By Hank Clement
With the SEC’s continued focus on cyber security as a priority, mutual fund boards want to ensure they are properly protected in the event of a breach. When we evaluate overall protection, insurance is only a small part of the equation. The most important aspect of cyber risk management is the structure of the pre-breach and post-breach services that are provided to help avoid a breach and, if necessary, respond to one.
Many mutual funds have their data handled by other parties, including but not limited to administrators, transfer agents and advisors, and have very little, if any, direct exposure to a cyber loss. The risk lies with the parties that have control of the shareholder data. If there is a data breach, however, the fund could be negatively impacted, so mutual fund directors need to conduct due diligence to be sure they are comfortable with a vendor’s levels of data security and breach response plans.
Once a board is comfortable with network security, the focus should shift to how the vendor is going to respond to a breach. This is just as important as prevention and security. Having the infrastructure in place to respond immediately to a breach is vital in terms of containing overall costs and limiting reputational damage.
After asking the right questions, the board will likely find that a significant part of the vendor’s post-breach response plan will be reliance on, and partnership with, a cyber insurance carrier. One of the most valuable benefits of a cyber insurance policy is not just the insurance coverage itself, but rather the accessibility to the carrier’s post-breach response team. This team will include a law firm to help determine legal requirements and provide counseling on how to appropriately respond in the event of a breach. In addition, it will include computer forensics, crisis management, credit monitoring and notification firms, all of which will play a key role in mitigating the overall breach damage.
As a fund director, it is also imperative to be sure that the fund’s Directors’ and Officers’/Errors and Omissions Liability Insurance Policy (D&O/E&O) does not exclude claims arising from privacy-related issues. It is important to know whether an insurance carrier will provide defense costs coverage if claims are brought by shareholders for mismanagement of their data or other allegations related to a breach. The funds may not have direct privacy exposure but may easily be named in a suit by shareholders, with a potentially negative impact on the fund. This type of allegation should be defended and covered by the fund’s D&O/E&O insurer. Registered funds are also required to carry investment company blanket bonds, which protect against employee theft, and some of these bonds are starting to cover certain cyber-type risks.
A board should inquire about a vendor’s network security systems and confirm that everything possible is being done to keep shareholders’ data secure. It is vital that a board know how communication of a breach is going to be handled. This needs to be settled before a breach occurs so the process of notifying affected individuals can be as streamlined as possible.
Not every institution will need a separate cyber insurance policy. However, it is imperative that you have a pre-breach and post-breach plan in place to mitigate and respond to suspected and actual breaches.
Hank Clement is Managing Director, Altus Corporate Risk. Email him at [email protected].