After a series of high-profile data breaches at both financial and nonfinancial companies, regulators are increasingly highlighting the need for funds' ongoing efforts to prevent and respond to hacking events. Amid this added scrutiny, fund managers will be expected to stay informed of their responsibilities and ensure they are in compliance.

The issue of cybersecurity has been in the headlines in 2015 following data breaches involving several nationwide retailers and retail banks. The investment sector has also been affected, including the revelation in August of a large-scale international hacking scheme that used nonpublic information to reap $100 million of illegal profits. President Barack Obama also recently called for renewed cybersecurity efforts in both the public and private sectors to address the "significant" vulnerabilities the country faces from state, nonstate and criminal actors here and abroad. The Securities and Exchange Commission ("SEC"), meanwhile, announced a settlement with a St. Louis-based investment adviser related to charges that it failed to establish the required cybersecurity policies and procedures ahead of a breach that compromised the personal information of approximately 100,000 individuals, including thousands of the firm's clients.

As part of this emphasis on cybersecurity, the SEC's Office of Compliance Inspections and Examinations ("OCIE") released an alert on Sept. 15 outlining its 2015 Cybersecurity Examination Initiative. The alert outlined the areas of focus for the office's second round of cybersecurity examinations, which will include further testing of investment advisers and broker-dealers to assess the implementation of firms' procedures and controls. This may ultimately lead to increased enforcement actions addressing cybersecurity weaknesses. The alert's focus areas include:

  • Governance and Risk Assessment;
  • Access Rights and Controls;
  • Data Loss Prevention;
  • Vendor Management;
  • Training; and
  • Incident Response.

Although large investment advisers may fall victim to the most high-profile cyberattacks, small and emerging companies are not exempt from the obligation to protect their investors. SEC Commissioner Luis Aguilar highlighted this responsibility on Sept. 23, when he pointed out that the majority of targeted cyberattacks in 2014 were aimed at small and midsize businesses.

Earlier in 2015, the SEC also published a series of alerts aimed at enhancing protections for both investors and industry members. A Feb. 3 OCIE risk alert provided an examination of the state of preparedness in the industry on matters such as identifying cybersecurity risks; establishing policies, procedures and oversight processes; and addressing risks associated with remote access to client information, funds transfer requests and third-party vendors. Although it provides a mostly high-level overview, the guidance also provides useful information to help private and registered fund managers determine additional measures to ensure their obligations are being met.

Specifically, the OCIE examination found the vast majority of examined broker-dealers (93%) and investment advisers (83%) had adopted written information security policies, and most (93% and 79%, respectively) conduct periodic, firm-wide risk assessments to identify cybersecurity threats, vulnerabilities and potential business consequences. Almost all the broker-dealers (98%) and investment advisers (91%) surveyed utilized some form of encryption technology, while many also provided their clients with information about protecting their sensitive information. Other cybersecurity measures – such as the creation of chief information security officer positions, the use of cybersecurity insurance, and the examination of risk policies relating to vendors and business partners – are also discussed as potential solutions. Funds and advisers should consider the suitability of stand-alone cyber liability insurance and whether enhancements of their existing insurance are available to address potential expenses or damages relating to cybersecurity matters. For example, off-the-rack directors and officers or errors and omissions ("D&O"/"E&O") insurance policies often have exclusions to coverage that can apply in a cyber breach scenario, but experienced counsel can be useful in identifying and negotiating contractual improvements to ensure a policy's maximum effectiveness as a financial mitigant of potential cybersecurity-related losses.

The SEC isn't alone in its increased attention to cybersecurity and compliance with existing and relevant laws, regulations and best practices. The U.S. Third Circuit Court of Appeals unanimously affirmed on Aug. 24 a district court's ruling in FTC v. Wyndham Worldwide Corp. that the Federal Trade Commission ("FTC") has the authority to regulate a company's data security practices under Section 5 of the FTC Act, which broadly prohibits "unfair or deceptive acts or practices in or affecting commerce." In a precedent-setting victory for the FTC, the Third Circuit endorsed the FTC as a key cybersecurity regulator, and the ruling will have an impact across all sectors and may reach private fund managers responsible for handling clients' confidential financial information, adding another layer of regulatory scrutiny to their operations.

Ultimately, the fact that regulators such as the SEC and the FTC, with apparent encouragement from the White House, are increasingly active in cybersecurity enforcement and advice demonstrates the added importance they are placing on the issue, and fund managers will be expected to keep pace. While a cyberattack itself could be harmful, with the potential for far-reaching reputational and monetary losses, the damages from an enforcement action could be equally significant.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.