EFAMA updates its key cyber-prevention standards for investment management companies

The European Fund and Asset Management Association (EFAMA), supported by investment fund associations from around the world, has updated its key cyber-prevention standards for investment management companies. This forms part of a global initiative led by the International Investment Association (IIFA).

The update, published on 28 October 2020, is published exactly one year to the day since the original principles were issued.

The six original recommended principles that firms should apply to minimize the likelihood of cyber incidents were:

Establish an overarching cyber-security framework,
Conduct cyber-risk awareness training with company staff,
Have an incident response plan,
Conduct tabletop exercises to “test" such response plans,
Establish and monitor normal network activity, and
Participate in trusted information sharing networks.

The updates are in the form of best practice on:

Business Continuity Planning,
Information Technology Controls,
Inventory and Control of Software & Hardware,
Principle of Least Privilege,
Work From Home Considerations, and
Secure Configuration

Gibraltar's DLT regulation already encourages such best practices so these updates will not be completely new or surprising to practitioners working in financial services in Gibraltar.

The full update can be found here: https://cdn.ymaws.com/iifa.ca/resource/collection/7E6F564B-BA71-4A64-9B05-71FC7434D7F8/IIFA_Additional_Cybersecurity_Program_Basics__October_2020_.pdf

"EFAMA is pleased to support this IIFA initiative. In fact, our Management Companies Regulation and Services Standing Committee identified cybersecurity and operational resilience as priorities, which is why we have decided to set up a dedicated working group on cyber resilience to allow EFAMA to engage actively in upcoming and important policy discussions" - Federico Cupelli, EFAMA Senior Regulatory Policy Advisor.

Aaron Payas, CFA

Head of Investment Funds, Partner