16 January 2024
On December 21, 2023, the AMF published the summary of its third campaign of thematic inspections of asset management companies' cybersecurity systems. Since 2019, the authority has sought to examine managers' ability to anticipate and resolve any type of malicious attack on the availability, integrity or confidentiality of hosted data, or against the traceability of actions performed within the information systems, likely to have an impact on their investment funds or mandates they manage, but also on their regulatory obligations and their clients.
Two levels of vigilance are expected. The first concerns the protection of sensitive data entrusted to key IT service providers, including cloud computing service providers. The second concerns any type of interaction, via IT channels and involving sensitive data, that asset management companies may have with other types of partners essential to their activities; in this respect, the AMF refers to depositaries, valuers, custody account-keepers, statutory auditors, business developers and distributors.
This latest inspection of five asset management companies highlighted a number of shortcomings in the cybersecurity measures they should have put in place with partners other than IT service providers. For example, supervisory tools covering employees' use of IT channels to exchange sensitive data with these partners should, in the AMF's view, already have been in use.
In its summary, the AMF also points out the crucial importance of the criteria relating to the robustness of cybersecurity, incident management and business continuity systems during the selection phase (contracting and monitoring) of IT service providers and other partners.
According to the AMF, the outcome of this thematic inspection marks the start of a new era for asset managers. In order to comply with the European DORA[1] regulation, which will come into force on January 17, 2025, they will have to adopt a more proactive approach rather than a purely reactive one. In this respect, management companies are expected to comply with key risk management principles and put in place a solid and balanced system (human and financial resources, technical tools, precise risk mapping, internal procedures, permanent and periodic controls, business continuity plan, etc.), both to analyze and resolve incidents and to prevent and anticipate them as far as possible.
Digital trust, as embodied in internal cybersecurity policies, contracts with IT service providers and other partners, and controls over these partners and service providers, is thus becoming a major issue for asset management companies, which, in the AMF's view, could be subject to repressive action in the future due to a lack of preparation.
[1] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector.