward trend. These attacks will not only gain momentum in 2015 but will also become more destructive. To safeguard industries and government organisations against cybercrime, the Financial Conduct Authority (FCA) has introduced stringent regulations. Cyber security firms in particular will have to follow these rules strictly to ensure that their clients’ intellectual and financial assets stay intact.
Along with cyber security firms, the FCA has identified the asset management industry as highly vulnerable in terms of financial crime. The UK’s asset management industry is worth £5tn; however, it is not doing enough to prevent insider trading and market abuse. In a survey conducted by the FCA, it found that only a small number of companies had comprehensive controls in place against market abuse. This situation calls for strong regulations from the watchdog.
Regulations for cyber security firms
It is mandatory for all the companies regulated by the watchdog to comply with the FCA Handbook. The Handbook is a comprehensive document that requires the regulated companies and organisations to establish and maintain systems and controls that help them to meet regulatory standards.
All regulated cyber security companies should have firm, written policies and procedures covering all aspects of “best practice”. These policies should be updated regularly to reflect regulatory changes. In addition, companies should adopt a recognised cyber security standard such as the NIST framework or ISO 27001.
Regulated firms should document their efforts to train employees on information security, phishing, passwords and similar topics. Additionally, the company should carry out comprehensive due diligence exercises covering counterparties, such as reviewing the security policies and measures of third-party providers.
Cyber security providers should document the actions the company takes to detect, log and respond to unauthorised cyber-related activity. They are also required to have a fully documented IT security policy which, among other things, should cover the handling of former employees who leave the company with passwords or network privileges. For a data breach or other cyber-attack, companies should have a documented cybersecurity incident response plan. This plan should categorically specify the person responsible for executing it.
Where third-party providers or overseas vendors are involved, the company should specify the person responsible for the response plan.
Regulations for asset management firms
The FCA has decided to adopt stricter norms for asset managers and firms, not to curtail their growth but to stop the siphoning of funds and money laundering. The regulator has observed that asset management firms are good at identifying formal inside information: they put good controls in place when investment banks “wall cross” fund managers. However, these companies are less vigilant about more casual soundings of their employees on potential deals.
The regulator is of the view that asset managers should pay attention to the possibility of receiving inside information through all channels of the investment process and mitigate this risk effectively. The FCA has noticed that only a few asset management firms have effective controls for post-trade surveillance, which needs to improve.
The FCA’s regulations on cyber security and asset management firms may seem a bit harsh at first; however, they should prove to be a boon for these industries in the longer run, because they will save billions of pounds by preventing cybercrime and money laundering.