As Cybersecurity Heats Up, So Do Cyber Regulations

An onslaught of regulations focused on the digital economy is injecting new complexity into fund management. In the February 1, 2019, edition of Focus on Funds, ICI Chief Information Security Officer Advisory Committee member Mike Catlin discusses best practices for responding.

Stephanie Ortbals-Tibbs, ICI director of media relations: Can you solve a Rubik’s Cube, and just how fast can you do it? Well, that same feeling is just what cybersecurity experts feel as they manage today’s fast-moving, complicated regulatory environment governing cybersecurity. For funds and their investors, the stakes are high, and the regulations are complicated. I got a sense of what’s going on in the industry these days from one of our experts.

Mike Catlin, member of the ICI Chief Information Security Officer Advisory Committee: How do you look at the regulation, how do you make sure that you’re compliant with it, and how do you build it around a risk-assessment program?

Ortbals-Tibbs: Mike, when you talk about risk assessment, that’s really about trying to think smart when you approach regulation—not just kind of go into it, trying to engage in a tick-the-box exercise, which could over- or underdo it.

Catlin: You want to look at your organization, how your organization is formed, the unique risks that you have. Of course, there are shared risks across the industry. But each organization is put together [differently]. So, if you put together a risk assessment top to bottom, then prioritize against those risks, you can build a program that’s going to best protect you.

With that foundation in place, I think then you can look at how you might adjust what you do to make sure you’re complying with all the rules. But really starting with the risk assessment is going to put you in the best place for achieving a program that protects the information of shareholders and protects the organization.

Ortbals-Tibbs: So when you try to look at this, what do you see out there? You have, what, 42 states now that just in the past year passed regulations?

Catlin: In 2017, with another 28 or so in 2018. And some of those rules were not passed, but the fact that there were over 200 in each year that were proposed and acted on really tells you that there’s a lot of focus in this area, which I think is a good thing at the end. But it does create a myriad of things to look at, and it puts our chief compliance officers and CISOs [chief information security officers] and everyone else in a position of having to understand many different ways of doing the same thing.
