Cybersecurity: Board and Management Responsibilities in a Risky World
October 19, 2023
October is cybersecurity awareness month. Public sector investment programs, no matter what their size, are a prime target for cybercrime. This research note focuses on the responsibilities of investment program managers (treasurers, chief investment officials and members of oversight boards) related to cybersecurity. It is not meant to suggest specific policies or steps that could reduce the risk of cybersecurity breaches; those are best left to technical and legal experts. Rather, this note lays out a framework for oversight by management and boards that have fiduciary responsibilities for investment assets.
There’s a recent podcast on the Harris School of Public Policy series Public Money Pod titled Smart Investments for Cybersecurity that can serve as a refresher/reminder that cybersecurity threats are real and public funds investment programs can be a target.
Perhaps it is a small-scale attack—compromising a single account to steal a few hundred bucks—or perhaps it is more ambitious—holding vital investment or payment systems for ransom—but threats are a growing risk.
With the proliferation of generative learning models—what’s popularly known as artificial intelligence—the technology available to support bad actors will grow and proliferate, to no good result. For example, legacy systems that rely on voice recognition may be a lot less secure than they were a few years ago.
What does all of this have to do with public funds investment? Investment systems and processes are very vulnerable because the nature of their activities (large sums of money, multiple third parties and a fast pace of activity) attracts notice from criminals.
It’s Not an Arms Race
There is a tendency to see cybersecurity as a kind of arms race where efforts are focused solely on overcoming or outgunning the bad guys. If eight-character passwords are vulnerable, go to 12 characters. Put resources into closing the “back doors” more quickly. But experts say that in an important respect cybersecurity risk mitigation is not about arming the machines; it is about the culture of an organization. We can’t expect investment officials (or trustees of local government investment pools, LGIPs) to be password experts. But management and supervisory boards can and should keep a focus on cybersecurity, recognize that it takes money and other resources to protect systems from damage, plan for “when” and not just “if,” and require accountability of third parties who are relied upon to implement cybersecurity policies and procedures.
To illustrate this perspective: the biggest source of risk is not a bug in a computer system or a weak password (though these can be problematic) but the person who clicks on a link to track a fictitious express delivery package or to access a “special” $50 gift card and ends up providing a criminal with access.
Manager and Board Responsibilities
What to do? Let’s start with a clear statement of roles and responsibilities.
Treasurers, trustees of pool boards and investment program managers are fiduciaries for the assets they oversee. This doesn’t mean they are responsible for designing or implementing cybersecurity programs. This can be delegated to experts. But as fiduciaries they have a duty of care: they are responsible for overseeing management, assuring that experts are employed, being vigilant and asking questions about the organization’s cybersecurity program. And if they are overseeing assets that belong to pool investors, they should consider what responsibilities they have for timely disclosure of cybersecurity breaches that could affect these investors.
A Framework for Treasurers, Investment Officials and Boards
To develop the framework described below we looked to several sources for guidance. (There are references in the End Notes.) The Securities and Exchange Commission in 2022 proposed rules (still under consideration) that would apply to registered investment companies and investment advisors, and also adopted a rule in July that applies to public companies. From these rules we can distill guidelines for managers and boards. Boiled down to their essence, the hundreds of pages of rules and commentary from industry experts resolve to a few principles:
Investment organizations should have written policies and procedures that are appropriate to their business.
The policies and procedures should be based on risks that are specific to the organization’s business.
Reporting and disclosure should be a component of the policies and procedures.
Policies and procedures should include incident response and recovery plans.
Policies and procedures should be kept current.
Fiduciaries should exercise oversight of those responsible for cybersecurity.
Partly in response to the SEC’s proposed rules, the Mutual Fund Directors Forum (an independent non-profit organization that serves the independent directors of mutual funds) and Deloitte published a white paper last year on the role of mutual fund directors in the cybersecurity space that provides a good roadmap of responsibilities.
Treasurers and boards of local government investment pools are not subject to the SEC’s rules in this regard, but the rules may be viewed as providing a base of best practices. And the knowledge base created by those who proposed the rules and by the industry commentators who submitted hundreds of pages of comments provides a strong grounding for public officials seeking to implement best practices in this area.
With this background we suggest the following framework for cybersecurity policy:
1. Organizations should develop and keep current written cybersecurity policies and procedures that are tailored to the business of the organization. Policies and procedures should be clear about who is responsible for cybersecurity. This may involve third parties (see item 2 below), other executives of the organization or a committee of a pool board. Best practice is to align cybersecurity with the risk management function of an organization. For a board, this might involve a risk management committee, or it may be the entire board. Treasurers who have assigned risk management to an executive, or boards that have a risk management committee, should make clear that cybersecurity is part of the charter of responsibilities. Policies and procedures should provide for the treasurer/board to exercise responsibility for supervision/oversight.
2. Where an organization retains an investment advisor, the organization may assign oversight of other service providers (banking, custody, fund accounting, shareholder recordkeeping, etc.) to the investment advisor. If the organization relies on an investment advisor to oversee/monitor cybersecurity at other outside parties (banks, recordkeepers, etc.), this should be explicit in the organization’s policies and procedures. The organization should have procedures to monitor this aspect of the advisor’s responsibilities. Periodic review of the advisor’s performance under its contract should include an element to assess how it is carrying out the assigned cybersecurity responsibilities. The organization should have a procedure to be informed about the advisor’s cybersecurity monitoring of other outside parties and its findings related to these parties. Where an organization does not designate an advisor to oversee cybersecurity of other service providers, or where one or more service providers are outside of the advisor’s oversight, the organization’s policies and procedures should include details on how the organization will monitor this directly.
3. Organizations should conduct a periodic review of cybersecurity risks and the effectiveness of their cybersecurity programs. Those responsible, either directly or by delegation, for cybersecurity should report on risk and effectiveness so that the treasurer/chief investment official or board has an opportunity to be informed and ask questions.
4. Organizations should have an incident response plan that contemplates cybersecurity events of various types and details responsibilities and response times. If the plan is developed and maintained by an investment advisor, the organization/board should encourage tabletop exercises by responsible parties and require that the investment advisor report the results of tabletop exercises to the board as part of its periodic review of programs. The plan should be explicit on what involvement the board (directly or through a board officer or committee) wishes to have in managing/overseeing the response to any specific cybersecurity incident, considering, among other things, the level of severity, demands for timely action and accountability for the result. The incident response plan should consider procedures/constraints that public agencies may have in responding to such things as demands for ransom payments or confidentiality.
5. Organizations/boards should formalize a reporting and disclosure plan that will be used in the event of a cybersecurity incident. Because these incidents happen without notice, often require quick response and may implicate sensitive matters (payment of a ransom, compromise of outside investor information, etc.), it is best to consider reporting and disclosure before the heat of battle, as it were. If third parties are involved, the reporting policy should specify timeframes for reporting/disclosure. The policy should also consider informing outside investors who may be affected by a breach that involves banking or other confidential information of or related to the investors.
6. Organizations should conduct a periodic review of their cybersecurity program, including elements implemented internally and those assigned to third parties. This periodic review should include a focus on third party risk. Parties should be asked to self-assess to identify any internal deficiencies in their efforts.
7. Cybersecurity programs for pools should include an element of investor/participant training. Participants/investors may be perceived by bad actors as a weak link and thus the focus of compromise efforts that ultimately affect the pool. Training and equipping investors to support the organization’s cybersecurity efforts should be a part of ongoing efforts.
8. Organizations should consider the use of cybersecurity insurance. The place of insurance in a cybersecurity program is complicated. Outside parties may have their own insurance, in which case the organization should understand whether there are gaps in coverage. Moreover, insurance doesn’t compensate for damage to the reputation of the organization that may stem from a cybersecurity breach. But insurance may bring with it outside expertise in incident management and may facilitate payment of ransoms, which could be a significant issue for a public entity.
The Bottom Line
Treasurers/chief investment officials and boards are fiduciaries. Their role is to oversee, remain vigilant, ask questions, and satisfy themselves that those to whom they have delegated responsibility carry out those responsibilities.
This research relies on a number of sources that are available to public agencies. Among the most useful:
Greetings, fellow colleagues in the public funds investment community! I'm Marty Margolis, a seasoned expert with a deep understanding of the intricacies of managing public sector investments. Having led the growth of PFM Asset Management and managing assets exceeding $150 billion, I am excited to connect with you through the Public Funds Investment Institute. If you haven't already — subscribe below to join our community, explore our thought leadership, and gain valuable insights. I encourage you to connect with me on LinkedIn or reach out via email to share your thoughts, feedback, and ideas. Let's collaborate and make a positive impact together.
Best regards, Marty Margolis