What role does an Investment Company’s Board of Directors have in managing Cybersecurity?

Cipperman’s compliance, technology and security experts work directly with Boards to
help them implement an appropriate Cybersecurity Program and to demonstrate that they
are exercising appropriate oversight and fulfilling their fiduciary duty.

Download our summary:

CCS CyberSecure for Investment Companies

Governance and Risk Management.

Basic understanding of the fund's IT environment
Focus on the risk areas of each service provider
Establish standards for the fund's vendors
Reporting protocol through the Rule 38a-1 compliance process

Information Access Rights and Controls.

Understand where fund data is stored
Know who has access to fund information
Assess whether vendors can adequately manage access controls
Require reporting of unauthorized access

Data Loss Prevention and Protection.

Assess service providers' IT backup plans
Determine whether vendors can restore data on a timely basis
Know where key data is maintained
Analyze the results of business continuity tests

Mobile Security and Device Management.

Determine whether the fund allows remote access to data
Analyze fund risks when the IT network is expanded
Assess vendor controls over remote access
Set fund standards for mobile device use

Oversight of Service Providers and Vendors.

Perform adequate due diligence on vendors
Analyze the contract of each key vendor
Conduct ongoing assessment and monitoring
Review vendor internal control reports

Technology Training and Awareness.

Assess the training programs of service providers
Deliver consistent education messaging to vendors
Maintain Board member cyber knowledge and awareness
Track current industry threats and weaknesses

Incident Response and Resiliency Plan.

Develop a communication protocol with vendors
Define the Board's process for vetting incidents
Establish incident response standards at each service provider
Assess the need for cyber insurance

Board Level Responsibilities on Cybersecurity

Over the past five years, we have seen regulators focus on the cybersecurity responsibilities of advisers and sub-advisers, along with other service providers in the investment management industry. More recently, our experience indicates that this focus is expanding to the Boards of registered investment companies.

Why does Cipperman believe that the regulators are expanding their cyber reach to the Boards of mutual funds?

The Board has a fiduciary obligation to oversee the operations of the Fund. It must ensure that service providers have adequate and reasonable cyber controls in place to prevent, detect and contain a breach or other cyber incident. The Board must also be able to assert to the fund's stakeholders that it has the required cybersecurity oversight and monitoring controls in place.

An investment company’s Compliance Program (Rule 38a-1) must also address the following:
– Safeguarding client information and records (SEC Regulations S-P and S-ID);
– Safeguarding the integrity of the fund’s records and financial reporting systems (1940 Act Rule 30a-3);
– Business continuity and incident response plans; and
– Custody of fund assets.

Based on these fiduciary obligations and the required elements of the compliance program, we believe that Boards must act now to implement the necessary cyber oversight and governance controls.

Need help?

For more information on Cipperman’s CyberSecure for Funds, you should: