Cyber Security (or lack of) for Mutual Funds

Cheego
Posts: 34
Joined: Mon Jul 18, 2016 11:57 am

Post by Cheego » Tue Oct 10, 2017 9:19 am

Quoting another thread on this topic...

"There seem to be more cases in the media where thieves used a brokerage account to pump a thinly traded stock up. The funds they made off with were not from the hacked account, but from a legit account they used for the pre-pump buying low and the post-pump selling high. But the hacked account ended up holding almost worthless shares."

I've searched this forum and a couple others to see if anyone has ever questioned what would happen if a cyber breach occurred within a fund company. To be clear, this is not in reference to someone hacking my phone or computer and making changes to my 401K account; instead this is about a breach occurring within the fund company (Vanguard, Fidelity, etc). I will do my part to protect my account. I have diligently followed, and will continue to follow, the suggestions that most fund companies post in order for them to provide some protection. It's clear from the wording that they leave themselves plenty of loopholes to get around reimbursement though.

My concern is what happens if the in-house computer system at the fund company is breached. So I emailed one of the fund companies to start the ball rolling. It was an exercise in patience and I eventually gave up. Here is an idea of how our emails went back and forth. Prepare to laugh.

Me: What kind of protection does my account have in the event of a cyber breach within your computer system?
Fund Provider: You are protected if you follow our guidelines for protecting your computer.
Me: Yes, I understand and thank you but the question is about what happens if the breach is caused by a problem with your data system?
Fund Provider: We have not had a security issue in 19 years.
Me: Past performance is no indicator of future success but I want to know if your company will reimburse me if your system causes a loss of my funds.
Fund Provider: I've attached a copy of our privacy policy.
Me: Thank you. I've reviewed the privacy policy but this does not answer my question which is not about privacy.
Fund Provider: I will forward your question to a supervisor.
Me: (wait a week for a reply) :oops:
Supervisor: I understand you want to learn how to protect your account if your computer is hacked.
Me: No, I just have a simple question. What kind of protection does my account have in the event of a cyber breach within your computer system?
Supervisor: Our systems use Super-Duper Technology to provide you with the most secure system anywhere.
Me: Do you reimburse my account if funds are stolen through an act that started within your system?
Supervisor: We have a data system secured by Giant Computer Conglomerate.
Me: That is great but please answer the question.
Supervisor: Please see attached file which shows our Lloyd's of London policy.
Me: Thank you but this does not answer the question.
Supervisor: I'm not able to answer your question.

Now to be clear, this is just a synopsis of what happened. I was not as crass with my replies.

Later, I had this same experience with 3 other fund companies and what I concluded is that the investment companies appear to have no liability whatsoever to repay a loss of funds due to a cyber security breach that originates from within their company. I dug through PIMCO's website to find the exact text that disclaims their responsibility in several of their prospectus reports. It says:

...Cyber security failures or breaches may result in financial losses to a Fund and its shareholders. These failures or breaches may also result in disruptions to business operations, potentially resulting in financial losses; interference with a Fund’s ability to calculate its NAV, process shareholder transactions or otherwise transact business with shareholders; impediments to trading; violations of applicable privacy and other laws; regulatory fines; penalties; reputational damage; reimbursement or other compensation costs; additional compliance and cyber security risk management costs and other adverse consequences. In addition, substantial costs may be incurred in order to prevent any cyber incidents in the future. Like with operational risk in general, the Funds have established business continuity plans and risk management systems designed to reduce the risks associated with cyber security. However, there are inherent limitations in these plans and systems, including that certain risks may not have been identified, in large part because different or unknown threats may emerge in the future. As such, there is no guarantee that such efforts will succeed, especially because the Funds do not directly control the cyber security systems of issuers in which a Fund may invest, trading counterparties or third party service providers to the Funds... The Funds and their shareholders could be negatively impacted as a result.
---------------------------

I feel like I am the only one who cares about this and I hate to sound like a doomsday prepper but I think a breach at a fund company is a realistic possibility. It appears that diversification of funds is the only way to reduce exposure to this type of loss. However, since we're only 8 years from retirement and are largely in bond funds, we're starting to think about pulling everything from the market but I'm not sure what options we have regarding where to put it.

Beehave
Posts: 81
Joined: Mon Jun 19, 2017 12:46 pm

Re: Cyber Security (or lack of) for Mutual Funds

Post by Beehave » Tue Oct 10, 2017 12:11 pm

I suppose some devastating breach is possible. If it happened there would likely be reasonable remedies - - for example roll systems back to a day before (or hour before) the breach. Of course, if the breach were a rolling phenomenon over time that might not be feasible.

Suppose you withdraw funds because of the risk. No matter what you do with the funds you withdraw, there will be risk in the new placement. To me, that says diversify types of investments/holdings and diversify institutions. Not exactly the total simplification policy usually advocated in these fora, but do what you need to do to sleep soundly.

Cheego
Posts: 34
Joined: Mon Jul 18, 2016 11:57 am

Re: Cyber Security (or lack of) for Mutual Funds

Post by Cheego » Tue Oct 10, 2017 4:02 pm

Beehave wrote:
Tue Oct 10, 2017 12:11 pm
...If it happened there would likely be reasonable remedies - - for example roll systems back to a day before (or hour before) the breach. Of course, if the breach were a rolling phenomenon over time that might not be feasible.
A roll back of a backup would likely be too late. First, they don't always identify the breach right away. Second, it doesn't take long for the assets to be allocated outside of the fund to a "rogue" fund. If that happens and the money is lost from the account, it's clear there will be no reimbursement.

Beehave
Posts: 81
Joined: Mon Jun 19, 2017 12:46 pm

Re: Cyber Security (or lack of) for Mutual Funds

Post by Beehave » Tue Oct 10, 2017 7:03 pm

I think you're right, the money would have vanished before rollback could be effective. Rollback is much more for mistakes or system errors that can be undone among honest parties.

Still, diversification across assets and institutions seems safer than moving to one type of asset and one institution. "Black swan" events could range among hyperinflation, depression, devaluation, war, massive cyber hack/crime, civil unrest, and who knows what else. I don't believe there is any one resource and way of holding it that is safe from all. I'd be interested in your thoughts about optimizing safety.

Call_Me_Op
Posts: 6581
Joined: Mon Sep 07, 2009 2:57 pm
Location: Milky Way

Re: Cyber Security (or lack of) for Mutual Funds

Post by Call_Me_Op » Wed Oct 11, 2017 7:38 am

Cheego,

I share your concern. I have been very concerned that most or all of the customer protection guarantees have many conditions around them and in effect, compensation for customer losses is at the discretion of the firm. This is very different from credit cards, debit cards, and bank accounts - which have strong protections. I think this issue is vastly under-recognized, but in my view, this is the greatest threat to one's wealth.

I diversify broadly across custodians in an attempt to mitigate this risk. I also try to follow all other guidelines - but I am still quite unsatisfied.
Best regards, -Op | "In the middle of difficulty lies opportunity." Einstein

livesoft
Posts: 57216
Joined: Thu Mar 01, 2007 8:00 pm

Re: Cyber Security (or lack of) for Mutual Funds

Post by livesoft » Wed Oct 11, 2017 7:42 am

I think the laws of the US and the courts will help you out. It may take a while and I suppose the mutual fund company could declare bankruptcy, but I imagine only state actors would be able to take out a large mutual fund company and that would lead to war.
This signature message sponsored by sscritic: Learn to fish.

Mordoch
Posts: 338
Joined: Sat Mar 10, 2007 11:27 am

Re: Cyber Security (or lack of) for Mutual Funds

Post by Mordoch » Wed Oct 11, 2017 7:56 am

To summarize, there is no legal question the mutual fund is financially liable if the breach is internal.

In terms of the warning you cited, it should be noted that outside of Vanguard, shareholders in the context mentioned means the investors in the company that owns the mutual fund(s) and the fund itself could be damaged by the impact on its reputation.

The idea as suggested that a rollback could be too late for a major breach does not make sense if you are talking about an actual asset transfer. The company would have at least one business day to roll things back while detection of what had happened would occur far more quickly in that case (maybe an hour if something prevented faster detection somehow). The idea they wouldn't catch the breach right away (if the attackers proceed to exploit the breach by taking actual actions) does not remotely resemble the reality in this sort of situation because a major unexplained withdrawal of funds or sales/ purchases of stocks is exactly the sort of thing mutual companies are specifically certainly going to notice and detect. (They have to watch out for it somehow happening accidentally or due to some sort of computer error if nothing else.)
Last edited by Mordoch on Wed Oct 11, 2017 8:19 am, edited 2 times in total.

Mordoch
Posts: 338
Joined: Sat Mar 10, 2007 11:27 am

Re: Cyber Security (or lack of) for Mutual Funds

Post by Mordoch » Wed Oct 11, 2017 8:04 am

Beehave wrote:
Tue Oct 10, 2017 7:03 pm
I think you're right, the money would have vanished before rollback could be effective. Rollback is much more for mistakes or system errors that can be undone among honest parties.
You're simply mistaken on this point. Realistically the issue of time in pulling back an ACH transfer or other transfer methods like that would apply would impact regular businesses, not a major mutual fund where they are keeping a far tighter eye on the funds and fund transfers and would have plenty of time to reverse things for a major asset transfer which would actually impact the mutual fund holders. There are also a few theoretical situations where the third party custodian bank would end up liable and paying rather than those with money in the mutual funds.
Last edited by Mordoch on Wed Oct 11, 2017 8:26 am, edited 1 time in total.

donfairplay
Posts: 96
Joined: Mon Oct 06, 2008 8:16 pm

Re: Cyber Security (or lack of) for Mutual Funds

Post by donfairplay » Wed Oct 11, 2017 8:10 am

You pays your money, you takes your chances.

KlangFool
Posts: 7195
Joined: Sat Oct 11, 2008 12:35 pm

Re: Cyber Security (or lack of) for Mutual Funds

Post by KlangFool » Wed Oct 11, 2017 8:14 am

OP,

I prefer to go the other way and assume that there will be a breach in any company. Then, protect against whatever could happen to me.

In the case of the mutual fund, any account changes are alerted to my email account and they would send a letter too. Ditto for any transaction.

Money could only go out to a linked bank account. And, it takes several days for a bank account to be linked. I limit the number of mutual funds that have a link to account and number of bank accounts to be linked.

KlangFool

Mordoch
Posts: 338
Joined: Sat Mar 10, 2007 11:27 am

Re: Cyber Security (or lack of) for Mutual Funds

Post by Mordoch » Wed Oct 11, 2017 8:17 am

Call_Me_Op wrote:
Wed Oct 11, 2017 7:38 am
Cheego,
I share your concern. I have been very concerned that most or all of the customer protection guarantees have many conditions around them and in effect, compensation for customer losses is at the discretion of the firm. This is very different from credit cards, debit cards, and bank accounts - which have strong protections. I think this issue is vastly under-recognized, but in my view, this is the greatest threat to one's wealth.
The thing is there is not even a remote legal question about who is legally responsible if the mutual fund gets hacked, which is why the guarantees don't spend much time with it and those called at customer service might get confused at the question when Cheego called. It very clearly is legally the mutual fund's responsibility. (The only question would be if the mutual fund could also fix some legal liability at a third party during a lawsuit on their part against the third party, but that would only impact where the money is ultimately coming from to make the shareholder fully whole.)

The only complication would be if the mutual fund insisted it must have been you who were hacked rather than them. However this is mostly a theoretical concern because a hacker is not going to stop at just taking money out of one shareholder if they breach the mutual fund's systems which would make the true cause quickly obvious. (Basically just about the only risk might be if you absolutely insisted on using the weakest password around for your mutual fund account so it was broken after the hashed password was stolen while somehow all the other passwords stolen in the breach were much stronger so your account was the only one compromised, which obviously can only be avoided by not using a stupid password for your account. There is one other possible scenario where the hacker is able to use a password they found after hacking another account of yours to easily hack your hashed mutual fund account, but this risk is negated by not using the same password for other accounts.) So ordinarily in such a scenario at worst you're looking at a delay until the mutual fund admits responsibility. (Another practical issue is a major breach is going to lead to a law enforcement investigation, and members of the mutual fund company theoretically trying to conceal the source of the accounts being compromised would potentially actually lead to those company employees facing obstruction of investigation criminal charges among other things.)
Last edited by Mordoch on Wed Oct 11, 2017 8:35 am, edited 1 time in total.

Call_Me_Op
Posts: 6581
Joined: Mon Sep 07, 2009 2:57 pm
Location: Milky Way

Re: Cyber Security (or lack of) for Mutual Funds

Post by Call_Me_Op » Wed Oct 11, 2017 8:34 am

Mordoch wrote:
Wed Oct 11, 2017 8:17 am
Call_Me_Op wrote:
Wed Oct 11, 2017 7:38 am
Cheego,
I share your concern. I have been very concerned that most or all of the customer protection guarantees have many conditions around them and in effect, compensation for customer losses is at the discretion of the firm. This is very different from credit cards, debit cards, and bank accounts - which have strong protections. I think this issue is vastly under-recognized, but in my view, this is the greatest threat to one's wealth.
The thing is there is not even a remote legal question about who is legally responsible if the mutual fund gets hacked, which is why the guarantees don't spend much time with it and those called at customer service might get confused at the question when Cheego called. It very clearly is legally the mutual fund's responsibility. (The only question would be if the mutual fund could also fix some legal liability at a third party during a lawsuit on their part against the third party, but that would only impact where the money is ultimately coming from to make the shareholder fully whole.)

The only complication would be if the mutual fund insisted it must have been you who were hacked rather than them. However this is mostly a theoretical concern because a hacker is not going to stop at just taking money out of one shareholder if they breach the mutual fund's systems which would make the true cause quickly obvious. (The only conceivable risk might be if you absolutely insisted on using the weakest password around for your mutual fund account so it was broken after the hashed password was stolen while somehow all the other passwords stolen in the breach were much stronger so your account was the only one compromised, which obviously can only be avoided by not using a stupid password for your account.) So ordinarily in such a scenario at worst you're looking at a delay until the mutual fund admits responsibility. (Another practical issue is a major breach is going to lead to a law enforcement investigation, and members of the mutual fund company theoretically trying to conceal the source of the accounts being compromised would potentially actually lead to those company employees facing obstruction of investigation criminal charges among other things.)
There is no question that the legal protections around brokerage assets are much weaker than those around banks. For example, if you fall victim to a sophisticated phishing scheme, the brokerage firm has no legal obligation to make you whole. In the case of a bank, as long as you report it within 60 days (or so) you will have little or no liability. That's just one example; there are so many ways that crooks can steal money from your account. And there are a lot of crooks out there.
Best regards, -Op | "In the middle of difficulty lies opportunity." Einstein

Mordoch
Posts: 338
Joined: Sat Mar 10, 2007 11:27 am

Re: Cyber Security (or lack of) for Mutual Funds

Post by Mordoch » Wed Oct 11, 2017 8:40 am

Call_Me_Op wrote:
Wed Oct 11, 2017 8:34 am
There is no question that the legal protections around brokerage assets are much weaker than those around banks. For example, if you fall victim to a sophisticated phishing scheme, the brokerage firm has no legal obligation to make you whole. In the case of a bank, as long as you report it within 60 days (or so) you will have little or no liability. That's just one example; there are so many ways that crooks can steal money from your account.
While this point is essentially true, it has nothing to do with the specific questions about the legal protections in a situation where the mutual fund is actually hacked or otherwise compromised internally.

Such a situation is considered very different legally speaking from any scenario involving customer negligence of any sort (or at least the customer somehow being the cause of the account compromise) and it clearly becomes the mutual fund's responsibility legally at that point. As noted, the only real concerns (beyond temporary inconvenience and emotional unpleasantness while the mutual fund figures things out) involve a situation where your password is so horrible the mutual company can't figure out that even though your account was the only one compromised the source was a hack on their end. It should be noted that even in such a situation (which you can avoid with reasonable password security or better yet a password manager) usually a hack would still lead to enough accounts being breached to make it obvious to the mutual fund that the cause is on their end.

Cheego
Posts: 34
Joined: Mon Jul 18, 2016 11:57 am

Re: Cyber Security (or lack of) for Mutual Funds

Post by Cheego » Thu Oct 12, 2017 6:58 pm

Mordoch wrote:
Wed Oct 11, 2017 8:17 am
The thing is there is not even a remote legal question about who is legally responsible if the mutual fund gets hacked, which is why the guarantees don't spend much time with it and those called at customer service might get confused at the question when Cheego called. It very clearly is legally the mutual fund's responsibility.
What is "clearly" in this case? Can you cite case or law? The only thing that is clear is what they have provided in the prospectus which says clearly that they are not responsible for reimbursement. They may face legal action in a breach to their system but they disclaim any kind of reimbursement for it.

Surely their reputation would go down the drain and I would guess that it would end their business (being that most people would yank money out of custodians that are losing it to cyber issues) but that doesn't mean I'll see a reimbursement check when it happens to me.

The call centers surely were confused by my question but the emails that were escalated to another team at some of the funds indicated to me that they are not able to conceive of a breach and thus have no real plan for it. For instance, one fund company sent me an email saying they needed more time (at least a week) to formulate an answer!

I also fought this issue with our 401k company and they actually sent me a well-written addendum to our agreement indicating full reimbursement for cyber theft originating within their organization. It's a small step but it is progress.

I just think these companies can't fathom the cyber theft idea or they do get it but they know there is no way to reimburse clients for a large scale loss.

Cheego
Posts: 34
Joined: Mon Jul 18, 2016 11:57 am

Re: Cyber Security (or lack of) for Mutual Funds

Post by Cheego » Thu Oct 12, 2017 7:04 pm

KlangFool wrote:
Wed Oct 11, 2017 8:14 am

In the case of the mutual fund, any account changes are alerted to my email account and they would send a letter too. Ditto for any transaction.

Money could only go out to a linked bank account. And, it takes several days for a bank account to be linked. I limit the number of mutual funds that have a link to account and number of bank accounts to be linked.
I sincerely mean it when I write that no offense intended but, you're not thinking outside the box. Cyber insecurity goes way beyond what you're suggesting here. I do the same thing you do but it goes much deeper than that to get protection if you understand what cyber crooks could do. If this were a house, the very first thing the crooks would do is turn off the alarm. Then they steal the jewelry! :twisted:

KlangFool
Posts: 7195
Joined: Sat Oct 11, 2008 12:35 pm

Re: Cyber Security (or lack of) for Mutual Funds

Post by KlangFool » Thu Oct 12, 2017 7:44 pm

Cheego wrote:
Thu Oct 12, 2017 7:04 pm
KlangFool wrote:
Wed Oct 11, 2017 8:14 am

In the case of the mutual fund, any account changes are alerted to my email account and they would send a letter too. Ditto for any transaction.

Money could only go out to a linked bank account. And, it takes several days for a bank account to be linked. I limit the number of mutual funds that have a link to account and number of bank accounts to be linked.
I sincerely mean it when I write that no offense intended but, you're not thinking outside the box. Cyber insecurity goes way beyond what you're suggesting here. I do the same thing you do but it goes much deeper than that to get protection if you understand what cyber crooks could do. If this were a house, the very first thing the crooks would do is turn off the alarm. Then they steal the jewelry! :twisted:
Cheego,

Please explain what out of the box thinking that you are suggesting?

<< I do the same thing you do but it goes much deeper than that to get protection if you understand what cyber crooks could do. >>

By the way, we do have a professional cybersecurity expert in our forum. So, I am not quite sure your understanding of cyber crooks is greater than our expert at the forum.

KlangFool

Cheego
Posts: 34
Joined: Mon Jul 18, 2016 11:57 am

Re: Cyber Security (or lack of) for Mutual Funds

Post by Cheego » Thu Oct 12, 2017 7:55 pm

KlangFool wrote:
Thu Oct 12, 2017 7:44 pm
Cheego wrote:
Thu Oct 12, 2017 7:04 pm
KlangFool wrote:
Wed Oct 11, 2017 8:14 am

In the case of the mutual fund, any account changes are alerted to my email account and they would send a letter too. Ditto for any transaction.

Money could only go out to a linked bank account. And, it takes several days for a bank account to be linked. I limit the number of mutual funds that have a link to account and number of bank accounts to be linked.
I sincerely mean it when I write that no offense intended but, you're not thinking outside the box. Cyber insecurity goes way beyond what you're suggesting here. I do the same thing you do but it goes much deeper than that to get protection if you understand what cyber crooks could do. If this were a house, the very first thing the crooks would do is turn off the alarm. Then they steal the jewelry! :twisted:
Cheego,

Please explain what out of the box thinking that you are suggesting?

<< I do the same thing you do but it goes much deeper than that to get protection if you understand what cyber crooks could do. >>

By the way, we do have a professional cybersecurity expert in our forum. So, I am not quite sure your understanding of cyber crooks is greater than our expert at the forum.

KlangFool
I'm not interested in getting in a battle here buddy. That was never my intent. I never claimed to know more than the expert (or anyone else). My point was made in the last two sentences I wrote above. I too have email alerts but any intelligent cyber crook would disable the email alerts before taking the funds. The email alerts are not all that helpful from a security issue that originates from within the custodian.

KlangFool
Posts: 7195
Joined: Sat Oct 11, 2008 12:35 pm

Re: Cyber Security (or lack of) for Mutual Funds

Post by KlangFool » Thu Oct 12, 2017 8:12 pm

Cheego wrote:
Thu Oct 12, 2017 7:55 pm

I'm not interested in getting in a battle here buddy. That was never my intent. I never claimed to know more than the expert (or anyone else). My point was made in the last two sentences I wrote above. I too have email alerts but any intelligent cyber crook would disable the email alerts before taking the funds. The email alerts are not all that helpful from a security issue that originates from within the custodian.
Cheego,

<< I too have email alerts but any intelligent cyber crook would disable the email alerts before taking the funds.>>

If a cybercrook is smart enough, they would know where to get their money. Aka, where are the easy targets. Why would they target an individual fund owner? That is too much effort for a small amount of money.

KlangFool

JBTX
Posts: 1692
Joined: Wed Jul 26, 2017 12:46 pm

Re: Cyber Security (or lack of) for Mutual Funds

Post by JBTX » Thu Oct 12, 2017 8:49 pm

Cheego wrote:
Thu Oct 12, 2017 6:58 pm
Mordoch wrote:
Wed Oct 11, 2017 8:17 am
The thing is there is not even a remote legal question about who is legally responsible if the mutual fund gets hacked, which is why the guarantees don't spend much time with it and those called at customer service might get confused at the question when Cheego called. It very clearly is legally the mutual fund's responsibility.
What is "clearly" in this case? Can you cite case or law? The only thing that is clear is what they have provided in the prospectus which says clearly that they are not responsible for reimbursement. They may face legal action in a breach to their system but they disclaim any kind of reimbursement for it.

Surely their reputation would go down the drain and I would guess that it would end their business (being that most people would yank money out of custodians that are losing it to cyber issues) but that doesn't mean I'll see a reimbursement check when it happens to me.

The call centers surely were confused by my question but the emails that were escalated to another team at some of the funds indicated to me that they are not able to conceive of a breach and thus have no real plan for it. For instance, one fund company sent me an email saying they needed more time (at least a week) to formulate an answer!

I also fought this issue with our 401k company and they actually sent me a well-written addendum to our agreement indicating full reimbursement for cyber theft originating within their organization. It's a small step but it is progress.

I just think these companies can't fathom the cyber theft idea or they do get it but they know there is no way to reimburse clients for a large scale loss.
I’ll defer to Mordoch on the legal issue, but that aside, if the breach was caused by a security failure of the fund company, that would be a class action suit easily won by the investors and the fund company knows that. A major fund company would pay to make investors whole because they would eventually have to otherwise and their reputation destroyed.

The PIMCO language was a little different. That didn’t address outright theft of funds or securities. It was more to address that hackers could disrupt their systems such that day to day operations could be interrupted. Perhaps they couldn’t buy or sell securities or maybe even execute customer orders which could have a negative effect on fund shareholders but less easy to quantify. Even then they could be liable if they were negligent and could be sued.

Mordoch
Posts: 338
Joined: Sat Mar 10, 2007 11:27 am

Re: Cyber Security (or lack of) for Mutual Funds

Post by Mordoch » Thu Oct 12, 2017 10:13 pm

Cheego wrote:
Thu Oct 12, 2017 6:58 pm
What is "clearly" in this case? Can you cite case or law? The only thing that is clear is what they have provided in the prospectus which says clearly that they are not responsible for reimbursement. They may face legal action in a breach to their system but they disclaim any kind of reimbursement for it.
Unless I am misunderstanding what you are inherently talking about, the prospectus certainly says nothing remotely of the sort which would be an utterly preposterous legal position to take. (The confusion on your part seems to be that the prospectus is mostly talking about scenarios where the individual with money invested in the mutual fund in some way might have had a role, rather than the source of the breach being entirely internal/ or hackers penetrating the fund where it is spectacularly obvious the fund is liable for the lost money. As noted, the other PIMCO disclaimer is about the impact of a delayed trade due to a hacker or technical issue, not about outright theft of the money.)

Basic civil law principles mean that the mutual fund is clearly liable in such a scenario where the only negligence was on the part of the mutual fund. While the duty of care standards may be a bit lower than for a bank, allowing hackers or some rogue employee to run off with a client's money clearly badly breaches their duty of care standards. (Assuming the hacking breach part did not actually occur specifically on the customer's computer at which point the various standards the mutual funds require for the customer come into play regarding who may be liable, although in practice mutual funds realistically are going to reimburse except in extreme situations.)
https://en.wikipedia.org/wiki/Negligence

As long as the source of the breach can be reasonably established, you are at worst looking at a very straightforward lawsuit against the fund where the plaintiff gets their money back plus legal costs at the end of the process. (In practice the mutual fund would actually need to show sufficient evidence the breach really did occur on your end to ultimately win such a lawsuit.)

For a bit more information, you can note page two of this linked to article, which notes that mutual funds could potentially get in trouble with the SEC even just for raising their expense ratios in order to pay for a theft or serious negligent IT failure.
https://www.perkinscoie.com/images/cont ... r-2014.pdf

(Significantly all the talk of liability in the article for the cyber breach is about whether the person who pays is going to be the service provider for the IT services or the mutual fund, with the idea the customer would end up eating the loss never entering the picture.)

While I could spend a lot of time researching all the SEC regulations that do exist, I frankly do not see this point since this is not an area of the law vaguely in dispute. (It may be hard to find an actual lawsuit involving these circumstances since mutual fund companies simply won't have the nerve to argue when they are so blatantly the liable party and the SEC might even force them to do so before it even gets to a lawsuit although I am not an expert on those details in this last case.)

2015
Posts: 973
Joined: Mon Feb 10, 2014 2:32 pm

Re: Cyber Security (or lack of) for Mutual Funds

Post by 2015 » Fri Oct 13, 2017 6:05 pm

donfairplay wrote:
Wed Oct 11, 2017 8:10 am
You pays your money, you takes your chances.
Agreed. I recommend reading The Science of Fear. Lots of recency bias regarding security as a result of the Equifax breach. We fear the big, high impact, but very low probability events over the high impact, high probability events. To wit, today's headlines stated that a full 4 in 10 adults in the U.S. are obese. Not fat. Obese, with all of the attendant health and life shortening issues that portends. Another series of articles in the LA Times discussed that 40% of all cancers are related to lifestyle (poor diet, lack of exercise, poor overall health). Odds are higher you are more likely to die of a heart attack in the future than suffer a financial loss due to a breach.
