Cybersecurity 101 For Fund Managers: Designing a Cybersecurity Program that will Satisfy Regulators, Empower Employees and Encourage Investors
By John T. Araneo, Managing Director, Align Cybersecurity and General Counsel
Cybersecurity has become an unlikely top-line priority for managers of pooled investment vehicles (“Fund Managers”). The Cybersecurity phenomenon has completely upended the risk management paradigm in both the investment management industry and the broader financial services sector, and regulators have been paying close attention. By way of example, in 2016, Mary Jo White, the then-Chair of the Securities and Exchange Commission (the “SEC”), characterized Cybersecurity risk as the biggest threat facing the global financial system [1]. This risk is entirely systematic, if not existential.
The recent “Cybersecurity Sweeps” conducted by the SEC, its triaging of Cybersecurity as a top regulatory priority for the last four (4) years running, and its enforcement actions, which have induced at least one seven-figure settlement and a censure and have even led to criminal proceedings, all demonstrate that Cybersecurity is squarely in the crosshairs of the SEC. Investor expectations have concomitantly mirrored this regulatory focus. Institutional investors have become better informed about many of the Cybersecurity risks facing Fund Managers, and their operational due diligence materials have evidenced their view of Cybersecurity preparedness as a core control and minimum standard.
As a result, it’s incumbent on every Fund Manager to understand its legal, compliance and fiduciary obligations in connection with Cybersecurity and to design, implement and periodically assess a framework of Cybersecurity policies, procedures and controls (a “Cybersecurity Program”). Unfortunately, in the absence of black-letter law, bright-line rules or even a body of regulations that clearly articulate the necessary elements of a sound Cybersecurity Program, Fund Managers have been left scratching their heads about how to comply.
However, after a closer analysis of the recent flurry of regulatory pronouncements regarding Cybersecurity, as well as both the preexisting law on which they were based and the SEC’s enforcement actions that attempted to apply them, the anatomy of an unimpeachable Fund Manager’s Cybersecurity Program begins to become apparent.
The Legal and Regulatory Landscape: Background of the Cybersecurity Initiative
Many of our Fund Manager clients have inquired as to exactly when, and precisely how, the regulators asserted jurisdiction over their data networks. Starting in 2014, Cybersecurity emerged as an oft-cited topic by regulators and a clear regulatory movement began to take shape. Prior to the regulators’ “Cybersecurity Initiative,” however, there was a legal and regulatory foundation — albeit scant — already in place.
Existing Law and Regulation
As a general matter, the law has not been able to keep up with the evolution of technology and the dangers posed by malicious parties such as hackers. Federal, state and international laws addressing Cybersecurity are still evolving and therefore remain in flux. In the investment management industry, there is a limited statutory and regulatory foundation regarding Cybersecurity. Specifically, Regulation S-P (the “Safeguards Rule”) is the regulation that most directly implicates Cybersecurity, and it generally requires firms to adopt written policies and procedures reasonably designed to protect client information from unauthorized access.
Additionally, the Identity Theft Red Flag Rules provide further legal support for addressing Cybersecurity failings and require specific covered entities, including certain investment advisers, to develop and implement a written program to “detect, prevent, and mitigate identity theft” in connection with client account information. And although the Investment Advisers Act of 1940 has no express statutory language or direct provision dealing with Cybersecurity, it’s quite conceivable that a Fund Manager’s failure to take reasonable efforts to design and implement a Cybersecurity Program could run afoul of its anti-fraud and fiduciary rules.
Takeaway: Prior to 2014, the limited legal and regulatory requirement had been, quite simply, for Fund Managers to implement policies, practices and controls, reasonably designed to protect client information.
The Regulators’ Cybersecurity Initiative
Building on this legal foundation, various regulators, led by the SEC and including the Financial Regulatory Association, the Commodity Futures Trading Commission and the National Futures Association, all took bites at the Cybersecurity apple. The full body of these materials is beyond the scope of this article; however, certain salient points from the SEC’s Risk Alerts and guidance materials are particularly instructive to Fund Managers in understanding and complying with their regulatory compliance obligations surrounding Cybersecurity. These highlights include:
January 30, 2014: The initiative began with the SEC’s Investment Advisor 2014 Compliance Outreach Program and, soon thereafter, on March 26, 2014, the SEC held a Cybersecurity Roundtable.
April 15, 2014: The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert announcing its “Cybersecurity Initiative,” more often referred to as the SEC’s “Cybersecurity Sweep”. The SEC emphasized certain focal points for these sweeps and included a sample list of document requests, categorizing and enumerating certain items the SEC may seek in connection with a Cybersecurity Sweep or examination. This list is particularly significant in that it went beyond the duty to protect client information and signaled, for the first time, that the SEC expects Fund Managers to protect their own proprietary information, including information about their trading strategies, employees, investment programs and other intellectual assets of the firm.
February 3, 2015: OCIE released another Risk Alert summarizing the results of the 2014 Cybersecurity Sweep. Interestingly, the summary revealed, among other things, that most advisers had adopted Cybersecurity policies and procedures, but less than half of them followed through with the required periodic assessments, even though a very high majority of the examinees reported suffering cyberattacks. The summary went on to report that fewer than one-quarter of the examined investment advisers had considered Cybersecurity as it relates to third-party vendors, and it addressed other Cybersecurity trends and considerations for investment advisers, including identifying best practices through information-sharing networks, designating a Chief Information Security Officer, managing vendor relationships and obtaining Cybersecurity insurance.
April 2015: The SEC’s Division of Investment Management issued a Guidance Update suggesting that, in implementing a Cybersecurity Program, Fund Managers must consider: (i) conducting periodic assessments of several areas, such as their data inventory, their use and storage of such data, threats and controls; (ii) creating a strategy to prevent, detect and respond to these threats; and (iii) implementing these strategies via policies and procedures that are customized to the scope and nature of each investment adviser and its business.
September 15, 2015: OCIE issued another Risk Alert announcing its Cybersecurity Examination Initiative for 2015. Building on the cumulative materials that preceded it, as well as the results of the Cybersecurity Sweeps in both the current and prior years, this Risk Alert articulated a clear focus not on the existence of a Cybersecurity compliance program but rather on the effectiveness of the implementation of such a program and the actual integration of the controls created therein. This Risk Alert also provided much-needed clarity on the largely principles-based guidance materials issued up to that point by identifying certain functional categories that should be included in any Cybersecurity compliance program. Such categories include: (i) governance and risk assessment; (ii) access rights and controls; (iii) data loss prevention; (iv) vendor management; (v) training; and (vi) incident response. OCIE also makes clear in this Risk Alert that a breach, in and of itself, would not necessarily impart liability, stating that it “recognizes that it is not possible for a fund or adviser to anticipate and prevent every cyber-attack.” Finally, footnote nine (9) of this Risk Alert provides interesting commentary to the effect that any breach caused by insiders, such as fund or advisory personnel, could lead to fraudulent conduct being attributed to an investment adviser, in violation of the anti-fraud provision of the Advisers Act.
Takeaway: The SEC: (i) has learned from its sweeps that many Fund Managers have policies but have failed to integrate them or periodically test them; (ii) expects Fund Managers to protect both client information and certain proprietary information; (iii) requires a Fund Manager’s Cybersecurity Policy to encompass governance, access rights, data loss prevention, vendor management, employee training and incident response planning; (iv) has indicated that a successful breach of a Fund Manager’s network will not, in and of itself, result in regulatory fines, penalties or other actions; and (v) suggests that any breach caused by insiders could violate the anti-fraud provision of the Advisers Act.
In Re: R.T. Jones Capital. On September 22, 2015, the SEC’s Enforcement Division announced a settlement with R.T. Jones Capital Equities Management, Inc. (“R.T. Jones”) in connection with an enforcement proceeding surrounding R.T. Jones’ failure to establish reasonable Cybersecurity policies and procedures. R.T. Jones failed to conduct periodic risk assessments, employ a firewall to protect the client information, encrypt the client information on the server or establish procedures for responding to a Cybersecurity incident. Significantly, however, the SEC found no evidence that such personally identifiable information (PII) was ever stolen or even affected. Nonetheless, the SEC concluded that R.T. Jones had violated the law by failing to adopt policies and procedures reasonably designed to protect against threats to the security of its customer and third-party information, pursuant to Regulation S-P. Ultimately, the SEC censured R.T. Jones and ordered it to cease and desist from further violations and to pay a $75,000 fine.
In Re: Morgan Stanley Smith Barney LLC. On June 8, 2016, the SEC’s Enforcement Division announced charges against Morgan Stanley Smith Barney LLC (“MSSB”) for failing to adopt written policies and procedures reasonably designed to protect customer records and information; as a result, a former MSSB employee was able to access and transfer information relating to 730,000 customers to his own personal server, without authorization. Although the SEC noted that MSSB made exemplary response efforts, including self-reporting the incident to the SEC, discovering the breach by way of its own efforts and vigilance, terminating the offending employee and swiftly engaging both an independent consulting firm and a law firm to advise it on how to handle the incident, in the end MSSB agreed to pay a fine of $1,000,000.
Takeaway: Even in the absence of an actual attack or a security breach where investor information was taken or transferred away, the failure of an investment adviser to design and implement a Cybersecurity Program is actionable. Moreover, the SEC will pursue Fund Managers of any size or stature and will take action against them if the controls and policies they claim to have are not actually implemented and integrated throughout the enterprise. Finally, the SEC has also indicated that an effective response to a breach will be viewed favorably.
Putting it All Together – A Fund Manager’s Cybersecurity Program
Extrapolating from this body of law, regulation and case precedents, a framework emerges. Fund Managers are expected to adopt policies and procedures reasonably designed to protect both their clients’ data and their own proprietary, valuable information. Fund Managers must also ensure their Cybersecurity Program addresses not just data loss protection but also includes a governance framework within the firm that addresses access rights and controls, employee training, vendor management and incident response planning. The SEC will also focus on whether the Cybersecurity Program has been fully integrated within the firm and periodically tested and, while it will impute liability to Fund Managers who fail to ensure such controls have in fact been implemented, it will reward effective incident response actions and employ a sliding scale, considering the size, sophistication and resources of each Fund Manager it examines.
In conclusion, Fund Managers who adopt, implement and periodically assess Cybersecurity Programs that include technology, governance and employee education elements can demonstrate to regulators and the investor community that they have “cracked the code” on Cybersecurity.
ABOUT THE AUTHOR
John Araneo is Managing Director and General Counsel of Align Cybersecurity. John also remains a practicing attorney with Cole-Frieman & Mallon, LLP, a firm that represents over 600 asset management clients and launches approximately 70 private investment funds annually. Having followed the regulatory initiative on Cybersecurity in the alternative asset management space since its inception, John is an established author, Cybersecurity expert and a well-known thought-leader on the legal, regulatory and governance issues related to Cybersecurity.
[1] See Lisa Lambert and Suzanne Barlyn, SEC Says Cyber Security Biggest Risk to Financial System, REUTERS (May 18, 2016), http://www.reuters.com/article/us-finance-summit-sec-idUSKCN0Y82K4.