Why simplifying cybersecurity is essential for mutual fund boards of directors

Imagine if you were tasked with the understanding of an element of your job outside of your job description, and that the understanding of this element, if not done correctly, may result in dramatic losses and/or reputational risk for your organization.

But in the age of cybercrime, where financial services organizations are the second-most likely sector at risk for a cyberattack, cybersecurity has to be top of mind for each employee in the organization from entry level to senior management. Moreover, for mutual fund boards of directors, cybersecurity is a daunting task, and one of many oversight responsibilities that they must confront.

The SEC has made it clear by delineating cybersecurity as a top priority for a number of years that it is a crucial element of board oversight, currently on its third cyber sweep in the last six years. But that’s easier said than done. Most mutual funds boards of directors meet only 4-6 times per year, and are sometimes comprised of retired industry with numerous other roles and responsibilities.

Directors who sit on multiple boards and engage in their own pursuits, often have limited time to dedicate to the understanding of this element of their oversight role.

Fund boards wrestle with identifying how to effectively include cybersecurity in their oversight responsibilities. Cybersecurity is highly technical, rapidly evolving, requires continuous vigilance, and demands significant ongoing resources. And while solutions are expensive, failures in this area are far more costly. Like other oversight roles, directors are charged with exercising their business judgement in oversight, not management.

Mutual fund boards of directors are tasked with understanding the threats, defenses, tools, infrastructure, human capital and monetary costs of cybersecurity, but they can only do so when given the proper tools. When technologists, even at the C-suite level, present to the board about the state of play of cybersecurity for their fund, more often than not, they’re speaking a completely different language, one that boards of directors struggle to understand.

In an age where not just the financial institutions, but the regulators themselves have invested significant cost in understanding and adopting cybersecurity technology, both sides have become far more sophisticated. The SEC’s information request list has become far more detailed, and thus necessitate more detailed responses during exams. As the SEC has continued to stress cybersecurity, boards of directors stress as well.

In order for mutual fund boards of directors to properly do their jobs, the relatively few and far between meetings must be conducted in an efficient manner that results in a shared understanding for both parties, and the tackling of the business critical risks. A framework for oversight can bridge the gap between technologists and boards of directors, creating a “Rosetta Stone,” for the mutual understanding and appreciation for the policies and procedures in place to address cybersecurity.

Technologists have the tendency to believe that in presentations to boards of directors, the more detailed and quantitative they can be, the better. But that tendency can be counterproductive, as what boards of directors need, beyond anything, is an understanding of the critical elements to business risk when it comes to cybersecurity. An effective conversation on cybersecurity between the mutual fund board of directors and the service provider takes planning, dialogue, pushing, and compromising. At the conclusion of an effective meeting, the following questions should have been answered:

• How is that to be done to the satisfaction of all parties concerned?
• What are the topics, presentations, and proof statements that address that business risk?
• What will be the structure of the long-term oversight?
• Beyond that, what is the ongoing governance and importantly, fund compliance processes, that cybersecurity fits into?

For example, a director may have a question around how many times the firewall has been breached. But a more effective question is, “How sophisticated are these attacks?” and, “What have we done about understanding this and protecting against that?” Turning the question into a qualitative discussion addressing the business risks at the root of the problem is far more effective than understanding the amount of times a cyber event has occurred.

Patches are another topline, yet confusing item discussed during boards of directors meetings. There is often a misunderstanding by the board around the role of patches. Though it’s of course important to have patches in place, directors do not realize that if they start to pile up and go unaddressed, this can lead to cyber vulnerability.

Cybersecurity meetings are also typically the time where boards of directors review their third-party software vendors and assess performance – also an area where a lack of shared language can cause a disconnect, as third-party risk has become a top underlying cause of cyber breaches.

A board of directors meeting on cybersecurity can be likened to a homeowner purchasing a house. As a prospective buyer gets closer to closing the deal, they have more in depth and probing questions about specific details including the state the house is in, and other smaller concerns begin to arise. While prospective homeowners may not feel comfortable asking all of the questions that come to mind, the most astute of homebuyers make sure they do before making what is often the biggest purchase of their lives.

Similarly, boards of directors evade asking questions related to cybersecurity as they feel they do not have the domain expertise to do so, and feat they do not even know the questions to ask. But management and the board share a fiduciary’s interest in a functional security program. If a Rosetta Stone is built to bridge the gap in understanding and expertise, directors will walk away form a cyber meeting able to exercise informed business judgement and do right by their stakeholders.

Contributing author: James Pappas, Managing Director, Investment Company Division, ACA Compliance Group