Cybersecurity and data privacy are important topics for everyone these days, and the investment management industry is no exception. Funds, either directly or through third parties, hold the information of investors that have invested more than $19 trillion in assets. That amount of personal information, together with the incredibly large pool of assets represented by the industry tends to attract a good deal of attention.
Fund groups can be vulnerable not only directly but also through the various service providers that are critical to the funds. The other aspect of this topic that is challenging for the industry is that it is not a traditional '40 Act topic. Data privacy and cybersecurity require their own expertise. The topic develops and morphs constantly – it's never quite done, and it changes at a faster pace than compliance or other risk-related fields. One significant challenge for any fund group is not just to create and test its own data security program, but to evaluate the programs of others – of its service providers. Fund groups not only have to identify which service providers to focus on, but also have to determine how frequently to diligence those third parties, and have to grapple with the fact that third-party providers may not wish to give them the access needed to do so.
All of these challenges are unfolding not just with respect to a topic that is relatively new and constantly changing, but at a time when regulators, including the SEC, could not be more focused on the issue. The SEC has in fact made numerous pronouncements and issued guidance, and this is clearly a top priority for regulators. The SEC is also dealing with its own issues, having announced recently that a hack of its EDGAR system may have led to insider trading. As a result, it has added significant resources and attention to its own data privacy and cybersecurity program. And at a time when regulators are often competing with each other, none of them wants to be embarrassed or to appear not to have been on top of things. That means the regulatory environment will not likely be forgiving of problems that have a material impact on a fund group or its shareholders. And if problems are detected, or the SEC identifies a significant concern, some, if not all, will likely be labeled as compliance violations – bringing an adviser’s and fund group’s compliance framework directly into the mix.
There are numerous ways to try to address these issues. First, it's important to have a well-documented data privacy and cybersecurity program. It's important to be able to show recurring tests of critical systems and vendors – fundamental due diligence. It's also good to consider hiring sophisticated and knowledgeable technology officers or, for small fund groups, retaining known and reputable consultants to help. Conducting tabletop exercises that test the program under various scenarios is also a good idea. And as usual, it's important to remember the role of the Board as an important overseer – the Board is a strong line of defense. It's critical to consider what reports the Board is or will be getting, how often it receives them, who is preparing them, and what they contain. In that regard, the adviser's personnel with cybersecurity and data privacy expertise will be important allies for the Board in its oversight role.