
Outsourcing by asset managers: practical steps to mitigate the cyber security risks of a "one provider" model

We have seen an increasing trend towards asset managers outsourcing their global middle and back office services to one provider. In some cases, these service providers are also providing a consolidated offering that includes front office as well.

These global outsourcing arrangements drive efficiencies in terms of price, operations and expertise that can benefit both the asset manager and the underlying funds. They also give asset managers and the funds the opportunity to benefit from robust, and often substantially improved, legal provisions that can have a significant impact on day-to-day operations. For example, an asset manager is likely to be in a stronger position to negotiate improved liability provisions as well as detailed protections such as remediation, audit, implementation, benchmarking, change control and governance arrangements. These in turn support the asset manager’s oversight of the provider and give the asset manager tools that it can exercise in the event that issues arise during the term of the arrangement.

There is, however, a question over the risks associated with a consolidation of assets under management with one service provider, particularly where providers are offering multi-client platforms and solutions.

One of these risks is cyber security. The benefits of a “one provider” outsourcing model can be huge, but asset managers must do all they can to guard against and prevent digital failure, and must work alongside providers to ensure the robustness of the providers' systems and controls.

A key part of this will be ensuring that the outsourcing agreement includes extensive rights and protections for the asset manager in relation to cyber security. We have set out below some steps that an asset manager looking to appoint a provider of front, middle and/or back office services will want to consider, in line with its regulatory obligations.

  1. Due diligence
    • Before entering into an outsourcing arrangement, asset managers should conduct appropriate due diligence on the service provider's operations and expertise. This should include considering the operational risks related to the outsourced function to ensure that the service provider is suitable, as well as any technical and organisational measures that the provider has put in place to protect any personal or confidential data.
    • If gaps have been identified as part of the due diligence phase, the outsourcing agreement should clearly set out these gaps and include obligations on the provider to remedy any gaps.
  2. Business continuity
    • Asset managers should ensure appropriate contingency arrangements are in place to allow business continuity in the event of a significant digital failure or loss of services from the service provider, which may result from a cyber attack.
    • If the outsourcing is on a global multi-service basis, asset managers should consider whether there needs to be separate contingency arrangements in each jurisdiction or for each service category.
    • The outsourcing agreement should set out requirements on the service provider in relation to the maintenance and implementation of its business continuity plan(s), as well as requirements in relation to regular testing.
  3. Audit
    • Asset managers should ensure that they (and their regulators) have effective access to information and data related to the outsourced functions and activities.
    • The outsourcing agreement should set out the details behind an asset manager’s right to conduct audits, including the frequency of those audits. Asset managers may also want to consider including a right of audit in the event of a serious digital failure, such as a cyber attack.
  4. Remediation
    • Asset managers should consider what remediation obligations should be included in the outsourcing agreement in order to remedy a digital failure. This may include, for example, enhanced oversight of the provider and, if appropriate, the right to step-in in the event of a serious failure.
  5. Termination
    • If a digital failure is serious enough to constitute a material breach, asset managers should include rights to terminate the arrangement.
    • If the outsourcing is on a global multi-service basis, asset managers should consider whether a right to terminate should relate only to the affected service category or jurisdiction.

There are of course many other steps and legal protections that can be built into an outsourcing arrangement to deal with a range of different risks. Asset managers should ensure they consider each of the risks and the appropriate protections before entering into a critical outsourcing arrangement.
