By John Baumgardner and Roger Joseph
In the past few years, cyber security has emerged as a major issue for mutual fund directors. Mutual fund boards understandably have drawn lessons from the experiences of corporate boards. After all, some of the most well-publicized and costly cyber security breaches have occurred at operating companies. In many cases mutual fund boards have also, quite reasonably, looked to guidance originally issued in the corporate context.
There are, however, important differences between the business contexts in which mutual funds and operating corporations conduct business. In our view, an understanding of those differences should inform mutual fund boards as they structure their oversight of cyber security.
Most importantly, a mutual fund, unlike an operating company, has no employees or information technology infrastructure of its own. It relies entirely, or nearly entirely, on service providers. Practically all of its operations are conducted by other entities, and all of its data is housed in systems owned and operated by others. While that is likely to be the case to some extent in the corporate context (for example, shareholder information for publicly traded operating companies), it is inherent in the way nearly all mutual funds operate.
A mutual fund’s service providers will also vary considerably in the types and sensitivity of the data they hold, as well as in the degree to which they are susceptible to the influence of the mutual fund board. The fund board will likely have considerable regular contact with the fund’s investment manager, whose family of mutual funds may well be its most significant client, perhaps its only client. Although the manager operates and maintains portfolio management and other financial accounting and tax systems, it rarely holds fund assets or sensitive personal information of its shareholders. Assets are held by bank custodians and in turn by central securities depositaries, and shareholder information by the fund’s transfer agent, or through intermediaries, such as broker-dealers, retirement platforms, variable annuity providers and others, through which shares are held.
These contexts emphasize both the complexity of the actual systems on which cyber security depends and the distance at which funds and their boards stand from those systems. Boards of course cannot disregard cyber risk, whether it arises from the theft of personal shareholder information or a disruption of the manager’s or custodian’s systems or operations, any one of which could harm the fund or shareholders. For example, if a hacker were to gain information as to the manager’s purchase or sale decisions, the hacker might be able to trade ahead of the fund, increasing the fund’s execution costs. The mutual fund board of course is not the board of the manager. But of all the fund’s service providers, the investment manager is the one over which the board may have the most influence. The fund board may have regular contact with the manager’s chief technology or information security officer or otherwise understand its cyber security defenses. Moreover, because the fund board represents such an important client of the manager, it can often have significant influence over the way in which the manager conducts its business.
Nonetheless, greater cyber security risks may arise within other service providers. For example, a major cyber security disruption at a custodian, or a foreign sub-custodian, might affect a fund’s ability to dispose of assets or execute or settle securities transactions; conceivably, fund assets could even be lost. Imagine, for example, that the security of foreign sub-custodians or central depositaries is breached, and the hacker is able to cause the delivery of funds or assets to a location even temporarily out of reach of the fund.
As devastating as the potential consequences of a cyber security incident might be, the fund board’s ability to obtain information from and exercise influence over third-party vendors, such as custodians and sub-custodians, may be limited. A custodian or sub-custodian will likely have hundreds of other clients. It may be unrealistic for a fund board to expect to see senior network professionals of the custodian at all or more than occasionally. In our experience, fund boards rarely, if ever, meet with representatives of sub-custodians, but instead rely on the primary custodian or the investment manager to establish and supervise the sub-custodian network.
Another factor that limits a fund board’s oversight of custodians and transfer agents is that the selection of those service providers occurs infrequently (in contrast to the investment manager, whose contract is considered yearly). The selection of these service providers is typically based on multiple factors, including capacity, service levels and cost, of which cyber security is but one. Even when the fund board asks for information, certain information may not be forthcoming. For example, a custodian may be concerned that if it shares information about a cyber security breach with multiple fund boards it may inadvertently expose a vulnerability which a hacker could ultimately exploit.
Similar issues limiting board influence and oversight, but also with possibly disruptive consequences of breach, apply to other service providers. A fund’s transfer agent will hold sensitive shareholder information, which could be exploited by a hacker, for example, to submit a redemption request and transfer the proceeds to someone other than the rightful shareholder. The same holds true for broker-dealers and other intermediaries through which shareholders hold their interests in the fund. Note that in these cases the fund board does not even select the service provider. Other types of service providers, such as pricing vendors, may play a crucial role in the daily calculation of net asset value; a disruption at such a vendor could prevent the fund from meeting one of its fundamental obligations, which is to price and redeem shares on a daily basis.
It should now be apparent that mutual fund boards, in contrast to corporate boards, face many challenges in overseeing cyber security at critical service providers over which they have no or limited control, but whose cyber security failures could be disastrous for the mutual fund.
Another side to this coin
Mutual fund boards have advantages too. In overseeing third parties, the mutual fund’s board can draw on the resources and expertise of the fund’s investment manager. The interests of the manager should be closely aligned with those of the mutual fund in selecting service providers with robust cyber security programs. The manager’s personnel may be able to evaluate a third party’s cyber security programs in a more dispassionate way than, say, the officers of a corporation may be able to evaluate their own technology and systems. Their dispassion may be offset to some degree by limited leverage, the availability of few like providers, and the size of the manager’s and fund’s relationship.
In the operating company context, if customer credit card records are hacked, the operating company will bear the reputational consequences and (subject to any available insurance) the financial consequences as well. If, however, information belonging to a mutual fund is hacked, other customers of the relevant service provider may also be affected, diluting the reputational harm to the fund. For example, it strikes us as unlikely that a hacker will identify a particular mutual fund’s custody account or transfer agent (TA) records held by large service providers. Also, the service provider may bear the financial consequences, either as a matter of contract or to maintain its reputation and business relationships. One practical implication is that a mutual fund board may wish to gain an understanding of the contractual terms that may establish, or limit, a service provider’s responsibility for a cyber security incident.
We have written in generalities, and those generalities may not hold true for your fund or your board. For example, your fund’s investment manager may also serve as a transfer agent or shareholder servicing agent, and thus hold the personal information of fund shareholders. By the same token, some corporations may face issues similar to those of mutual funds to the extent they rely on third-party vendors, such as transfer agents and broker-dealer intermediaries, or where a corporation relies on “cloud computing” resources or other third-party data hosting. And we have not addressed possible regulatory consequences under federal or state laws that address cyber risks and shareholder and customer protections.
It is useful for mutual fund boards to draw on the experiences of corporate boards in overseeing cyber security. But there is no one-size-fits-all approach that governs a mutual fund board’s oversight. Rather, that oversight should be grounded in an understanding of the mutual fund’s reliance on service providers, the nature of the data they respectively hold, the resources available to the fund board in overseeing each service provider, and the degree of recourse the fund might have to that service provider in the event of a cyber security failure. In all these areas, the business context in which a mutual fund board operates may differ from that of a corporate board.
John Baumgardner is a partner at Sullivan & Cromwell in New York, concentrating on independent trustee engagements. Roger Joseph is a partner at Morgan Lewis in Boston, whose investment management practice includes representing funds, sponsors and independent directors.