Cybersecurity and the evolving threats in asset management

The fund board’s role

While cybersecurity is unprecedented and sometimes technically complex, fund directors are tasked with:

• Understanding the broad nature of the key cybersecurity threats
• Asking management how risks are being managed
• Being informed on how cyber risk incidents are identified and what response protocols are in place
• Understanding key cyber risks that may impact the fund complex

Implementing an effective cybersecurity oversight and governance program is critical to managing cyber risk and the resulting threat landscape.

Increasing threats to mutual funds

As mutual funds increasingly rely on technology, cyberthreats have skyrocketed. For example, distribution channels utilizing digital apps are potentially subjected to a greater number of distributed denial of service (DDoS) attacks. Ransomware and data theft risks—for both client data and intellectual property—are prevalent across organizations. The threats surface across:

• Front-office operations, including investment strategies, propriety trading algorithms, robo-advisers, and portfolio management
• Middle-office operations, including compliance reporting, payments and settlements, and risk models
• Back-office operations, including fund accounting, reporting, HR, finance, and marketing

Fraud is another materialized cyber risk, perpetrated not only by external actors but also by malicious insiders. For instance, settlement and finance systems can be exploited by unmonitored access, as well as data transmission protocols used in the financial sector, including SWIFT and FIX systems.

The increasing use of robotic process automation, artificial intelligence, and machine learning—without proper controls in place—can expose firms’ cyber vulnerabilities. Additionally, outsourcing to third parties, cloud service providers as part of digital transformation, and a remote workforce due to the COVID-19 pandemic contribute to an expanded attack surface.

Building a sustainable cybersecurity program

Fund directors are not responsible for designing or overseeing a cybersecurity program. Rather, it is the board’s role to oversee management and the adviser’s efforts in this area. The board, nonetheless, should remain vigilant and ask key questions about the cybersecurity program.

Advisers and other key service providers can choose from various frameworks to develop their cybersecurity programs. While a deep understanding of these programs is beyond the scope of the role of directors, a broad appreciation can help boards organize their oversight and identify key questions of interest.

The five-step framework suggested by the Association of International Certified Professional Accountants, laid out below, can help fund complexes prevent, detect, and mitigate cybersecurity incidents. The steps also can provide a helpful outline for board oversight and understanding. The steps are:

• Identifying and communicating what needs to be protected
• Assessing and classifying roles
• Developing and prioritizing processes
• Responding and enforcing
• Continuously learning and evolving

Emerging areas in cybersecurity

With digital transformation comes the cyber evolution. Most advisers and mutual fund organizations are undergoing expansive business and digital transformations driven both by market needs and the pandemic. Boards should be aware of the potential cyber impact of these efforts and how the advisers are managing the resulting risks. Some initial questions to consider are:

• Does the ease of automation create greater risk?
• How secure is the cloud?
• Does virtual work come with virtual risk?

Conclusion

Like other oversight roles, directors are empowered with exercising their business judgment over cybersecurity-related issues. To effectively do so, boards should have the right information and ask the right questions. And most importantly, there must be a shared understanding between senior management, technology executives, and directors of how these complex technical issues impact business-critical risks across the value chains of advisers, fund complexes, and third-party service providers; how they are detected; and the governance around escalation, communication, and reporting protocols.