Mutual fund boards have increasingly struggled to define their oversight obligations with respect to cybersecurity in light of the Securities and Exchange Commission’s proposed cybersecurity rulemaking, which would expand the board’s role and required oversight obligations significantly. There has been much hand-wringing over the fact that the proposed rule misallocates responsibility between the board and management in many instances. For example, the staff explored whether it should require boards to approve the granular cybersecurity policies of the adviser and service providers, components of which may not relate to the mutual fund business. While the industry awaits a final rule on cybersecurity, there are steps that boards may take now to ensure cyber preparedness regardless of the content of the anticipated rulemaking. Additionally, while forthcoming rulemaking is important, boards should be mindful of the SEC’s 2015 guidance to mutual fund boards and advisers relating to the oversight of cybersecurity.
The evolving cyber threat landscape creates more risk in more ways for organizations. A few trends include ransomware scaled to allow criminals lacking technical experience to strike companies with licensed malware, attackers extorting victims directly with their own stolen data to pressure companies into payouts, and hackers launching complex online misinformation and disinformation campaigns to destroy brands.
Many fund boards spend significant time focused on the prevention and detection of cybersecurity vulnerabilities and incidents. Less time tends to be spent on the development of incident response policies and communication procedures, which are important to mitigate harm and to ensure the board is fully informed on incidents and appropriately included in response decision-making. Communication and collaboration break down quickly in the heat of a crisis without a well-practiced game plan. Poorly formulated responses to a cyber incident can turn a manageable incident into the real crisis. Just as Louis Pasteur observed that “chance favors the prepared mind,” quality oversight and enterprise resiliency favor the board being strategically prepared for cyber incidents. As the cyber threat landscape becomes increasingly perilous for organizations, it is critical to view poor communications responses to cyberattacks as an enterprise risk.
Enhance crisis, cyber preparedness
Accordingly, boards should take steps to create a board cybersecurity communication policy and board crisis management response plan, leveraging advice from independent counsel and independent strategic communications and crisis management advisers, while in collaboration with management.
Many boards can enhance their crisis and cyber preparedness by addressing:
- Need for an expanded articulation and assessment of potential cyber risks
- Reliance on management-centered incident response plans
- Incident response plan that does not enable effective and timely cyber incident information
- Limited scope in anticipating enterprise threats
- Lack of information on the crisis potential of threats (e.g., not all incidents are crises)
- Need for additional integration of comprehensive communications response planning with technical, organizational, and financial response planning for cyber incidents
- Underestimation of the need for proactive communications planning ahead of a cyber incident (e.g., only focusing on reactive, live crisis strategies)
- Narrow perspectives on potential and actual incidents
- Incidents viewed solely through a liability lens (and not considering a holistic view of business priorities and reputational risk)
- Communications and cyber incident plans that inadequately address key internal roles and responsibilities, stakeholder mapping, internal and external communications progression and escalation, proactive/reactive messaging, etc.
Below are suggested ways that boards may close cybersecurity preparedness gaps that can help response efforts from a communications perspective.
Key Cyber Communications Preparedness Checklist:
- Receive advice from independent counsel and cyber consultants as needed, including strategic communications counsel (which may be engaged through independent counsel).
- Engage in tabletop exercises and/or live crisis simulations with management to determine effective communications flow to internal and external stakeholders and identify who makes decisions under what circumstances.
  - It is helpful to debrief on lessons learned and then incorporate them into the plan so they can be tested in the next tabletop.
- Formulate a cyber communications policy. Develop expectations and a policy regarding the individuals who will notify the board and keep it current on developments in the event of an incident.
  - Consider how trustees are notified of and kept current on an incident, including if electronic communications systems have been, or are suspected to have been, compromised. Will management communicate by text? If so, is this prohibited by the adviser’s policies?
  - Consider which trustees are involved, in what order they are notified, and which individuals from management will contact which trustees. Does the chair receive first notification? Is independent counsel on the line?
- Formulate a cyber response plan. If an incident occurs, what advice will the board need in order to navigate the situation or ensure that management’s approach is reasonable? Consider:
  - Shareholder protection
  - Mitigating measures
  - Brand reputation
  - External communications (regulators and the public)
  - Internal communications
  - Report inquiries
- Utilize AI communications tools to identify who is propagating negative narratives about the organization in the midst of a cyber incident; visualize how the conversation moves across networks to change how the board understands media, judges the communications teams, and makes decisions about mitigating next steps.
Boards must discern whether the steps taken by management are reasonable and include appropriate communications both internally and externally. Advice from independent counsel and independent strategic communications and crisis management advisers can provide a holistic view. These advisers give boards an overview of the suite of tools and actions entities should have in place ahead of managing a crisis, which can be compared against, or can supplement, what management may recommend. Independent strategic communications advisers also provide guidance on how to design a communications culture of preparedness, adeptly manage live crises, and rehabilitate reputational damage. If an organization truly aims to fortify brand vulnerabilities and reduce recovery costs, making a strong commitment to preparedness efforts, and receiving independent guidance on this, is crucial.
An example of how independent strategic communications and crisis management advisers approach cyber incidents and crisis management generally:
Whether the SEC’s proposed cybersecurity rulemaking greatly expands the fund board’s required oversight obligations remains to be seen. However, as cyberattackers target companies with increased frequency, boards have a critical need to manage enterprise cyber risk through independent counsel and independent strategic communications and crisis management advisers, in collaboration with management.
Nicole Crum is a partner in the Investment Management Group and chair of Sullivan & Worcester's Corporate Governance & Board Advisory Practice Group. She represents boards and board committees, including independent directors, as well as a broad spectrum of companies, such as investment companies, investment advisers and broker-dealers. Crum regularly advises on all aspects of governance and compliance, including the operation of investment companies and related transactions, crisis and conflict management, regulatory oversight and compliance, government and internal investigations, and shareholder engagement issues.
Keisha McClellan is vice president, global crisis & issues, at Weber Shandwick, where her focus includes cybercommunications related to cybersecurity, data privacy and regulatory concerns. She advises on a broad range of high-profile crises—including executive malfeasance and transitions, data privacy and cybersecurity incidents, litigation communications, and internal culture controversies—and counsels clients on risk management, strategic communications, brand safety, media skills training and strategy, and thought leadership visibility. McClellan’s expertise in cyber incidents such as ransomware, phishing, and business email compromise involves developing complex communication plans, conducting real-time crisis simulations, and more.