May 2, 2019
Five Essential Articles for Private Fund Managers to Combat Cyber Risks
Although the SEC has not formally confirmed the existence of a third cybersecurity examination initiative, Kristin Snyder, Deputy Director of the SEC’s Office of Compliance Inspections and Examinations (OCIE), recently stated at a conference that OCIE would be conducting a new cybersecurity sweep focused on investment management firms involved in mergers and acquisitions. In addition, cybersecurity remains a key 2019 OCIE examination priority area. To prepare fund managers, the Hedge Fund Law Report is highlighting five articles from its historical archives that explore important cybersecurity issues, including the structure of cybersecurity programs; the SEC’s cybersecurity enforcement and examination priorities; social engineering fraud; the laws and threats applicable to investment managers; and cybersecurity risks posed by third parties. Next week (the week starting May 6, 2019), the Hedge Fund Law Report will resume its normal weekly publication.
How Fund Managers Should Structure Their Cybersecurity Programs
Nation-states, organizations, groups and individuals continue to employ increasingly sophisticated methods to target information systems and computer networks. Governments and regulators – including the SEC and the U.K. Financial Conduct Authority – are also intensifying their scrutiny of organizations’ cybersecurity programs. As a result, it is becoming more expensive to combat and contain cyber-related attacks. Given that cybersecurity is an enterprise-wide risk, fund managers must, at a minimum, ensure that they comply with industry best practices, including adopting one or more cybersecurity frameworks and creating a culture of cybersecurity compliance. This three-part series assists fund managers in developing a robust cybersecurity framework. The first article discusses the risks and costs associated with cybersecurity attacks; the global focus on cybersecurity; relevant findings observed by the Office of Compliance Inspections and Examinations during the examination of SEC registrants; and cybersecurity best practices. The second article analyzes the need for a fund manager to hire a dedicated chief information security officer, reviews information security governance structures and explores the role of the chief compliance officer as a strategic partner. The third article evaluates methods for facilitating communication between cybersecurity stakeholders; outsourcing and co-sourcing of cybersecurity functions; and best practices for employing and overseeing third-party cybersecurity vendors. See our two-part series “Navigating FCA and SEC Cybersecurity Expectations”: Part One (Jan. 7, 2016); and Part Two (Jan. 14, 2016). See also our two-part series on how fund managers can meet the cybersecurity challenge: “A Snapshot of the Regulatory Landscape” (Dec. 3, 2015); and “A Plan for Building a Cyber-Compliance Program” (Dec. 10, 2015).
SEC Officials Flesh Out Cybersecurity Enforcement and Examination Priorities
While the SEC has provided some guidance and pursued a limited number of enforcement actions, the state of its cybersecurity enforcement program is still unclear to many fund managers. In 2017, Stephanie Avakian, then-Acting Director and current Co-Director of the SEC Division of Enforcement, and Shamoil Shipchandler, then-SEC Regional Director for the Fort Worth Regional Office, spoke candidly about the agency’s plans and approach. This two-part series summarizes their discussion. The first article covers their views on which enforcement actions serve as the best guidance; how they identify new cases; recent enforcement trends; and their coordination efforts with law enforcement and state regulators. The second article details their insights on the SEC’s cybersecurity examination process and guidance on corporate disclosures. For more on how fund managers can mitigate cyber risk, see “Cyber Insurance Coverage, Pre-Breach Mitigation Efforts and Post-Breach Response Plans Can Reduce Harm to Fund Managers From Cyber Attacks” (Jan. 19, 2017); and “Former Prosecutors Address Trends in Cybersecurity for Alternative Asset Managers, Diligence When Acquiring a Company and Breach Response Considerations” (Oct. 6, 2016).
Beware of False Friends: A Hedge Fund Manager’s Guide to Social Engineering Fraud
Cybercriminals are increasingly relying on social engineering to attack corporate systems. Hedge funds are particularly vulnerable, given that they typically lack extensive in-house cybersecurity expertise; deal with large sums of capital; and have relationships with powerful clients and individuals. Social engineering fraud poses a number of risks to fund managers, including money transfer fraud; theft of passwords or trade secrets; customer-data compromise; revelation of trading positions and plans; and attacks on principals. Fortunately, managers can mitigate these risks by educating and training employees; instituting multi-factor authentication; adopting verification procedures; limiting user access; and monitoring cybersecurity regulations. In addition, managers are increasingly able to rely on insurance to cover social engineering fraud losses. In a guest article, Ron Borys, then-senior managing director in Crystal & Company’s financial institutions group, and Jordan Arnold, executive managing director in K2 Intelligence’s New York and Los Angeles offices and head of the firm’s private client services and strategic risk and security practices, examine the risks of social engineering fraud, how fund managers can prevent it and how insurance policies can be used to protect against related losses. For additional commentary from Borys, see “How E&O and D&O Liability Insurance Can Help Hedge Fund Managers Mitigate the Consequences of Regulatory Enforcement Actions” (Jun. 2, 2016). See also “The Challenges and Benefits of Multi-Factor Authentication in the Financial Sector”: Part One (Nov. 2, 2017); and Part Two (Nov. 9, 2017).
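The verification procedures, access limits and out-of-band checks named above are the controls that defeat the most common form of social engineering fraud against a fund: a forged or hijacked e-mail that asks the operations desk to wire money to changed bank details. The following is an added illustration of what such a procedure looks like in code; it is not from the article or from Borys and Arnold, and the vendor registry, callback number, account numbers, approval threshold and the `Instruction` fields are all constructed assumptions. The point it makes that the summary does not is that the request itself is never a trusted source: a callback goes only to the number recorded at onboarding, and a sender domain that is one character away from a registered one is treated as an imitation, not an unknown.

```python
from dataclasses import dataclass

# Constructed vendor registry (assumed data, not from the article): beneficiary
# details and a callback number captured at onboarding and verified through a
# channel other than e-mail. Keys are the vendor's genuine e-mail domain.
VENDOR_REGISTRY = {
    "prime-broker.example": {
        "account": "GB29NWBK60161331926819",
        "callback_phone": "+44 20 7946 0000",
    },
}

DUAL_APPROVAL_THRESHOLD = 100_000  # assumed policy threshold, in base currency


@dataclass
class Instruction:
    """A payment request as received by the operations desk (constructed)."""
    sender_email: str
    beneficiary_account: str
    amount: float
    requested_callback_phone: str = ""  # number supplied in the request itself
    callback_confirmed: bool = False    # set only after calling the REGISTRY number
    second_approver: str = ""           # set by an independent approver


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, max_distance: int = 2):
    """Return the registered domain this one imitates, or None."""
    for known in VENDOR_REGISTRY:
        if 0 < edit_distance(domain, known) <= max_distance:
            return known
    return None


def evaluate(instr: Instruction) -> dict:
    """Decide whether a wire may be released; never approve on e-mail alone."""
    findings = []
    domain = instr.sender_email.rsplit("@", 1)[-1].lower()
    record = VENDOR_REGISTRY.get(domain)

    if record is None:
        imitated = lookalike_of(domain)
        findings.append(f"look-alike domain {domain!r} imitates {imitated!r}"
                        if imitated else f"unknown sender domain {domain!r}")
        return {"decision": "reject", "findings": findings}

    if instr.beneficiary_account != record["account"]:
        findings.append("beneficiary account differs from registered account")
        # A number offered in the request is the attacker's; the callback goes
        # to the registry number regardless, so flag the attempt.
        if (instr.requested_callback_phone
                and instr.requested_callback_phone != record["callback_phone"]):
            findings.append("request supplies its own callback number; ignore it")
        if not instr.callback_confirmed:
            return {"decision": "hold_for_callback", "findings": findings}

    if instr.amount >= DUAL_APPROVAL_THRESHOLD and not instr.second_approver:
        findings.append(f"amount {instr.amount:,.0f} requires a second approver")
        return {"decision": "hold_for_second_approval", "findings": findings}

    return {"decision": "approve", "findings": findings}


if __name__ == "__main__":
    # Constructed request: known vendor, changed account, attacker-supplied phone.
    suspicious = Instruction("ops@prime-broker.example", "GB94BARC10201530093459",
                             50_000, requested_callback_phone="+44 7700 900000")
    print(evaluate(suspicious))
```

The decisions are deliberately coarse: anything other than "approve" stops the wire and hands it to a person, and the "approve" path is only reachable once the changed details have been confirmed on a call placed to the registry number and, above the threshold, countersigned by a second approver.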
Cybersecurity Laws and Threats Applicable to, and Cybersecurity Risk Mitigation Frameworks and Techniques for, Investment Managers
A strong cybersecurity program is an investment manager’s primary defense against cyber breaches and their resultant costs. As the frequency of large cyber breaches and the costs of responding to them increase, mitigating cybersecurity risks becomes of paramount importance. A 2015 program sponsored by K&L Gates and the Investment Adviser Association (IAA) surveyed the cybersecurity threat environment and SEC cybersecurity initiatives; summarized the applicable laws and regulations that bear on cybersecurity; considered the multitude of cybersecurity risks faced by investment managers; and offered a number of strategies for mitigating those risks. The program was moderated by Mark C. Amorosi, partner at K&L Gates, and featured Jeffrey Bedser, CEO of iThreat Cyber Group; Laura L. Grossman, associate general counsel of the IAA; Andras P. Teleki, then-partner at K&L Gates; and E.J. Yerzak, then-vice president at Ascendant Compliance Management. This two-part series summarizes their insights. The first article outlines the panel’s thoughts on the costs of cyber breaches; applicable laws and regulations; and cyber threats. The second article discusses their views on mitigating cybersecurity risks. For discussions on how fund managers can learn from actual cyber attacks, see “Lessons for Fund Managers From the SEC’s First Identity Theft Red Flags Rule Settlement” (Nov. 15, 2018); “What Fund Managers Can Learn About Cyber-Breach Disclosure From Yahoo’s $35-Million SEC Settlement” (May 10, 2018); and “Steps Hedge Fund Managers Should Take to Defend Against the Rising Threat of Ransomware in the Wake of WannaCry” (Jun. 15, 2017).
How Managers Can Identify and Manage Cybersecurity Risks Posed by Third-Party Service Providers
Weak service provider cybersecurity practices pose material risks to private fund managers. As connectivity grows, managers run the risk that data entrusted to vendors could be compromised, or that the manager’s own system may be breached through one of its vendors. Consequently, it is critical to understand and manage the risks posed by vendors. A 2017 program presented by Advise Technologies (now Compliance Solutions Strategies) discussed ways to assess vendor risk; best practices for managing vendors; uses of due diligence questionnaires; and common errors in vendor management. Advise’s chief regulatory attorney and managing director, Jeanette Turner, moderated the discussion, which featured Jason Elmer, then-managing director at Duff & Phelps, and Aaron K. Tantleff, partner at Foley & Lardner. This article summarizes their insights. For other commentary from Turner, see “A Roadmap of Potential Landmines for Fund Managers to Avoid When Completing the Revised Form ADV” (May 25, 2017). See also “Surveys Show Cyber Risk Remains High for Investment Advisers and Other Financial Services Firms Despite Preventative Measures” (Jul. 20, 2017); and “Study Reveals Weaknesses in Asset Managers’ Third-Party and Vendor Risk Management Programs” (Mar. 9, 2017).