In remarks to the mutual fund industry, SEC Commissioner Luis Aguilar described "the risk of hackers gaining unauthorized access to funds' systems and communications to steal information about funds' investment strategies and pending transactions [and] front-run large, market-moving trades." Aguilar encouraged the industry to "get out in front of the problem to help prevent and mitigate investor harm."
Proper cybersecurity risk management among mutual fund and ETF providers requires a proactive, system-wide approach. Waiting until a breach occurs to prepare a response may be "too little, too late." Although no one-size-fits-all solution exists to manage cybersecurity risk, visionary and innovative fund providers may wish to consider the following three tips:
1. Form a team and a plan before a data breach occurs.
Include a group of individuals with a broad knowledge base about how you collect, use, share and store sensitive data.
Prepare a plan for handling a potential data breach that includes steps for investigating the suspected breach, notifying victims where necessary, and communicating publicly about the incident.
Develop a comprehensive plan centered on the five core functions addressed in the cybersecurity framework coordinated by the National Institute of Standards and Technology: identify, protect, detect, respond, and recover. It should include training, drills and internal (and preferably independent external) audits to ensure adequate cybersecurity policies and practices.
2. Specifically assign oversight responsibility and accountability
Assigning responsibility and accountability to leadership shows regulators and the public that cybersecurity and protection of data is a top priority.
You should also require vendor accountability by incorporating privacy and security measures into your vendor contracts. You may also wish to consider incorporating indemnity or insurance requirements.
3. Encourage a culture of security and privacy
By establishing leadership and accountability, you send a universal message to your organization that security and privacy are priorities.
A strong security culture raises awareness and sensitivity to data security best practices among employees.
Cybersecurity risk cannot be completely eliminated, but it can be effectively managed. These tips should assist in finding the right balance to fit a fund provider's needs and characteristics. By proactively addressing cybersecurity risk in a well-thought-out and informed manner, you can give regulators and the public confidence that you are responsibly managing an increasingly important risk across the country.
W. Brad Neighbors and Brandon N. Robinson are attorneys in the Birmingham, Alabama office of Balch & Bingham, and are members of the firm's Privacy & Data Security practice group.