The AMF has released a summary of its third thematic cybersecurity controls on asset management companies, emphasizing the significance of cyber risk in its risk mapping. The assessment is aligned with the impending implementation of DORA. The AMF focused on examining the cyber risk supervision mechanisms of five establishments in their relationships with key IT service providers and partners. Encouraging companies to strengthen their cybersecurity measures, especially in connection with cloud computing services, the AMF advocates a proactive approach to addressing cyber risks.
In the present round of SPOT controls, following previous analyses in 2019 and 2021, the AMF scrutinized the cybersecurity practices of five medium-sized asset management companies. Cyber risk was defined as the potential for a malicious act to compromise the availability, integrity, confidentiality or traceability of data within the information systems of the panel's establishments.
The AMF focused on critical IT service providers, with particular attention to cloud computing, and extended the review to the channels used to exchange information with other partners. Across a panel of varied companies, the AMF assessed the cybersecurity organization, the procedural framework, the process for selecting providers and partners, and the internal controls applied to them. Technical tests on the information systems themselves were outside the scope of these controls.
The AMF observed that while most companies had mapped their sensitive IT providers comprehensively, including risk assessments, a similar mapping was lacking for other partners. Consequently, companies failed to implement necessary tools to ensure the systematic use of appropriate information exchange channels based on data sensitivity.
The AMF also noted insufficient consideration, during the selection and contracting phase, of criteria related to the robustness of cybersecurity, incident management, and business continuity associated with the services provided. Despite this, companies in the panel conducted post facto controls assessing the effectiveness of these measures through user verifications and periodic or continuous checks, including technical tests.
The controls revealed recurring anomalies, indicating a reactive rather than proactive approach to the cyber risks associated with outsourced services. This approach is at odds with the upcoming DORA regulation, applicable from 17 January 2025, which calls for a balance between reactive and proactive measures. The conclusion of this third SPOT control series marks the end of the educational phase on cyber risk initiated by the AMF in 2019. Weaknesses identified in this synthesis and the previous two that persist may henceforth lead to regulatory action.
Of note, this document serves neither as a position nor a recommendation but highlights observed practices during controls, emphasizing compliance or non-compliance with cybersecurity regulations. Regulatory reminders specified in the section’s insets represent identified shortcomings in the controls of the panel’s asset management companies.