
FMA publishes Guides on IT Security for Fund Managers and Investment Services Providers


The Austrian Financial Market Authority (FMA) today published its Guides on IT Security in Investment Management Companies and Investment Service Providers respectively. These Guides conclude the FMA’s initiative as an integrated supervisory authority to create uniform frameworks for digitalisation for all areas of the financial market. In May and June of this year, it published corresponding Guides for the banking and insurance industries. “It is important for us to use these Guides to establish transparent and uniform standards for the entire Austrian financial market. Customers must be able to be sure that their data is protected against misuse and that the digital services offered are available on a continuous basis, regardless of whether it is a bank, insurance company or an investment firm providing the service,” commented the FMA’s Executive Directors, Helmut Ettl and Klaus Kumpfmüller. IT Security is one of the FMA’s thematic focuses for 2018, with regard to both supervision and on-site inspections.

The digital processing of data and processes is also becoming increasingly important in connection with investment in securities – whether in relation to investment advice, the management of individual and collective portfolios, or the settlement of transactions. The significance of IT risk is also growing as a result of the increasing use of digital technologies. The Guides explain the FMA’s expectations in relation to IT security, and thereby provide the investment industry with a transparent framework for extending its digital offerings in relation to portfolio management and the distribution of securities. They are aimed at Alternative Investment Fund Managers (AIFMs), corporate provision funds, Managers of Investment Funds and Real Estate Funds as well as providers of investment services.

The FMA once again applies the principle of proportionality with regard to its supervisory requirements in these Guides. A higher degree of risk is associated with increased requirements for IT security. In the implementation of the Guides, the nature, scale and complexity of the activities and the risk structure of an institution may be taken into account on an individual basis.

The following areas are addressed:

  • Entities must manage IT risks within an IT strategy, establish the necessary IT governance for this purpose, and draw up internal security policies.
  • Entities must have Information Security Management in place. Depending on the entity’s size and the risk entailed, this may also entail the appointment of an information security officer. Ensuring the integrity and confidentiality of the data administered by the entity is a material component of Information Security Management.
  • IT emergency management must also ensure the availability of IT systems and services even in the event of disruptions.
  • When outsourcing IT services – also to cloud service providers – entities must ensure that third-party providers guarantee a comparably high level of IT security. This also applies when services are outsourced within a group of entities.
  • In addition, the Guides explain that investment service providers that work together with tied agents or securities brokers must ensure that client data made available to them is adequately protected.
  • Equally, investment management companies must ensure that the customer information they submit to a custodian bank is securely stored there.

The complete text of the “FMA Leitfaden IT-Sicherheit Verwaltungsgesellschaften” (FMA Guide on IT Security in Investment Management Companies) and the “FMA Leitfaden IT-Sicherheit Wertpapierdienstleistungsunternehmen bzw. Wertpapierfirmen” (FMA Guide on IT Security in Investment Services Providers and Investment Firms) can be found on the FMA website (currently in German only) at:

https://www.fma.gv.at/fma/fma-leitfaeden/

Journalists may address further enquiries to:

Mr. Stefan Maier

+43/(0)1/24959-6001

+43/(0)676/882 49 426
