Cyber security and GDPR for independent asset managers.
Everyone is talking about cyber risk, the new EU privacy regulation, and other buzzwords. A fair question in this context is whether the situation has really changed in recent years, or whether resourceful consultants and solution providers, seeking new business, have invented a hype in these areas. It is undisputed that “everyone” who wants to appear up to date carries these buzzwords like labels on her or his business card, LinkedIn profile, etc. But is this the only trigger for the hype? No: it is difficult to ignore the headlines in newspapers, news broadcasts, and other media reporting losses of hundreds of millions of euros, dollars, or CHF caused by cyber-attacks such as ransomware/cryptolocker or distributed denial-of-service attacks.
In earlier days, say, ten years ago, the targets of cyber-criminals were the big global players in business or public administration. Nowadays, cyber-attacks are highly industrialized, which allows attackers to target thousands or even millions of victims at once, independent of size. Additionally, cyber-criminals are able to single out individuals around the globe without knowing them in person, but with detailed information about their lives gathered through open source intelligence tactics. Thus, everyone and every business is a target, independent of size or context. A similar situation can be observed regarding the EU General Data Protection Regulation (GDPR). Almost every business will have to comply with it, e.g., because it offers products or services to persons in the EU. The few that succeed in avoiding this by strictly limiting their offering to a Swiss domestic clientele will still not escape the fundamental change in the data protection regime. The reason is that Swiss data protection law is currently changing too, and it must be expected that the Swiss law will be almost a copy of the EU legislation. Thus, here as well, major developments lie ahead of us.
The risk in such changing times is that the requirements for change are not clear, or that the implementation turns out to be more complex than expected. What is needed here is pragmatism, combined with well-versed support. The task for the individual company remains to select the most suitable supporters on this journey. It is not important that a potential advisory client knows the topic inside out. What is essential, however, is mutual understanding, trust, and transparency when collaborating to reach the goals.
About the author:
Rainer Kessler is an associated partner of management & advisory services mas, and consults in the areas of operations, technology and information governance, risk, compliance, assurance, and security in multiple sectors, with a special focus on the financial industry, public administration, and defense.