Sean Inggs of Leeward on the Cyber Resilience Gaps Fund Boards Overlook

Cyberattacks on financial firms rarely make headlines because of clever code. They make headlines because of what broke and who was responsible for watching it. For investment funds, that question of responsibility is murkier than most boards assume, and it is a gap that Leeward, the Cayman-based governance and independent director firm, says is overdue for attention.
“Boards tell themselves cybersecurity is handled because the fund doesn’t run any systems of its own,” said Sean Inggs, an independent director at Leeward. “But the fund’s money and the fund’s investor data still move through a manager and an administrator every day. That is the attack surface, and the board owns the oversight of it whether the regulation names the fund directly or not.”
Where the regulation reaches, and where it stops
The Cayman Islands Monetary Authority has had a binding cybersecurity regime in place for several years through its Rule and Statement of Guidance on Cybersecurity for Regulated Entities. The Rule places ultimate responsibility for managing cyber risk on an entity’s governing body, requires a documented framework to identify, monitor and recover from incidents, calls for periodic independent reviews, and obliges in-scope entities to report material incidents to CIMA within 72 hours.
The detail that surprises many directors is one of scope. The Rule applies to investment managers and most other CIMA-regulated entities, but not directly to mutual funds and private funds themselves. According to Leeward, that distinction is exactly why fund boards cannot read it as someone else’s problem.
“The manager that is in scope is the same manager running your subscriptions and redemptions,” Inggs said. “So the risk reaches the fund even when the rule does not. A director who stops reading at ‘the fund is out of scope’ has stopped reading one line too early.”
From questionnaires to genuine oversight
Leeward’s position is that most funds already collect the right documents and ask too little of them. A service provider’s audit report or annual security questionnaire confirms that a process exists. It does not confirm that the fund would survive the week if that provider were knocked offline.
The firm encourages boards to move from paperwork toward operational testing. That means understanding which providers are genuinely critical to the fund’s continuity, knowing the recovery plan if one of them fails, and confirming that incident response has actually been rehearsed rather than merely documented. It also means clarity on the notification chain, so the board learns of a breach quickly enough to matter, particularly given the 72-hour reporting obligation that applies to the entities around the fund.
“Resilience is a continuity question, and continuity is the board’s job,” Inggs said. “You don’t need to audit a firewall. You need to know what happens on the first morning of an incident, and you need to know it before that morning comes.”
Disclosure raises the stakes
The pressure is building from the disclosure side as well. When the Cayman Islands refreshed its fund framework in early 2026, it introduced requirements for offering documents to spell out technology-specific risks, including cybersecurity, and to explain how those risks are mitigated. Investors will read those statements and test them.
Leeward expects operational resilience to become a routine part of institutional due diligence rather than a niche concern. Funds that can show a board genuinely engaged with the question, the firm argues, will have an easier time earning and keeping institutional capital than those treating cyber risk as a technical footnote.
“The funds that get this right are not the ones with the longest policies,” Inggs said. “They are the ones where the board can tell you, in plain language, how the fund keeps running on a bad day.”
Leeward provides independent director and governance services from the Cayman Islands. Sean Inggs is an independent director at Leeward and a registered professional director under the Cayman Islands Directors Registration and Licensing Act, with more than 20 years of international legal and governance experience across hedge funds, private equity, family office structures, and blockchain companies. Learn more at leeward.ky.
Disclaimer. This is a Corporate Press Release. Readers should do their own due diligence before taking any actions related to the promoted company or any of its affiliates or services. Cryptopolitan.com is not responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any content, goods or services mentioned in the press release.

Cryptopolitan Media
A dedicated desk for curated insights and featured updates from our network of global industry partners.















