Fund management company executives and directors play a key role in helping asset managers address cybersecurity. As the financial, operational and reputational costs of cyber risk continue to increase, good collaboration between fund managers, cybersecurity officers and boards of directors is essential for effective cybersecurity oversight.
Accelerating rule creation
The Securities and Exchange Commission (SEC) has proposed a rule that would require registered investment advisers and investment companies to adopt and implement written policies and procedures regarding cybersecurity.
Additionally, under the proposal, any material cybersecurity incident affecting an investment adviser or the funds it advises would have to be reported to the SEC within 48 hours of determining that the incident is material.
Companies would also need to disclose cybersecurity risks and incidents in their disclosure documents and adopt new record-keeping requirements related to cybersecurity.
The board may also be required to approve the cybersecurity policies and procedures of certain registered fund service providers, such as investment advisers, lead underwriters, administrators, and transfer agents.
The primary purpose of this rule is to ensure that boards actively oversee and are accountable for the management of their cybersecurity programs. It also aims to protect the market by avoiding scenarios where multiple funds are unable to carry out important operations at the same time.
This proposal does not break new ground or impose onerous requirements compared with the approaches used in other industries or codified in most cybersecurity standards.
However, smaller advisers and fund families, funds that currently underinvest in cybersecurity, and funds that do not have regular board oversight of cybersecurity will need to play catch-up.
Prepare
While cybersecurity programs should be tailored to the business, fund shops should always address risk assessment, threat and access management, vulnerability management, and cybersecurity incident response and recovery in their policies and procedures.
The SEC's proposal would require fund directors to first approve these policies and procedures and then review written reports of cybersecurity incidents and material changes.
In carrying out their oversight duties, directors should seek information to understand potential cybersecurity risks and the salient features and operations of the program. The effectiveness of the cybersecurity program and its implementation should be assessed, as well as whether the fund has adequate resources for cybersecurity.
The risk assessment required by the proposal will help the board determine the scope, complexity, and nature of the cybersecurity challenges faced by the fund shop and the effectiveness of its cyber program.
According to the proposal, joint responsibility for reporting to the board could be assigned to a cybersecurity expert and a fund business representative. These executives should work together to ensure that the board receives reports and advice that enable it to fulfill its oversight function.
The board must be satisfied that those running the cybersecurity program understand the organization's priorities, engage regularly with the appropriate business stakeholders, and successfully address the business risks related to cybersecurity.
Cyber departments need to communicate potential business risks to those most knowledgeable about the business. Information must be delivered to stakeholders using a language they understand and keeping their perspectives and priorities in mind.
How to work with cybersecurity personnel
Boards must ensure that the technical expertise of the cybersecurity function is translated into relevant information that is meaningful to the board. To do so, cybersecurity professionals may need to address the tendency of cyber departments to fall into the "expertise trap," in which they expect the board to understand the technical aspects of cybersecurity.
If a company determines that its cybersecurity executives are not yet board-ready, it can engage advisers with cybersecurity expertise to support the process. For example, external experts can help cyber experts develop business acumen, suggest relevant questions, clarify opinions and answers for the board, and recommend executive coaching.
The buck stops here
The cybersecurity function can develop the focus, awareness, and tools that support cybersecurity, and can highlight the processes and decisions that lead to poor security. However, no single function can be solely responsible for cybersecurity.
Boards must recognize that cybersecurity is not just the domain of technology professionals but a strategic imperative, and must abandon the idea that "we run the business, you take care of security."
For a cyber program to be truly effective, it needs the support of the board of directors and the CEO. Directors should note that while the executives reporting to the board can provide guidance and advice regarding cybersecurity, responsibility for cybersecurity rests with the CEO. Boards need to recognize that the CEO plays a critical role in driving the organization's cybersecurity culture, permeating it to all levels of the company, and fostering collaboration among executives.
When evaluating the effectiveness of a cybersecurity program, the board should consult not only the CEO but also the chief information security officer (CISO), other cybersecurity executives, and the fund business representatives who report to the board on cyber issues, and it should also evaluate the performance of each of them.
In an ever-expanding and interconnected fund management ecosystem, boards need to understand how cyber risks are addressed and mitigated across the value chain of advisers, fund complexes, and third-party service providers, and to ensure a common understanding of those risks among management and technology executives.
Getting cybersecurity right is critical for fund companies to protect investor and customer trust, protect their brands and reputations, and strengthen their competitiveness in an increasingly digital world.