Global regulators IOSCO illustrate Asset-Manager Cyber Risk

A recent report by the International Organization of Securities Commissions (IOSCO) illustrated an asset manager's cybersecurity risk assessment with a table of real-world threats. The table highlighted the main potential cyber security risks for asset managers and rated each by its level of impact on the firm.

Practically speaking, IOSCO's highlighted threats and approach can be adopted and used by asset managers of any size and may be the best means to evaluate and evidence a firm's cyber risk. 

A table or matrix may already be in use for other aspects of compliance; however, this example may urge firms to incorporate cyber security into it as well. It would be prudent for asset managers and investment advisers to take notice of the approach and review IOSCO's report.

Guidance

The IOSCO report was a coordinated effort, bringing together insights and perspectives from IOSCO’s various policies, stakeholders and regional committees on the topic of cyber resilience. 

The report, 'Cyber Security in Securities Markets – An International Perspective,' covered the main regulatory issues and challenges related to cyber security for relevant segments of securities markets. IOSCO also reviewed different regulatory approaches related to cyber security and the potential tools available to regulators to respond to cyber risk, while highlighting practices that have been adopted by market participants and emerging trends in cyber security.

The SEC has made cyber security an exam priority, releasing risk alerts and guidance over the last few years. In a recent risk alert, the SEC re-emphasized its cyber security concerns. The alert highlights six areas of focus for its second round of cyber security examinations and includes a sample examination request letter.

The IOSCO report echoes many of the same concerns as the SEC's recent alert, specifically the SEC's first area of focus: governance and risk assessment.

Approach

A table or matrix can be a great tool for establishing evidence of compliance and organizing compliance calendars. In particular, investment advisory firms have been using this format to help establish a culture of risk management, mapping risks to formulate the general risk assessment process. The IOSCO report shows this can be adapted to cyber security as well.

A typical table or matrix will identify the risk, determine its impact, likelihood and priority; create a procedure to mitigate the risk; and perform forensic testing to ensure that the firm's measures are reasonably effective.
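The table described above, worked as a small risk register: each row carries the risk, its impact and likelihood, a derived priority, the mitigating procedure, and the date the control was last tested, so the register can be sorted for reporting and overdue tests can be flagged as evidence gaps. This is an added example, not code from the article or from IOSCO; the 1-3 rating scale, the priority thresholds, the 90-day default test interval, the assessment date and the sample rows are all assumptions constructed for illustration and are not the threats in the IOSCO table.

```python
"""Risk register (table/matrix) for a cyber risk assessment.

Each row holds the fields the text describes: the risk, its impact,
likelihood and derived priority, the mitigation procedure, and when the
control was last tested, so overdue tests can be surfaced as evidence gaps.
All scales, thresholds and rows below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Ordinal scale (assumed) that turns impact/likelihood ratings into a score.
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Constructed assessment date used when checking test intervals.
ASSESSMENT_DATE = date(2024, 6, 30)


@dataclass
class Risk:
    name: str                     # the threat being tracked
    impact: str                   # "low" | "medium" | "high"
    likelihood: str               # "low" | "medium" | "high"
    mitigation: str               # the procedure/control that addresses it
    last_tested: date             # when the control was last exercised
    test_interval_days: int = 90  # how often evidence must be refreshed (assumed)

    def score(self) -> int:
        """Impact x likelihood on the 1-3 scale, giving a value from 1 to 9."""
        return LEVELS[self.impact] * LEVELS[self.likelihood]

    def priority(self) -> str:
        """Bucket the score so the register can be sorted and reported."""
        s = self.score()
        if s >= 6:
            return "high"
        if s >= 3:
            return "medium"
        return "low"


def prioritize(risks):
    """Return the register ordered highest priority first (stable for ties)."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def overdue_tests(risks, today):
    """Rows whose control has not been tested within its own interval."""
    return [r for r in risks if (today - r.last_tested).days > r.test_interval_days]


def render_table(risks):
    """Plain-text rows (header first) suitable for a compliance binder."""
    rows = [f"{'Risk':<32}{'Impact':<8}{'Likelihood':<12}{'Priority':<10}Mitigation"]
    for r in prioritize(risks):
        rows.append(
            f"{r.name:<32}{r.impact:<8}{r.likelihood:<12}{r.priority():<10}{r.mitigation}"
        )
    return rows


# Constructed sample rows; not the threats listed in the IOSCO report.
SAMPLE_RISKS = [
    Risk("Credential phishing of staff", "high", "high",
         "security awareness training; MFA on email", date(2024, 5, 1)),
    Risk("Ransomware on file servers", "high", "medium",
         "offline backups; periodic restore drill", date(2024, 1, 15)),
    Risk("Third-party vendor data breach", "medium", "medium",
         "vendor due diligence questionnaire", date(2024, 3, 1), 180),
    Risk("Lost unencrypted laptop", "medium", "low",
         "full-disk encryption; remote wipe", date(2024, 6, 1)),
]

if __name__ == "__main__":
    for line in render_table(SAMPLE_RISKS):
        print(line)
    for r in overdue_tests(SAMPLE_RISKS, ASSESSMENT_DATE):
        print(f"TEST OVERDUE: {r.name} (last tested {r.last_tested})")
```

The per-row test interval is what turns the matrix into a calendar: a control with a longer cycle (the vendor questionnaire here) is not flagged while the ransomware restore drill, untested for over 90 days, is.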

Evidence of compliance is often a challenge for many investment advisers across many facets of the compliance program. Many firms have found that a table, matrix or even calendar with periodic testing and updates can be the best tool to show evidence. The SEC has also used a matrix to show what may be expected of advisory firms when it comes to a general risk assessment; a scenario was presented at the