For further information on any of the issues discussed in this publication please contact the related contact(s) on this page.
The Central Bank of Ireland (the "CBI") recently published a letter to industry outlining the key findings from their thematic inspection (the "Thematic Inspection") of cybersecurity risk management in asset management firms (the "Industry Letter"). Dillon Eustace's client briefing summarizing the salient points is available here
If you have not already done so, we would encourage you to read the Dillon Eustace briefing, for a more complete overview of the CBI's findings and expectations in this regard.
The Thematic Inspection took place against the backdrop of a working environment that has since changed dramatically, at least temporarily, however its findings are even more relevant with most people working remotely resulting in processes and policies being placed under varying strains. Typically financial services organizations and their service providers might have between 10% to 15% of their workforce working remotely. At present this is more likely to be closer to 95% and consequently the threat of cybersecurity is heightened.
The Industry Letter reminds Investment Firms and Fund Service Providers ("Asset Management Firms") that the responsibility to ensure that cybersecurity is engrained in their firm's governance rests with the board of directors and senior management. A summary of the CBI's non-exhaustive expectations are as follows:
- Cybersecurity Risk Governance: Asset Management Firms should have a "comprehensive, documented and Board-approved IT and cybersecurity strategy".
- Cybersecurity Risk Management: The cybersecurity risk management framework should ensure related risks are identified, assessed and monitored.
- Information Technology ("IT") Asset Inventories: Asset Management Firms must conduct and maintain a thorough inventory of IT assets.
- Vulnerability Management: Vulnerabilities should be assessed on a continued basis and Asset Management Firms should identify both external and internal vulnerabilities and appropriate robust safeguards should be put in place.
- Security Event Monitoring: Security events and incidents should be detected on a timely basis and Asset Management Firms should ensure that all assets containing or processing critical data are monitored.
- Security Incident Management: Asset Management Firms should have a documented cybersecurity incident response and recovery plan in place outlining what actions will be taken during and after a security incident.
The CBI will be following up with individual firms to ensure that they are taking steps to enhance their cybersecurity resilience and to minimise the risk to themselves and to the wider industry from a cyber-attack. It will be particularly important that all firms who delegate key functions to third party service providers are confident that these delegates have in place and adhere to appropriate cybersecurity systems. Boards should be requesting regular updates from these delegates.
Practical examples of cyber-attacks.
In the past, investment funds have experienced cyber-attacks through bogus redemption requests and attempts to circumvent what are usually robust anti money laundering protections.
The creation of elaborate "scam" websites has become an increasingly common threat for both asset managers and investment funds, with several experiencing multiple attacks within a short timeframe. Funds and asset managers have had their names and identities cloned using very sophisticated methods, which in some circumstances has resulted in significant losses arising to unsuspecting investors who have subscribed to the 'cloned' funds on foot of the "scam" website. The fraudsters behind this are luring investors to "scam' websites which promote fake investment opportunities, assets, or shares. In each case, the property or opportunity is either non-tradeable, valueless, unreasonably expensive, or simply does not exist.
In the past few months there has been a noticeable increase in the creation and registration of domain names for financial firms, not of all which will be genuine.
We have set out below a list of practical steps to follow should your asset management firm and/or fund be subject to an illegitimate cloning of your identity. Any additional steps to be taken will need to be considered on a case by case basis.
1. Notify the Board of Directors of the cloned fund.
2. Notify the administrator of the fund and other fund service providers.
3. Notify the Central Bank of Ireland (in the context of an Irish fund/asset management firm).
4. Consider whether any regulatory authorities in other jurisdictions need to be notified (for example, the information on the "scam" website may refer to the cloned firm being authorised by a regulatory authority in another jurisdiction).
4. Notify the Irish Garda National Economic Crime Bureau and, where relevant, the relevant police force within the jurisdiction of any impacted investor.
5. Advise the impacted investor to also separately report the matter to the relevant regulatory authority and police force, as well as notifying their banking institution of any transaction details in the event monies have been subscribed to the 'cloned' fund.
6. Notify the investors in the relevant funds and include appropriate 'alerts' on relevant official websites.
7. Contact the host domain to shut down the fraudulent website.
8. Contact the relevant internet search engine to remove the fraudulent website from its search results.
9. Prepare a cease and desist letter provided that local law enforcement and regulators confirm that this will not result in "tipping off".
10. To the extent possible, purchase domain names similar to those of your firm/fund. This is something which a fund/asset management firm should bear in mind when establishing a fund at the outset.
In addition, some asset management firms have engaged with internal and external forensic teams to combat the cyber threats posed by "scam" websites. Once reported to local law enforcement you should ensure that there is regular follow up to monitor how investigations are progressing.
We would encourage all asset management firms/funds to regularly check that your websites have not been cloned in such a fashion. If a cloned site is discovered, regard should be had to the practical steps outlined above, and prompt action taken.
Originally published 24 April, 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.