How asset managers can mitigate cybersecurity risks associated with outsourcing

Dec 19, 2019 5:18:12 PM

As technology moves at a faster and faster pace, the opportunities for outsourcing increase and become increasingly tempting. Asset managers may not, at this very moment, be beavering away coding the next killer asset management app themselves. It is very likely, however, that someone, somewhere is doing it for them.

Indeed, perhaps the next ‘killer’ app is here already. As mundane as it may sound, the proliferation of highly effective, highly integrated, middle and back office systems may be the invention that has benefited asset managers the most since email arrived in the 1990s. Speak to an asset manager who has a single provider of their integrated back, middle and front office systems and suggest they perform their role without it, and you will receive something approaching a horrified look.

But as with almost any benefit, there comes regulatory risk. Outsourcing is addressed specifically in the FCA’s Handbook (SYSC 8 and again in SYSC 13.9) and the definition is broad. The outsourcing of functions that are “critical for the performance of [the firm’s] regulated activities” comes with particular regulatory impact. Data storage, portfolio administration, valuations, reporting and software that is critical to day-to-day operations are all likely to meet the definition of ‘critical’.

Clearly a major part of this regulatory attention is cybersecurity. With the benefit of the systems in question comes the risk of putting all of your eggs in one basket. The basket holder is required to do everything to ensure the basket does not break.

Consider the following areas that are likely to help mitigate the risks and fulfil regulatory obligations.

An outsourcing agreement for all outsourced arrangements

All outsourced arrangements for critical functions will need to have in place a formal agreement. This should detail a range of factors to assist asset managers in managing risk. When it comes to cybersecurity there should be extensive rights and protections, which will probably highlight elements such as the fact that cybersecurity is the software provider’s express responsibility.

Carrying out thorough and documented due diligence

As with any arrangement of this sort, proper evidence of thorough due diligence will be needed. This should include an assessment of the provider’s technical expertise and the lengths they go to to protect confidential data.



Monitoring performance and auditing

There will need to be an appropriate mechanism for monitoring the performance of the provider when it comes to cybersecurity. Including a right to audit in this mechanism gives firms the right to carry out in-depth investigations at times of increased risk, such as periods when a cyber-attack is particularly likely or prominent.

Ensuring business continuity

Where the system in question is part of a firm’s day-to-day operations, as it is likely to be, thought and provision should be given to what would happen in the event of the system being unavailable. This applies to both the asset manager and the provider. The asset manager needs an internal continuity plan and the outsourcing agreement can feature requirements for the provider in maintenance, testing and their own business continuity planning. 

Remediation and termination

In the event of a major cybersecurity issue, firms are likely to want to protect themselves by way of appropriate remediation and the right to terminate any existing ongoing financial agreement. Remediation may not only be fiscal in nature, but also include altering the terms of the agreement and expectations placed upon the provider’s future performance.
