Cybersecurity continues to be an area of focus for the Securities and Exchange Commission staff and an important area of oversight for directors of investment companies. Although cybersecurity itself is an area of expertise requiring specialized, technical knowledge, an investment company board’s role with respect to cybersecurity is one of oversight and not of management. Board members are not expected to have technical or specialized expert knowledge in this area. However, because cybersecurity is constantly evolving and by necessity does not remain static, continuing education and regular discussions with management on this topic are necessary for a board to effectively perform its oversight function.
There is not one specific rule or regulation that governs cybersecurity programs or that charges boards with oversight of the same. Requirements flow from a variety of federal rules and regulations such as Regulation S-P (including rules relating to the safeguarding of customer records) and Regulation S-ID (identity theft red flag rules). In addition, most states have enacted laws relating to cybersecurity, including information security program and data breach notification requirements. Rule 38a-1 under the 1940 Act, which requires that boards adopt fund compliance policies and procedures and approve those of certain service providers, also is a rule from which responsibilities with respect to cybersecurity oversight flow. For example, an inadequate cybersecurity program could result in a potential violation of Rule 38a-1 as a result of policies and procedures that fail to prevent and detect potential violations of federal securities laws. Similarly, another rule from which cybersecurity responsibilities are implicated is Rule 30a-3 of the 1940 Act regarding investment company internal controls and procedures.
The SEC continues to demonstrate its focus on cybersecurity. Over recent years, the SEC has issued guidance and risk alerts on cybersecurity programs that provide detailed guidance to fund complexes and their investment advisers. For example, the SEC’s Office of Compliance, Inspections and Examinations (OCIE) released the results of its Cybersecurity Initiatives, including a risk alert in August 2017 detailing its findings from cybersecurity examinations. The SEC also established its cyber unit in September 2017. Not surprisingly, cybersecurity continues to be an SEC exam priority. The areas of focus set forth in OCIE’s 2018 National Exam Program Examination Priorities are:
- Governance and Risk Assessment;
- Access Rights and Controls;
- Data Loss Prevention;
- Vendor Management;
- Training; and
- Incident Response.
Boards might want to confirm that fund management has reviewed the SEC staff’s various guidance in the area of cybersecurity, as well as evaluated the funds’ program against the current areas of SEC focus.
Discussions with Management
As with other areas over which the board exercises oversight, such as compliance, a board should determine that there are policies and procedures in place to prevent, detect and respond to cybersecurity threats. The board’s role is one of oversight. In this regard, boards should have an ongoing dialogue with management to confirm that cybersecurity is being adequately addressed. As a best practice, the firm’s management should report to the board at least annually, and, ideally, on a more frequent basis.
Besides cybersecurity breaches relating to data privacy of shareholder or other confidential information, cybercrime could include securities fraud, market manipulation, or insider trading. While it is generally impossible to protect against a bad actor, testing by management to ensure that there are adequate policies and procedures in place to attempt to prevent, and importantly, to detect cybersecurity incidents is critical.
Boards should have an understanding of the risks to the funds relating to cybersecurity and how such risks are being addressed. While there are emerging best practices as relates to board oversight of cybersecurity, there is no one-size-fits-all approach, and the scope of a fund complex’s program may vary based on factors such as size, applicable risks, types of shareholders, and management structure and business model.
Basic questions that boards should consider asking management include:
- Who is responsible for oversight of the fund complex and the adviser’s cybersecurity programs? Where does the cybersecurity function sit within the adviser’s organization? Who is responsible for making decisions with respect to the funds’ program?
- What is the funds’ technological framework? Who has access to sensitive fund data? What are the areas of potential risk?
- Are additional resources and staffing being added as needed? For example, the role of chief security officer is becoming more common at adviser firms.
- Are regular employee education and monitoring performed?
- What sort of testing (e.g., hackathons and phishing exercises) is being done? How often, and what are the results? Are there assessments of software tools?
- Has the program been evaluated by an independent third party? What areas of risk, exceptions, and gaps were discovered?
- Is regular attention being given to staying informed of current industry developments and threats, including through participation in information-sharing organizations such as Financial Services - Information Sharing and Analysis Center (FS-ISAC)? How is management keeping up with the evolving legal and regulatory landscape and industry best practices? Is the program being updated and enhanced accordingly?
- What type of monitoring and evaluation is done with respect to other fund service providers?
Additionally, with regard to incident-response plans, which is an important area of focus:
- Who are the members of the team? Who is the incident manager/coordinator? How will communication flow inside the firm? What additional resources will be necessary? Is there a materiality standard or risk analysis done? Who would be notified (e.g., law enforcement, regulators or clients)? Who makes these decisions?
- Has management engaged in a simulated exercise that tests the incident-response plan?
- What is the process for reporting to the board in the event of a breach? What would be considered a “breach” that would be escalated to the board? Who makes this decision? How will board members be notified?
Boards might find it helpful to receive written summary information of certain of the key points relating to the funds’ cybersecurity program.
Another best practice is for boards to hold educational sessions on cybersecurity topics. In addition to the questions noted above, topics might include current industry best practices or issues in cybersecurity or a review of cyber risks and risk management. Some general cybersecurity risks for investment companies involve the ability to strike NAV on a daily basis; the protection of trading data and portfolio holdings before being made public; and the protection of personally identifiable, confidential shareholder information.
In addition, individual board members should consider attending industry events relating to cybersecurity and reporting back to the board. Various industry groups hold conferences or panels on cybersecurity, including director industry groups.
It is worth noting that cybersecurity is not an issue that is unique to the fund industry. As a result, outside experts could also be of assistance to the board, for example, in providing educational sessions on emerging topics or as an additional resource.
Regular Board Reporting
More regular reporting to boards on cybersecurity is an emerging best practice. The level of detail with respect to cybersecurity reporting varies among fund groups, and one size does not fit all. Some boards have developed quarterly or annual dashboard reporting. Items covered might include:
ü Number of attacks detected and repelled during period
ü Nature of attack, e.g., length of time of penetration and information at risk
ü Steps taken in response to attack
ü Testing done during the reporting period and the results
ü Any material changes to data security policies
Another consideration is how to structure board oversight and cybersecurity reporting—whether it should be at a board committee level or the full board level. Some boards have established ad-hoc committees or cybersecurity task forces. Other boards might include cybersecurity matters on the agenda of a risk committee, the audit committee or a compliance committee. If housed at a committee level, it is still important that each board member have an understanding of the funds’ cybersecurity program and the risks faced by the funds and how these are being addressed.
Another emerging best practice is to have key vendors or service providers, such as pricing vendors and administrators, report at least once a year with respect to their cybersecurity programs.
Advisers and sub-advisers should provide regular reporting on their cybersecurity programs, as well. In this regard, many boards have updated their Section 15(c) due diligence questionnaires to include questions on the cybersecurity programs of advisers and sub-advisers. Other boards rely instead on the reports provided by the funds’ chief compliance officer with respect to his or her review and monitoring of adviser and sub-adviser compliance programs. Some fund groups also request attestations from service providers such as investment sub-advisers with respect to the adequacy of their cybersecurity and data protection policies and procedures.
Third Party Vendors and their Cybersecurity Programs
Boards should confirm that fund management is assessing whether other service providers and vendors utilized by the fund complex also have adequate cybersecurity policies and procedures in place. Boards should ask if management is performing vendor risk assessments, including in the area of cybersecurity.
Boards may want to ask management to discuss:
- What type of information is being requested from vendors with respect to their cybersecurity programs? For example, are SSAE 16 or SOC 2 audits provided and reviewed?
- Are all vendors being assessed? In addition to service providers involved in the day-to-day operations of the fund—such as the custodian, administrator and pricing vendors—are other vendors (e.g., board book portal providers) evaluated?
- Is testing done with respect to the safety and protection of information handled by third-party service providers?
- Are service providers’ business continuity plans considered?
- Does management inquire as to who has access to fund or shareholder data at a third-party service provider?
- Has management asked about the breach notification process by service providers—including what would be considered to be a breach, under what circumstances there would be notification of a breach, and how quickly that notification would be made?
Boards might also want to request that management review contracts with other service providers to determine whether cybersecurity is adequately addressed.
Another area of focus by fund management should relate to the cybersecurity programs of the service providers to the fund service providers (sometimes referred to as “fourth-party risk”). The SEC staff has specifically noted this as an area that should be considered. Boards should confirm that management has evaluated how fund service providers in turn protect against cybersecurity incidents at their own service providers that might potentially impact either their ability to provide services to the funds or that might directly put fund information at risk.
Boards should ask for a review of the funds’ and directors’ insurance policies to understand what is covered under current policies with respect to cyber-related issues, where there are gaps, and whether any type of additional cyber insurance coverage might be necessary or appropriate. In this regard, the board may consider whether the adviser or other key service providers, such as the administrator, also have coverage in this area.
Board Digital Communications
While board members do not generally have access to confidential fund or shareholder information, boards may want to consider cybersecurity practices in connection with their own communications. Cyber criminals have been known to gain access to confidential information by utilizing other entry points such as a personal email account. Although this risk may be remote in view of the types of information to which boards have access, board members should take steps to protect their own personal email accounts, including being aware of current types of cyberattacks, such as phishing, and keeping antivirus software up to date. If boards utilize a common email correspondence system or a board book provider portal, they may want to consider whether certain security protections might be appropriate, e.g., the use of dual authentication.
Stacy H. Louizos is a Partner at Drinker Biddle based in New York. Her national practice focuses on the representation of registered investment companies and their independent directors and investment advisers.