A global technology outage linked to the cybersecurity firm CrowdStrike crashed Microsoft apps and triggered major disruptions across the asset management sector, along with other global industries.
Private fund managers affected by this outage should assess whether they have any regulatory notification obligations. For example:
- Section 5.G of Form PF requires large ($1.5 billion AUM) hedge fund managers to file a report following any significant disruption or degradation of operations necessary for (i) investment, trading, valuation, reporting and risk management functions; or (ii) the operation of a reporting fund in accordance with federal securities laws and regulations. Note that events at a service provider are expressly in scope. That report must be filed "as soon as practicable, but no later than 72 hours" after the occurrence of the event (and note that there is no tolling for weekends or holidays).
- The National Futures Association requires its members to notify NFA of a cybersecurity incident (i) that results in any loss of customer or counterparty funds or the Member's own capital; or (ii) that requires the Member to notify customers or counterparties under state or federal law.
Fund managers should also consider whether affiliate registrations with other regulators and SROs (including non-US entities) require a notification. Side letter and similar obligations may also require notifications.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.