An increasingly prominent cybersecurity weak spot for mutual fund organizations is a system breach outside the organization’s direct control. Some reports have suggested that over half of organizational security breaches in the past 12 months stemmed from the organization’s supply chain or a third-party. These third-party software breaches underscore how essential it is to have vendor/third-party cyber risk management components in place, as sensitive information—including Social Security numbers and other personal identification data—can be compromised and result in financial fraud and identity theft. 

Recent breaches—including Uber and its vendor Teqtivity, Dollar Tree and service provider ZeroedIn Technologies, the MOVEit hack, and AT&T and an unnamed marketing vendor—are sober reminders that no organization is immune to this vulnerability. This, unfortunately, is because vendors often ignore best practices for secure development. 

Worryingly, the White House’s March 2023 National Cybersecurity Strategy report states: “Software makers are able to leverage their market position to fully disclaim liability by contract, further reducing their incentive to follow secure-by-design principles or perform pre-release testing.” Although the U.S. government is increasing its effort to shift liability for insecure software and services, for now mutual fund firms must understand that hiring a third-party supplier and/or outsourcing IT services does not absolve their own senior executives of risk management responsibilities and can present financial and reputational risk to the organization. Accountability for a cyber breach is a shared responsibility with managed service providers. This brings to mind Amazon Web Services’ “Security of the Cloud” Shared Responsibility Model, which can be a useful framework. 

What Can the Board Do?

Third-party cyber risk should prompt independent mutual fund directors to examine associated potential risks and consider strategic issues, such as whether outsourcing is cost effective when accounting for security requirements and enterprise risk thresholds. Similar to a risk/reward analysis of an investment selection process, an ROI analysis and risk assessment prior to signing a vendor contract can be invaluable. Collaborative input from management, including the chief financial, operating, and information security officers, procurement decision-makers, and consultants is vital. 

How can mutual fund board directors get ahead of a disruptive cyber threat event? Challenge thinking in the boardroom, and ask probing questions. By no means limiting, here is a list of questions independent directors can ask management to get a conversation going: 

• What are the most critical assets that we must protect, and how do we protect them? 
• Who is responsible for security and operations at the mutual fund organization when hiring a third-party supplier? 
• Who is responsible for cybersecurity at the third-party supplier? 
• What should a supplier provide a mutual fund company in advance of an award contract to demonstrate security controls are in place? 
• Does the supplier have any security certifications, such as ISO 27001 (an international standard to manage information security) or a SOC 2 report (an auditing procedure that ensures data is managed securely to protect the interests of the organization and privacy of its clients)? 
• Does the supplier have an information security management system with a formal set of policies and procedures that are being followed? Can those policies and procedures be provided to the mutual fund organization? 
• Describe the cybersecurity training that the supplier provides to its employees. Is this performed during onboarding? What is the cadence for refreshing training? 
• Does the supplier perform penetration testing, or does it outsource this task? Can the supplier provide an attestation report? 
• Has the supplier had any security incidents over the past two years? If so, please describe them, as well as the response that led to recovery from the incident(s). 
• When was the last time the supplier ran a cybersecurity-related tabletop exercise? 

It is worth it for fund board members to ask probing questions in advance of awarding a supplier contract. By spotting pockets of risk from third-party vendors, mutual fund organizations can enhance organizational resiliency for stakeholders. With enhanced oversight, mutual fund directors can be leaders, not laggards, in mitigating third-party supplier cyber threats.

Catherine Nelson is founder and CEO of Windmill Lane Advisors, where she advises clients in a variety of areas, including governance, capital allocation assessment, due diligence, M&A evaluation, and more. She also serves as an advisor to Astia. Nelson’s board service includes being a member of the Private Directors Association board since December 2022, an independent advisory member of the Foundera board since November 2022, and an independent member of the Catholic Guardian Services board since February 2021.