Trustees and other fiduciaries overseeing large asset pools face increasing challenges from cybersecurity risk, and must strengthen their risk management and preparedness to deal with these potential threats.
Recent highly publicized security breaches have shown the vulnerability to cyberattacks of even big, sophisticated corporations, and the consequences to their businesses in terms of reputational damage and the costs of rebuilding relations have been enormous.
Those overseeing pension funds, endowments, foundations and other institutional asset pools, including mutual funds and alternative investments, as well as custodian banks, must build stronger walls to protect against attacks by hackers. These attacks, if successful, could threaten the integrity of their operations and the financial markets.
Development of enterprise risk management is key to addressing weaknesses and managing risks faced both internally and externally.
Top executives must assess their vulnerability to:
- breaches in their internal investment management oversight and enterprise operations, including the security of their systems, as well as breaches from unauthorized staff gaining access to proprietary data;
- leaks by their investment managers, custodians and other vendors that could compromise confidential investment details or expose systems to malicious intrusions;
- unauthorized disclosure of beneficiaries' data and weaknesses in asset owners' and vendors' abilities to protect that confidentiality;
- flaws in their trading systems, and breaches in confidentiality that could enable front-running, or weaknesses that make them vulnerable to systematic flash crashes and other malfunctions; and
- the corporations and other entities behind their existing and potential portfolio holdings, including equities and fixed income, whose exposure to cyberrisk could affect their business operations and as a result their market valuations.
Some risks are within fiduciaries' control, while others are outside their reach, but they must address both, aiming to strengthen their internal systems and influence improvement of systems outside their control. Failure to address cybersecurity issues leaves funds vulnerable to losses and the executives vulnerable to lawsuits for negligence.
Cyberrisks are a known hazard. But what makes asset overseers and money managers especially vulnerable is that the costs and chances of occurrence are unknown. There is no normal distribution of outcomes on which to base the probabilities of future effects. Cyberattacks come without warning, but fiduciaries must do more to anticipate them and prepare for them.
Fund executives ought to conduct internal assessments of their systems' security, and use external firms to audit their security infrastructure, organizational structure and governance oversight.
They should insist their money managers, custodians and other vendors provide details about their cyberrisk management and exposure, including audits of their security and how they are keeping up with new types of threats to systems.
For many money managers, embracing better cyberrisk management will be a challenge, and is likely to be costly.
David Tittsworth, executive director, Investment Adviser Association, said in a Securities and Exchange Commission round table on the issue on March 26: “Smaller firms do not have the resources the larger firms have” and could fall behind in cybersecurity.
Fund executives should seek more information from corporations about their cyberrisk oversight by reaching out to communicate with top corporate management.
Just as they are risks, cyberthreats can open opportunities for investors to invest in companies offering readiness services, or provide a competitive advantage for companies that embrace leading-edge systems.
This past April, the SEC's Office of Compliance Inspections and Examinations announced an initiative aimed at identifying areas where the SEC and the investment management industry can work together to protect investors and the market from cybersecurity threats. It plans to begin by examining more than 50 registered investment advisers and broker-dealers.
A report prepared by PricewaterhouseCoopers and commissioned by the Investor Responsibility Research Center Institute, released in June, noted, “(T)he nature of this risk makes it opaque: The sources of cybersecurity threats are hidden and, unfortunately, companies are challenged to accurately assess their exposure to cyberrisks themselves, even though they have more insights and data than are available to investors.”
“Cybersecurity threats are now widespread enough to be a concern universally,” the report said.
Tom C.W. Lin, assistant professor of law, Levin College of Law, University of Florida, noted in a paper last year, “Technological advances have made finance faster, more global, more interconnected and less human.”
Technology, including the Internet, has benefited those who oversee large pools of assets by making data more available and enriching analysis to enhance investment return and control risk. But it also has exposed them to more threats. Asset owners need to strengthen oversight of their systems to make sure technology is working in their interests and not leaving them vulnerable.