Cybersecurity continues to be one of the top risk management issues facing mutual fund boards today, with continued scrutiny coming from regulators and investors alike. Potentially facing financial loss and reputational harm from growing threats, stakeholders are taking an even closer look at what protocols are in place to minimize harm. Here are some best practices gleaned from our work with hundreds of leading asset management firms and financial institutions worldwide.
Understand the exposure
To mitigate loss from a cybersecurity event, it’s important to first identify the exposures that could give rise to an incident. One of the most significant exposures facing mutual funds stems from their reliance on third-party service providers to conduct the majority of their business. Mutual funds can be exposed to, and suffer losses from, cyber events occurring within these external organizations – and such incidents are largely out of its control. For example, if a service provider’s computer systems are hacked and the services it provides to the mutual fund are impaired, mutual fund investors could suffer a loss.
So, how can a mutual fund board mitigate its risk of loss? If a cyber event does occur within their own or third-party systems, what protections are in place to mitigate its impact on the mutual fund?
Mitigate potential loss
Mutual fund directors are obligated to vet the service providers they engage on behalf of the investment companies they serve. From a best practices perspective, boards should understand the scope of their service providers’ cyber risk framework, including its maturity and the specific security measures in place. The due diligence process should not stop there, as people and cultural factors within an organization also contribute to cyber risk and cannot be ignored.
Research from Willis Towers Watson found that employee negligence or malicious acts account for two-thirds of all cyber breaches; in contrast, only 18% are directly driven by an external threat. Additionally, 90% of cyber claims result from some type of human error or behavior. Given the link between people and cyber threats, mutual fund boards should fully assess the cultures surrounding risk at their service providers’ organizations.
Four questions the board may consider asking a service provider:
- How is an individual’s sense of responsibility and accountability assessed?
- Are tools like the Willis Towers Waston Cyber Risk Culture Survey used to measure risk inherent in employees’ behaviors?
- How are employees trained and tested?
- How often are cyber crisis plans tested and updated?
These types of questions will enable boards to enhance their due diligence processes and make informed decisions about the key service providers they engage on the funds’ behalf. Of course, these questions should be asked in regard to the asset firm as well, particularly in regard to employees who handle sensitive data.
Have proper insurance in place
While these actions will help mitigate exposure, it’s impossible to completely eliminate the risk of loss resulting from a cyber event. As such, mutual fund boards should also understand their cyber-related risk transfer options, such as indemnity and insurance, both at the fund and service provider levels.
With respect to cyberinsurance, mutual funds typically negotiate the inclusion of such coverage under a policy procured by their investment advisors. Further, boards should understand how such policies interact with other potentially relevant insurance available to the mutual funds, such as Directors & Officers and Errors & Omissions liability and fidelity bond programs. Proactively understanding the interplay of these coverages, as well as their limitations, is critical and will mitigate the risk of confusion in the event of a cyber-related claim.
While risk management practices have evolved, the dark side of digital connectivity is a growing concern. Though not all encompassing, these steps should assist mutual fund boards in navigating the ever-evolving cyber risk landscape to ensure their asset management firms stay in front of the threats to mitigate damage.
To learn more about how to protect your asset management firm from cyber risk, download the Willis Towers Watson 2017 Cyber Risk Survey Report. Learn more about how to mitigate culture risks in our Cyber Risk Culture Survey or read the press release.
Timothy M. Sullivan is the Asset Management Industry Leader, FINEX, at Willis Towers Watson.
Rob Yellen is Executive Vice President, D&O and Fiduciary Liability Product Leader, FINEX, at
Willis Towers Watson.