If firms do not step up their cybersecurity management practices, the French authorities might be compelled to look to the law. This was the conclusion of the third series of short thematic inspections (SPOT) carried out by France’s financial regulator Autorité des Marchés Financiers (AMF) on five medium-sized asset management firms. The tests analysed the cyber risk management practices of the participants as part of a larger risk mapping exercise in preparation for the implementation of the European Digital Operational Resilience Act (DORA).

The recent tests were a continuation of two initial exercises, the findings of which were published in 2019 and 2021. Risk was defined as “the result of a potential malicious attack on the availability, integrity or confidentiality of hosted data, or against the traceability of actions performed within the information systems of the establishments on the panel”.

AMF focused on services offered by IT providers, especially those in cloud computing, as well as on the IT channels used for exchanging sensitive data with partners of the participating firms. Three main areas pertaining to cybersecurity were examined: the organisation and governance of cybersecurity, as well as the associated procedures; the selection and contracting process with IT service providers and partners; the overall control system.

Not good enough

The findings revealed that most of the companies in the study had carried out exhaustive risk mapping for their sensitive IT partners, but not for others. This resulted in a lack of necessary supervisory tools to ensure that employees used “appropriate IT communication channels depending on the level of sensitivity of the data exchanged”.

In addition, the firms were found to be taking a more reactive than proactive approach to cyber risks associated with outsourced services. This is not consistent with the approach advocated by DORA, which recommends a balance between reactive and proactive measures.