Cyber training and cyber insurance: why both matter

6th March 2026

Cyber risk is now a standing governance issue for investment managers and trustees, not merely an IT concern.

Most breaches still begin with human error. Phishing emails, credential compromise and payment redirection scams succeed when something appears routine. Regular, structured cyber training materially reduces that risk. It also demonstrates that the organisation has taken reasonable steps to protect investor information and fund assets.

From a trustee perspective, cybersecurity falls within core oversight obligations. An AFS licensee must maintain adequate risk management systems and controls, including around cybersecurity and data protection. That obligation is not passive. It requires evidence of active monitoring, training, and documented processes.

Cyber insurance completes the framework, but it is not a substitute for governance. Insurers now examine the quality and frequency of cyber training when underwriting risk. Weak training can mean higher premiums, exclusions, or declined cover.

For investment managers and authorised representatives, the message is direct: cyber capability, documented training, and appropriate insurance are interdependent. If one is weak, the governance framework is exposed.
