Focus on Funds
How Should Fund Boards Engage on Cybersecurity?
In the March 3, 2017, edition of Focus on Funds, PIMCO Global Information Security Officer Daniel Hooper examines the best way for boards and cybersecurity experts to work together.
Stephanie Ortbals-Tibbs, media relations director, ICI: What’s the key to ensuring your fund board is as effective as possible when it comes to cybersecurity? Recently, I got some advice at ICI’s latest cybersecurity conference.
Daniel Hooper, global information security officer, PIMCO: Cybersecurity is such a wide area of expertise, and boards are just starting to become more aware of cybersecurity as a risk to the firm, be it in the operational risk area, be it in the technology risk area—boards are really evolving their understanding.
And so I think one of the key takeaways from the panel was really about educating the board. How do we—as cybersecurity experts—better educate the board, so that they can ask more relevant questions of us, so it becomes this sort of feedback loop? Over time, boards are starting to ask cybersecurity experts to present at a quarterly meeting, maybe annually—I think the ask is becoming more and more. That continual education and that evolution of reporting is becoming really topical.
Ortbals-Tibbs: So how do you get to the “goldilocks” amount of information—not too much and not too little?
Hooper: Yeah, because boards still need to remain fairly independent, I think, and have that governance and oversight role. They don’t want to get into the operational detail of it; they don’t want to be part of the incident response program; they don’t want to be day-to-day managing the firm, the underlying management of the company. So giving them operational metrics—how many patches did we roll out this month, how many phishing attacks did we have?—may be too much information for the boards, and they may not be able to digest it enough.
But we need to be able to give them more risk-based metrics—what are the risks to the firm, what’s our ability to effectively manage money for our clients?—and those kinds of things. How can we get them comfortable by giving them more of those high-level metrics and reporting?
Ortbals-Tibbs: Another big question in the industry right now, and one that you all discussed, is whether or not boards need to bring on a specific cybersecurity expert.
Hooper: That was a great topic of conversation for the board, and I think the general consensus—from the panel—through the chief compliance officer, and the member of the board that we had in the other [panel], the chief information security officer—was that, at this time, it’s probably not the best idea to have a specific cybersecurity expert on the board, because then you’d need to balance that with having an operational risk component or a financial risk component member on the board. At the moment it’s really our job as presenters to those boards to educate them, bring them up to speed on these particular topic areas, without having an expert on the boards themselves.
Ortbals-Tibbs: So it’s interesting to realize that this issue is new, but that it resembles so many others in the industry where there is a way to bring this in to the board without putting an expert in cybersecurity on the board.
Hooper: That’s right. And I think that’s new for a lot of the regulators. It’s a very hot topic in the press—you know, “x” company getting hacked makes great headlines. It’s a great soundbite for news reporters, and it’s good conversation around the water cooler at the office. People tend to be very interested in the subject-matter expert, and I think that’s coming through in some of the questions we’re starting to get from the less-technical folk at the board, because it’s an unknown quantity.
They need to know more about it, and we need to get better about educating them, but without putting that expert on the boards themselves.