Recent risk alerts from the SEC’s Office of Compliance Inspections and Examinations and remarks from Commissioners have increased an already aware industry’s focus on cybersecurity oversight. To assist directors with this emerging topic, the Forum today released a new report titled Board Oversight of Cybersecurity. Boards are not on the front line of securing fund systems from attack; however, their traditional role of oversight adds value to the process. Though trustees have long overseen other areas of operational risk, this particular subset may represent new territory for some.
This Forum report assists directors by outlining cybersecurity risks and describing the context of those risks. To that end, the paper discusses areas in which a board may want to develop a familiarity, such as:
- a fund’s technological framework and its sensitive data;
- the approach of a fund’s key service providers to cybersecurity;
- ongoing threats to a fund’s technological infrastructure and service providers; and more.
The report also offers suggestions as to how boards may wish to address cybersecurity oversight and covers topics such as:
- Structuring a board’s oversight of cybersecurity;
- Communicating with advisers and service providers to understand how current technology frameworks are protected;
- Establishing a reporting and notification policy in the case of cybersecurity events;
- Reviewing cybersecurity response plans;
- Properly disclosing cybersecurity-related risks; and more.
The report can be found here.