Five Considerations on Cyber Security Oversight

At a recent MFDF event, panelists discussed how boards can effectively partner with fund management on oversight of cybersecurity at the adviser and fund service providers, among other topics. Participants, including directors, CCOs and representatives from fund management and the SEC, discussed what boards should be alert for and questions that help facilitate oversight of management’s policies and procedures as well as that of third parties and fourth parties.  Below are some questions raised during the discussion that may be helpful to directors. For additional information and questions to raise with fund management, review the MFDF’s white paper: Board Oversight of Cybersecurity.

1. Does the adviser’s cyber security oversight program include policies and procedures for the oversight of fourth parties (vendors to the service providers)?
2. What makes a good incident response plan? How often is management’s incident response plan updated?
3. How does management assess differences in the security standards of better resourced-service providers vs. smaller service providers? How does management account for and fill the gaps in vendor standards?
4. How does the CISO (chief information security officer) keep up with industry developments? How often does she communicate with management on cyber security trends and incidents?
5. How do company metrics (e.g., number of infiltration attempts, successful attempts, frequency of staff training) compare with others in our industry?