5 Cybersecurity Considerations for Investment Companies

Your fund’s day-to-day operations likely depend on technology to run smoothly and efficiently, but this dependency poses risks due to the proliferation of cybersecurity threats. Recently, ACA’s Thomas Riley and I hosted a live webcast discussion on cybersecurity best practices and trends for investment companies and their boards, sub-advisers, and service providers. Here are 5 takeaways from our webcast that your fund can implement to help mitigate cybersecurity risk and protect your fund’s assets and reputation:

1. Make sure your fund board implements cybersecurity governance and oversight — The board should be familiar with your fund’s approved cybersecurity strategy, policies, and procedures, and should be able to demonstrate oversight of cybersecurity risk management. The board should have an ongoing dialogue about cybersecurity with your firm’s CCO, CISO, and critical service providers. This dialogue should focus on strategic cybersecurity planning, incident response planning, updates to regulatory rules and requirements, cybersecurity threats, and impacts of a potential incident or event. The board should document its decisions and resolutions related to cybersecurity matters in meeting minutes.


2. Make sure your fund board and senior management understand your fund’s technological framework — They should be familiar with the key systems used by your fund adviser and service providers, in addition to the types of sensitive data for which your fund is responsible and where that data resides. They should know which service providers maintain data, have access to adviser systems or information on your fund’s sensitive data, and know whether service providers are prepared for cybersecurity incidents.


3. Maintain proper oversight of service providers, including sub-advisers — Establish a risk-based approach that focuses on your fund’s largest service providers that have access to the most sensitive or greatest volume of data, and with the sources of highest risk impact to your fund and shareholders. Understand the cybersecurity risk of key functions performed by service providers (including fourth-party risks), and the impact a cybersecurity event or incident may have on your fund’s day-to-day operations. Maintain a comprehensive cybersecurity due diligence process related to sub-advisers.


4. Implement a reporting and notification policy for cyber events/incidents — The policy should detail your board’s notification and escalation expectations depending on the significance and severity of a potential cyber event or incident. Maintain a regulatory data map that summarizes state reporting obligations for data breaches.


5. Conduct annual risk-based reviews and board reporting — The annual review should include an assessment of your fund’s cybersecurity policies and procedures and the effectiveness of their implementation. Partner with internal stakeholders to identify key cybersecurity risks and ensure the assessment of cybersecurity policies and procedures are appropriately included in the annual written report to your board. Maintain documentation of findings and results, and implement a remediation plan to address weaknesses.

Miss the Webcast? Replay it Here.

For access to the full Cybersecurity Considerations for Investment Companies webcast discussion, listen to it on-demand.

About the Author

Askari Foy is a Managing Director overseeing ACA Aponix's Global Regulatory Cybersecurity Practice. He recently joined ACA after serving for over 13 years with the U.S. Securities and Exchange Commission (“SEC”), where he was most recently Associate Director and Head of the National Technology Controls Program (“TCP”) with the SEC’s Office of Compliance Inspections and Examinations (“OCIE”). TCP conducts cybersecurity examinations of registered investment advisers, broker-dealers, national securities exchanges, clearing agencies, automated trading systems, and self-regulatory organizations to ensure compliance with federal securities laws. As head of the TCP, Askari developed and implemented cybersecurity risk-based examination and surveillance strategies that promoted the importance of cybersecurity and IT Governance structure among SEC registrants. Askari was also a contributor to the implementation of Regulation SCI, which focuses on critical market infrastructure and is used as a guideline for investment adviser and broker-dealer examinations.