Cybersecurity Risks and Implications for Investment Advisers
The following article is part of our Hedge Fund Insiders Article Series and was contributed by Haynes and Boone, LLP.
Cybersecurity risks pose an increasingly significant threat to investment advisers. In early 2015, the Securities and Exchange Commission’s (the “SEC”) Office of Compliance Inspections and Examinations (“OCIE”) identified its annual adviser examination priorities, which reflect certain practices perceived to present heightened risk to investors and/or the integrity of US capital markets; one of those priorities was cybersecurity compliance and controls. In April 2015, the SEC’s Division of Investment Management (the “Division”) issued guidance (the “Guidance”) reinforcing cybersecurity as a priority for advisers and suggesting that advisers implement cybersecurity risk assessment plans, response strategies, and written policies and procedures. Included below are measures advisers should consider (some of which are taken directly from the Guidance) when addressing cybersecurity risks relating to their operations:
Risk Assessment. Advisers should conduct assessments of: (1) the nature, sensitivity and location of the information they collect, process and/or store and the technology systems they use; (2) internal and external cybersecurity threats to, and vulnerabilities of, the adviser’s information and technology systems; (3) the security controls and processes currently in place; (4) the impact should their information or technology systems become compromised; and (5) the effectiveness of the governance structure for the management of cybersecurity risk.
Response Strategy. Advisers should create and test a strategy that is designed to prevent, detect and respond to cybersecurity threats, including: (1) controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation and system hardening; (2) data encryption; (3) protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events; (4) data backup and retrieval; and (5) the development of an incident response plan (as discussed below). Advisers should also consider arranging periodic external “intrusion detection” or “penetration testing” to confirm that their cybersecurity defenses are adequate.
Policies and Procedures; Training. Advisers should implement a cybersecurity strategy through written policies and procedures, and through training that gives the adviser’s officers and employees guidance on applicable threats, on measures to prevent, detect and respond to such threats, and on monitoring compliance with the cybersecurity policies and procedures. An adviser’s compliance program could address cybersecurity risk as it relates to identity theft, data protection, fraud and business continuity, as well as other disruptions in service. It is important not only to have policies and procedures in place, but also to periodically confirm that they are actually being followed. Advisers should consider educating clients about how to reduce exposure to cybersecurity threats to their accounts.
Incident Response Plan. When implementing an incident response plan, advisers should consider:
Designating a coordinator and team that is available at all times for incident response (e.g., an adviser’s general counsel, CIO/IT head, or compliance consultant).
Determining the scope of the incident or breach (including determining what was lost, analyzing how confident the adviser’s team is of the existing system’s integrity, determining whether compromised data was encrypted, and interviewing employees and vendors about their responses and their system security, respectively).
Preparing a post-incident report and analysis detailing the event and the adviser’s response, and considering any applicable revisions to the adviser’s policies and procedures in light of the breach and response.
Taking immediate measures to prevent compromises and unauthorized access (including requiring periodic password changes and restricting use of the system by non-essential vendors and contractors).
Determining the adviser’s obligations under federal, state, local and/or international law (e.g., if there has been a breach, determining (in conjunction with counsel) if any governmental agency should be notified or if Form ADV needs to be updated).
Considering whether the adviser’s insurance company has to be notified.
Vendor Management. Advisers should consider performing due diligence on their third-party vendors to confirm whether they have sufficient cybersecurity protective measures in place. Advisers may also consider outsourcing certain cybersecurity risk and protection functions to third-party providers.
Insurance. Advisers should consider whether they should purchase cybersecurity-specific insurance to mitigate any potential losses and/or response costs in the event of a cybersecurity breach.
While it is critical to implement appropriate cybersecurity protocols in order to comply with applicable federal and state law, it is equally important from a franchise risk perspective, as the costs associated with potential losses and responses to a breach can be significant and even devastating. As it is not possible to anticipate and prevent every breach, advisers should implement appropriate safeguards and response plans to lessen the impact of potential attacks on themselves and their clients and/or investors.
US Securities and Exchange Commission, Division of Investment Management, IM Guidance Update No. 2015-02 (April 2015).
About the Author
Shelley Rosensweig is a partner in the Investment Funds and Private Equity Practice Group in the New York office of Haynes and Boone, LLP. She structures and organizes domestic and offshore private investment funds. She advises clients regarding matters which include design, structure and operation of investment portfolios, distribution and marketing issues and commodities and futures issues. Shelley also assists clients with seed investments, the formation of managed account platforms and the organization of joint ventures. She advises investment advisory clients regarding investment products and services, SEC, FINRA and CFTC regulatory and compliance matters, as well as trading issues and employment matters.