The SEC’s decision earlier this year to withdraw its proposed cybersecurity rules for investment advisers and funds removed the prospect of prescriptive federal requirements for the asset management industry.
The rules would have mandated formal cyber policies, set incident reporting timelines, and established explicit board oversight obligations.
But the absence of a final rule does not diminish a board’s responsibilities.
Directors are still fiduciaries under the Investment Company Act of 1940 and the Advisers Act, which means it is their responsibility to oversee the way fund advisers and key vendors manage cyber risks.
“Boards aren’t responsible for setting up an appropriate cybersecurity program,” said Carolyn McPhillips, president of MFDF, formerly the Mutual Fund Directors Forum. “Instead, it’s their role to oversee what the adviser and other service providers are doing. Boards simply don’t have the expertise for this, since the threat methods change all the time.”
Oversight is not execution, but knowing the right questions to ask still takes some preparation, according to Thomas Kim, CEO of the Independent Directors Council (IDC).
“Cybersecurity risk is one that in recent years has gained prominence for good reason,” he said. “With rapid technological developments, both as a tool and as a threat, boards are becoming more educated and engaged in this area.”
While the SEC could revisit rulemaking, directors are expected to rely on fiduciary duty, rigorous oversight, and proactive questioning for now, Kim said.
“Regardless of whether there’s regulation, the importance of cybersecurity risk management is absolute,” Kim said. “If a breach happens in part of a financial services firm, it could potentially affect the interests of the fund and its shareholders. Boards need to ensure preparedness now—not after the fact.”
Heightened accountability in a principles-based framework
“Boards should be asking advisers whether they’re using multifactor authentication, whether vendors are tested regularly, and whether there’s a clear incident response plan,” said Tracy Soehle, associate general counsel at the Investment Adviser Association (IAA).
Directors don’t need to know every technical detail, she said, but they should know enough to be confident that advisers have robust plans in place to counter rapidly developing risks.
For directors, McPhillips and Kim agreed, the main goal is to make sure advisers have set up both robust programs and response plans, especially given the variety in structure across fund complexes.
“Funds that are part of large financial services companies like banks are going to have cybersecurity programs that look a lot different than a standalone fund in a small complex,” McPhillips said. “Boards need to understand where their funds sit and what kinds of resources the adviser is putting into cybersecurity.”
Without prescriptive rules, boards must assess risks specific to their funds and ensure oversight matches the scale of operations.
“Stepping back from prescriptive rulemaking hands boards more discretion, but it also heightens accountability if something goes wrong,” said Aisha Hunt, founder of Kelley Hunt, PLLC. “Principles-based oversight requires sharper questions and stronger documentation.”
“With federal prescriptive rules off the table for now, state laws and regulatory frameworks, from New York to California, are setting the effective baseline,” Hunt said. “Boards should be actively benchmarking advisers and vendors against those standards.”
Emerging risks: AI, crypto, and beyond
Evolving technologies add urgency, McPhillips warned. AI introduces new vulnerabilities in data protection, for example, while crypto assets pose unique risks in safeguarding access, she said.
“Technologies can be powerful tools, but they can also be used in ways that are antithetical to the interests of investors,” Kim agreed. “Boards need to think about digital assets, tokenization, and artificial intelligence not only as innovations but also in the context of cybersecurity risk.”
And, increasingly, boards are asking advisers about how they prepare to deal with those risks, he said.
“What is the risk mitigation strategy?” Kim asked. “What prevention tools are in place? Have there been tabletop exercises or simulations to test readiness? And if a breach occurs, is there clarity on how the firm will respond to protect investors?”
To answer those questions, boards should be pushing advisers to look ahead, according to Nicole Baker, associate chief counsel at IDC.
“Boards may want to ask questions about plausible cyber risk scenarios that are of most concern to the adviser,” she said. “What is the strategy if those scenarios materialize, and what would be the financial and nonfinancial impacts?”
They also need to look clearly at risks outside the fund complex, Soehle said. “A weak link in the vendor chain can expose the fund just as much as an internal breach,” she said, urging directors to press advisers on how they vet outside providers.
Directors should also look into financial countermeasures, including cyber insurance policies designed to help cover remediation costs and penalties when defensive efforts fall short, Soehle said.
“Cyber insurance policies vary widely. Some cover regulatory fines, others cover remediation or notification costs,” she noted. “Directors should be clear on what’s included and whether there are any gaps.”