News and Resources

Focus on Funds

Fund Board Directors Focus on Cybersecurity

Fund board directors are engaging closely to oversee fund cybersecurity and adoption of new technology. In the September 7, 2018, edition of Focus on Funds, Joanne Pace, independent director with OppenheimerFunds and a member of IDC’s Governing Council, details boards’ role in managing technological risks.


Stephanie Ortbals-Tibbs, ICI director of media relations: For everyone in asset management, cybersecurity’s a major concern. But fund board directors have particular responsibilities, interests, and roles they need to serve as they serve fund investors. At ICI’s recent General Membership Meeting, cybersecurity and board directors were top of the agenda at the Independent Directors Council meeting. And here are some key takeaways from their conversation.

Joanne Pace, OppenheimerFunds independent director and IDC Governing Council member: I think when people hear “cybersecurity,” they think, “Oh my gosh, complicated, technical, IT, and I’m not an IT expert.” And so what we really tried to dispel or demystify right off the bat was to say cybersecurity is a risk management issue. And it’s about the protection of data—data and information security.

The other thing we were really trying to convey to the audience was about the fact that it’s about what the fund assets are, and where are they, and how protected are they. And I think with a fund, there are a lot of third parties that house data. And so, knowing where all that data is and how protected it is, is really, really an important part of understanding the risk management element of cybersecurity.

Ortbals-Tibbs: Where are your crown jewels, and where are they locked up?

Pace: Exactly.

Ortbals-Tibbs: So it’s interesting [that] when you’re talking about cybersecurity, you’re talking about technology; you’re talking about its pros and cons. There are ways it can really help in this effort; there are ways that it might seem like it’s going to be harder. But you were able to kind of cut through that a little bit and think about how technology can be helpful.

Pace: [The] cloud and blockchain—they’re scary topics, and people get concerned about them. It is about really understanding—what is the new technology, and is it going to help me? Is it going to hurt me? And some of it will help.

Every day, there’s new technology that will help in terms of detecting patterns about information security and will create capabilities to really help you protect your data.

Ortbals-Tibbs: And also, of course, whenever major new issues like this are developing, and fund board directors are looking at them, they’re always trying to think, “Okay, so what’s our role in this? What do we need to do?”

Pace: That’s right; it really is oversight. When you think about cyber as one of the enterprise risks that we have oversight over, it happens to have a technical association. But when you think about it, it’s really about risk management. And we really offer the audience a framework around what are those discussions, what the governance practice is, how do you benchmark your overall program. And so we really kind of dug in on what are the things that the fund board should be seeing, the conversations they should be having, and really, again, the evolving governance practices around our oversight role.

Additional Resources