Ask most fund directors who is responsible for cybersecurity at their fund and you will get a version of the same answer: the manager handles it, or the administrator does, or there is a service provider whose job that is. All of those answers are partly true. None of them lets the board off the hook.
I have sat on fund and offshore company boards for the better part of two decades, and the pattern I see most often is not negligence. It is a quiet assumption that because the fund itself runs no servers and employs no staff, its cyber risk has been handed off along with everything else. That assumption is where the exposure hides.
The Fund Is the Target, Even When the Manager Is the Door
A Cayman mutual fund or private fund is, in operational terms, a set of contracts. The investment manager runs the strategy. The administrator keeps the books and processes subscriptions and redemptions. A custodian holds the assets. Each of those parties touches investor money and investor data, and each is a potential point of entry for an attacker.
The Cayman Islands Monetary Authority recognised this when it issued its binding Rule and Statement of Guidance on cybersecurity for regulated entities. That Rule reaches investment managers and most other CIMA-regulated entities, places ultimate responsibility for cybersecurity on the governing body, requires a documented framework for identifying and recovering from incidents, and obliges entities to report any material incident within 72 hours.
Here is the part that catches boards off guard. The Rule does not apply directly to the mutual fund or private fund vehicle itself. So a director can technically point out that the fund sits outside its scope and be correct, and still be exposed, because the manager who is in scope is the same party processing the fund’s transactions. When an attacker compromises that manager or that administrator, the fund’s investors feel it. The regulatory perimeter and the risk perimeter are not the same shape.
What I Actually Want to See at the Board Table
Treating cybersecurity as a service-provider problem produces service-provider answers: a SOC 2 report filed away, a checkbox in the annual due diligence pack. That is not oversight. It is paperwork.
A board that takes operational resilience seriously asks sharper questions. Which of our service providers would bring the fund to a halt if they went dark for a week, and what is the recovery plan if they do? When did the administrator last test its incident response, and were we told the result? If a manager suffers a breach, who tells the board, and how fast, given there is a 72-hour regulatory clock running for the entities in scope? Do our key providers carry cyber coverage, and does it actually respond to the scenarios that would hurt us?
None of these require a director to be a security engineer. They require a director to treat resilience as a continuity question, which is squarely a board question. The funds that handle this well run tabletop exercises with their managers and administrators, not just questionnaires. They know what happens on day one of an incident before day one arrives.
Disclosure Is Catching Up
The regulatory direction is clear. When the Cayman Islands updated its fund rules in early 2026, it began requiring offering documents to disclose technology-specific risks, cybersecurity among them, and to explain how those risks are managed. Investors are going to read those disclosures and ask follow-up questions. Boards that have only ever delegated the topic will struggle to answer them.
Operational resilience is becoming a standard part of how serious allocators judge a fund. The board cannot answer for a manager’s firewall configuration, and it should not try to. But it can and must answer for whether the fund has a clear-eyed view of where its operations could break and a credible plan for what happens when they do.
That responsibility was never outsourced. It only felt that way.
Sean Inggs is an independent director at Leeward and a registered professional director under the Cayman Islands Directors Registration and Licensing Act. A qualified attorney with more than 20 years of international legal and governance experience, he serves on the boards of hedge funds, private equity funds, family office structures, and blockchain companies, advising on governance, regulatory alignment, and operational resilience across traditional and digital asset markets. He began his legal career at Fasken Martineau in Johannesburg and has held senior advisory roles across the Cayman Islands, Jersey, and South Africa.

