COVID-19 has completely upended how all firms conduct their business. A shift to the work-at-home model, where existing technology assets were hastily combined with personal devices and networks, created unprecedented risk for companies. Performance of technology resources in the days and months following the implementation of COVID restrictions and the changes to those resources necessary to meet new realities are issues all businesses, including mutual fund firms, must now address. Mutual fund boards and independent directors need to consider how they should respond to this new and forever-changed environment.
Board oversight of technology is indeed a process now demanding attention. This process begins with an assessment of the current level of engagement with the adviser regarding technology and a determination of what it should be in the post-COVID era. This level of oversight is not a “one-size-fits-all” proposition. Instead, directors can reflect on their role in technology discussions pre-COVID, how the current technology framework is performing, and how this changing environment will impact the board’s role in future technology investments. Directors should therefore look for ways in which to further enhance their discussions with advisers as critical areas of risk are considered, and decisions on new and existing technologies are made. Directors should initiate conversations with management to fully understand how the current technology infrastructure has performed during COVID, why enhanced or new technologies may be necessary, the cybersecurity risks inherent in these technologies, and the risks associated with third-party providers of these technologies. Directors should also find the appropriate way in which to memorialize these discussions and their results for use in future regulatory inquiries. By thinking critically about their past role in technology and how COVID will require them to respond in the future, directors can better oversee this critical area of risk in the adviser’s organization while protecting the interests of the shareholders they serve.
Oversight, Not Overreach
Boards should not overstep their oversight role with respect to an adviser’s current technology framework or their undertaking of new technology initiatives. However, it is critical for them to understand the efficacy of their past technology oversight and how (or if) it needs to change. Directors should reflect on:
- Were discussions with the adviser around technology initiatives adequate and appropriate given the circumstances?
- Would additional educational opportunities for board members have enhanced these discussions?
- Did directors engage with all the appropriate stakeholders at the adviser level?
Directors need not be experts in technology but should demonstrate clear understanding of how the technology performed under current conditions and an intellectual curiosity of how new technology can enhance an adviser’s business operations and, ultimately, the shareholders’ interests. This includes an assessment of the current performance of the technology and processes in place at the time COVID disrupted the organization. Directors should ask:
- What lessons have been learned with regard to existing technology infrastructure?
- How did the adviser’s business continuity plan perform?
- Did the adviser perform a gap analysis?
- What worked?
- What didn’t?
- What can be improved?
- What processes were used to evaluate adequacy and effectiveness of technology (stress testing, etc.)?
- Is existing technology adequate given our experience through COVID?
Tech Decision Making
Depending upon the assessment of current technology performance, advisers may consider enhancements to, or replacement of, current technology solutions. As advisers consider the use of new or enhanced technologies, directors should ask:
- Why is new or enhanced technology necessary?
- What is the cost/benefit of new or enhanced technology?
- How will it be integrated into the existing infrastructure, and can it be supported?
- Does the new technology complement or replace existing solutions?
- How does new technology solve today’s problems? How will it adapt to meet future challenges or expectations?
- How does it drive overall business strategy and operational needs?
- What is the governance model for the use of new technology and the data associated with it?
New or enhanced technology can greatly expand business capabilities but also provide a new avenue for cybersecurity exposure. Without proper cybersecurity tools and programs, an adviser risks diminishing its technology’s impact while exposing the adviser and the shareholders to unnecessary risk. Directors should ask:
- What level of cyber risk is the adviser comfortable accepting (for itself and the shareholders)?
- How is the adviser handling existing cybersecurity threats, and how will the integration of a new and enhanced technology impact existing efforts?
- How are adviser technology systems currently tested? How will new or enhanced technology assets be integrated into this testing system? How will directors be kept abreast of testing results?
- How will existing processes and procedures be updated to account for new and enhanced technologies?
- How will the adviser integrate educational tools for employees on cyber threats and appropriate behaviors/responses?
- Can the adviser provide additional educational opportunities to directors around technology generally and cybersecurity specifically?
Boards should also be conscious of the risks associated with the providers of new and enhanced technologies and how their performance will impact the adviser’s operations. Directors should ask:
- What has been the third-party provider’s history of service disruptions?
- How will contract terms protect/compensate the adviser from outages and other disruptions?
- What has the provider’s performance looked like since COVID with respect to disruptions?
- What testing has the provider done internally, and how will it test the adviser’s suite of services going forward?
- How will the provider’s contingency plans be incorporated into the adviser’s own plan?
- How should ongoing due diligence of the provider evolve? What should the board’s role be with respect to due diligence?
Memorializing the Process
While it is important for boards to fully engage with the adviser on the topic of technology, it is just as important for boards to memorialize these interactions. Boards should take care to memorialize these efforts taken both alone, and in conjunction with the adviser and other fund service providers. This might take the form of enhanced board minutes, memos to files, and contemporaneous notes of discussions. Such records will be important to demonstrate the level of engagement the board has committed to the oversight of technology. These records may also take on added significance during future regulatory inquiries.
COVID-19 has led to substantial disruption in business strategy and operations. Like other businesses, mutual fund firms and their boards must adjust to the COVID realities that now exist. This is especially true in the area of technology. Boards should reflect on their role in technology discussions prior to COVID disruptions and assess if and how that role should evolve. It is likely for most boards that their role must change to address the enhanced risks present in the COVID environment. Through careful consideration of their evolving oversight role and the risks involved in existing and new technologies, a board can better oversee this critical area of risk and protect the interests of shareholders.
Peg McLaughlin is an accomplished financial services executive who has worked extensively advising and presenting to both corporate and mutual fund boards during her career. She was a founding member of the executive management team for Kramer Van Kirk Credit Strategies L.P. and its technology affiliate Mariana Systems LLC. Prior to Kramer Van Kirk, McLaughlin was assistant general counsel to Harris Associates L.P. She began her career as an attorney for the Securities and Exchange Commission.