Fund Governance and Cyber-Security
Fund directors should be aware of developments in cyber-security and should address risks at board level
Cyber risk for investment funds could range from fraud to stolen intellectual property such as investment strategies and trading platform algorithms, or data relating to investors, trading, portfolios, funds or finances. The importance of safeguarding sensitive data is fundamental to good corporate governance and board directors of investment funds should be aware of the risks associated with IT security and ensure that managers and service providers are taking appropriate measures.
Very recently, the Bank of England’s Financial Policy Committee warned that financial firms in the UK are underestimating the threat of cybercrime. Cyber attacks have a significant impact on victims: according to the US National Cyber Security Alliance, 60% of small firms are forced to close within six months of an attack.
Given that investments can run into the millions (or even billions) the lack of specific risk assessment and policies can potentially be devastating. For investors, cyber resilience must be a fundamental part of assessing the value of an investment and must be reviewed alongside the financial and strategic strengths of a prospective investment target. A pre-deal due diligence assessment must identify any underlying cyber vulnerabilities, to avoid undermining future goals and protect the value of the investment itself.
An increasing number of senior managers regularly use personal email or cloud accounts to work remotely, placing sensitive information at a much greater risk of being breached. This makes a clear and strategic assessment of cybercrime risk essential.
Funds have a statutory and regulatory duty to safeguard the valuable and sensitive data they hold on investors, operating companies, investment strategies and their own operations; should such information come into the wrong hands, the impact could be significant.
Because fund directors hold a fiduciary responsibility to the fund company and its investors, it is important that they understand the risks inherent in today’s cyber crime and ensure that fund managers and other service providers can demonstrate a robust approach to combating operational breaches that could present risks to investors. Fund directors themselves are privy to sensitive information as part of their oversight responsibilities, and they too form part of any due diligence process.
Fund directors should also be held accountable for maintaining robust IT security policies, for understanding how vulnerable their existing security is at present, and for monitoring it continually. They should request information on the cyber security action plan and ensure that it is a standing agenda item at board meetings. Any threats to the security in place, or changes made to it, should be disclosed to the board, and appropriate steps taken to improve where necessary. Such questions should be raised not only with the fund manager but with all service providers to the fund.