Blog article
See all stories »

What Fund Management Boards Need to Know about Cybersecurity

Fund management executives and board directors play a crucial role in helping asset management firms navigate cybersecurity. As the financial, operational and reputational costs of cyber risk continue to mount, successful collaboration between fund management executives, cybersecurity executives and the board is essential for effective oversight of cybersecurity.

Accelerated Rule Making

The Securities and Exchange Commission (SEC) has proposed rules requiring registered investment advisers and investment companies to adopt and implement written policies and procedures for cybersecurity.

In addition, they would need to report significant cybersecurity incidents affecting the investment adviser, or the funds it advises, to the SEC within 48 hours of determining an incident is significant.

Firms would also need to disclose cybersecurity risks and incidents in their disclosure documents and implement a rigorous new recordkeeping policy related to cybersecurity.

Boards may also be required to approve the cybersecurity policies and procedures of certain registered fund service providers, such as its investment adviser, principal underwriter, administrator or transfer agent.

The primary intention of the rules is to ensure boards actively oversee the cybersecurity program and are held accountable for its administration. An additional intention is to protect the market by avoiding a scenario where multiple funds are unable to perform key operations at the same time.

The proposals do not break new ground or impose onerous requirements compared to approaches used in other industries or codified in most cybersecurity standards.

However, there might be a need to play catch up at smaller advisers and fund families, funds currently underinvested in cybersecurity, or funds not exercising regular board oversight of cybersecurity.

Getting Ready

The cybersecurity program should be tailored to the business, but fund shops should always include risk assessment, threat and access management, vulnerability management, and cybersecurity incident response and recovery considerations in their policies and procedures.

The SEC proposals require fund board directors to initially approve these policies and procedures and subsequently review the written report on cybersecurity incidents and any material changes.

In performing their oversight duties, board directors should seek information to understand the potential cybersecurity risks and the salient features and operations of the program. They must evaluate the effectiveness of the cybersecurity program and its implementation, and whether the fund has adequate resources for cybersecurity.

The risk assessments required by the proposals would help the board determine the scope, complexity, and nature of the cybersecurity challenges the fund shop faces and the efficacy of its cyber program.

According to the proposals, joint responsibility for reporting to the board could be assigned to a cybersecurity professional and a fund business representative. Working in tandem, these executives would need to collaborate to ensure the board receives reporting and advice that enables it to fulfil its oversight function.

The board should be satisfied that the cybersecurity program fully understands the organization’s priorities, regularly engages with the appropriate stakeholders in the business, and successfully addresses the business risk related to cybersecurity.

The cyber function should communicate potential business risks to those people most knowledgeable about the business. The information should be delivered to stakeholders using language they understand and with their point of view and priorities in mind.

How to Work with Cybersecurity Executives

Boards should ensure that the cyber function’s technical expertise is translated into meaningful and relevant information for the board. This may require them to address the tendency of cybersecurity professionals to fall into the ‘trap of expertise’ where the cyber function expects the board to understand the technical aspects of cybersecurity.

If firms determine that their cybersecurity executives are not yet board ready, they can engage an advisor with cybersecurity expertise to support the process. For example, an outside expert can help develop the cyber professional’s business acumen, propose relevant questions to them, clarify their input and responses to the board, and recommend executive coaching.

The Buck Stops Here

The cybersecurity function can provide focus, foster awareness and develop tools to support cybersecurity as well as highlight processes and decisions that lead to poor security. But it cannot be solely responsible for cybersecurity.

Boards should recognize that cybersecurity is not only the province of technology professionals but a strategic imperative, and finally dispense with the notion that ‘we do business, you do security’.

The cyber program needs the support of the board and the CEO to be truly effective. Board directors should note that executives reporting to the board about cybersecurity can guide and advise, but responsibility for cybersecurity must lie with the CEO. Boards should be cognizant of the CEO’s key role in driving an organization’s cybersecurity culture, embedding it at every level of the enterprise and promoting collaboration between executives.

In evaluating the efficacy of the cybersecurity program, boards are essentially assessing the performance of the CEO, as well as that of the chief information security officer (CISO), and other cybersecurity executives or fund business representatives reporting to the board on cyber matters.

In an ever-expanding and inter-connected fund management ecosystem, boards must ensure a shared understanding between board directors, senior management and technology executives about how cyber risk is addressed and mitigated across the value chain of advisers, fund complexes and third-party service providers.

Getting cybersecurity right is crucial for fund firms to safeguard investor and customer trust, protect brand and reputation, and enhance their competitive edge in an increasingly digital world.


Comments: (0)

Chris Brown

Chris Brown

CEO and Executive Coach

New Cyber Executive

Member since

21 Feb


Portland, Oregon

Blog posts


This post is from a series of posts in the group:

Information Security

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

See all

Now hiring