The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Financial Services

  • From Vol. 3 No.8 (Apr. 19, 2017)

    How to Ensure Cyber Risks Do Not Derail an IPO

    In preparation for a public offering, companies should expect scrutiny of their cybersecurity risks and the measures they take to address them, just as they do with other aspects of their business. Cyber risks and incidents can derail an IPO if they are not handled correctly. Gibson Dunn partners Andrew L. Fabens, Stewart L. McDowell and Peter W. Wardle spoke with The Cybersecurity Law Report about steps companies should take in preparing for an IPO, as well as the potential impact cybersecurity can have on the IPO process and stock price. See also “Tackling Cybersecurity and Data Privacy Issues in Mergers and Acquisitions (Part One of Two)” (Sep. 16, 2015); Part Two (Sep. 30, 2015).

  • From Vol. 3 No.7 (Apr. 5, 2017)

    Best Practices for Mitigating Compliance Risks When Investment Advisers Use Social Media

    The advent of Twitter, Facebook, LinkedIn and other social media forums has had a dramatic impact on society at large, including the investment funds industry. Yet, investment advisers and firms may not fully grasp the compliance and operational risks that new technologies and sites can pose. Questions abound as to whether social media can be used to provide material information to certain investors at the expense of others, when the line is crossed from informational content to marketing a fund and whether the social media accounts of individual employees and representatives need to be monitored for compliance purposes. In-house compliance officers, outside counsel and an SEC branch chief in the Chief Counsel’s Office of the SEC’s Division of Investment Management discussed and offered insights on these issues at a recent Regulatory Compliance Association PracticEdge session. See also “What It Takes to Establish Compliant Social Media Policies for the Workplace” (Mar. 22, 2017).

  • From Vol. 3 No.5 (Mar. 8, 2017)

    What Covered Financial Entities Need to Know About New York’s New Cybersecurity Regulations

    Cybersecurity regulations from the New York State Department of Financial Services took effect on March 1, 2017. The scope of the regulations, which apply to financial institutions, insurance companies, and other financial services firms licensed by the State of New York, was narrowed to a degree following numerous industry comments on the proposed draft. This guest article by James Kaplan and Moein Khawaja, partner and associate at Quarles & Brady, explains the new requirements and changes from previous versions, and provides guidance regarding the implementation of the regulations and best cybersecurity practices related to the current regulatory environment. They also predict what future regulation might look like in this area. See also “Preparing to Meet the Deadlines of DFS’ Revised New York Cybersecurity Regulation” (Jan. 25, 2017).

  • From Vol. 3 No.3 (Feb. 8, 2017)

    How Fund Managers Can Prepare for Investor Cybersecurity Due Diligence

    Cybersecurity remains a top-of-mind issue for regulators, investors and investment advisers. As part of operational due diligence, investors often evaluate whether an adviser has robust cybersecurity defenses. Similarly, advisers must ensure that their administrators, brokers and other third parties have appropriate defenses. A recent program hosted by the Investment Management Due Diligence Association gave specifics on what investors may be looking for, including due diligence questions they may ask and how they may evaluate a firm’s cybersecurity program, including its cyber insurance. See also our two-part series on vendor risk management: “Nine Due Diligence Questions” (May 25, 2016) and “14 Key Contract Terms” (June 8, 2016).

  • From Vol. 3 No.2 (Jan. 25, 2017)

    Preparing to Meet the Deadlines of DFS’ Revised New York Cybersecurity Regulation

    The New York State Department of Financial Services proposed a cybersecurity regulation that raised many eyebrows when it was first introduced in September 2016. Taking into account the over 150 comments it received, the DFS published an updated version of the regulation at the end of 2016 and delayed the effective date by two months – until March 1, 2017. In this interview, Patterson Belknap Webb & Tyler LLP partner Craig A. Newman offers insight on what the new regulation means to covered institutions and the actions companies will need to take to be in compliance. See also “Steps Financial Institutions Should Take to Meet New York’s Proposed Cybersecurity Regulation” (Sep. 21, 2016).

  • From Vol. 3 No.2 (Jan. 25, 2017)

    FINRA Emphasizes the Importance of Proper Electronic Record Storage in Enforcement Actions

    Accurate recordkeeping is one of the core duties of broker-dealers and investment advisers. As the number of electronic records has exploded in recent years, so have the risks of hacks or other malicious acts. FINRA recently settled enforcement actions against 12 of its members, imposing a total of $14.4 million in fines, for their failures to store electronic records in “write once, read many” (commonly referred to as “WORM”) format, as well as other violations of SEC recordkeeping rules. In its press release, FINRA emphasized that the deficiencies affected hundreds of millions of records, and the need to maintain records in the WORM format because “the volume of sensitive financial data stored electronically has risen exponentially and there have been increasingly aggressive attempts to hack into electronic data repositories, posing a threat to inadequately protected records.” This article explores the violations and key terms of the eight separate FINRA Letters of Acceptance, Waiver and Consent (AWCs). See also “FINRA Lays Out Cyber Expectations in Action Against Broker-Dealer” (Dec. 14, 2016).

  • From Vol. 2 No.25 (Dec. 14, 2016)

    FINRA Lays Out Cyber Expectations in Action Against Broker-Dealer

    A recent FINRA action against Lincoln Financial Securities Corporation, a general securities business, involving the firm’s alleged failure to safeguard customer data, preserve customer records and implement an appropriate supervisory system sheds light on regulatory expectations for a range of sectors. This article explains the alleged misconduct, the terms of the settlement, the remedial measures the firm is implementing, and the cybersecurity measures FINRA expects firms to take. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

  • From Vol. 2 No.21 (Oct. 19, 2016)

    SEC Emphasizes Protecting Information From More Than Just Cyber Threats in Deutsche Bank Case

    While regulators and companies have recently focused on cybersecurity efforts to keep data secure, the SEC’s recent administrative proceeding against Deutsche Bank Securities Inc. (DBSI) emphasizes that policies and practices to secure data must continue to safeguard nonpublic information from all types of dissemination methods, from emails and chats, to telephone calls and in-person meetings. The SEC announced last week that DBSI agreed to pay a $9.5 million penalty for (1) failing to properly safeguard material nonpublic information generated by its research analysts, (2) publishing an improper research report and (3) failing to properly preserve and provide electronic chat records sought by the SEC. The SEC emphasized that employees must receive clear definitions and training so that they understand what information should not be shared. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

  • From Vol. 2 No.21 (Oct. 19, 2016)

    How the Financial Services Industry Can Handle Cybersecurity Threats, Acquisition Diligence and Breach Response

    The financial services sector is often praised as having some of the most mature cybersecurity practices, but it also holds especially sensitive data and is one of the most common targets for malicious hackers. Asset managers in particular are confronted with general cybersecurity risks while navigating industry nuances. At a recent panel hosted by Major, Lindsey & Africa, Debevoise partners Luke Dembosky and Jim Pastore, both former federal prosecutors, addressed emerging cybersecurity threats, risks from vendors, potential breaches in a pre-acquisition and post-acquisition context, breach response and special considerations for breaches of investor or consumer data. Much of the advice is relevant to all companies grappling with data security risks and breach consequences. See also our two-part series on how the financial services sector can meet the cybersecurity challenge: “A Snapshot of the Regulatory Landscape (Part One of Two)” (Dec. 9, 2015); “A Plan for Building a Cyber-Compliance Program (Part Two)” (Jan. 6, 2016).

  • From Vol. 2 No.19 (Sep. 21, 2016)

    Steps Financial Institutions Should Take to Meet New York’s Proposed Cybersecurity Regulation

    With the ever-growing threat posed to the financial services industry by nation-states, terrorist organizations and independent criminal actors, earlier this month New York Governor Andrew Cuomo announced a proposed regulation that would require financial institutions to develop and implement cybersecurity programs to prevent and mitigate cyber attacks. The proposal is to be published in the New York State Register on September 28; after a 45-day comment period, the regulation is set to become effective January 1, 2017. “Even though the rules are not final, regulated financial institutions should begin considering how to comply today,” Orrick partner and cybersecurity & data privacy team co-chair Aravind Swaminathan told The Cybersecurity Law Report. In this article, we outline what companies need to do to be compliant with the new proposed regulation. See also “How the Financial Services Industry Can Manage Cyber Risk” (Jul. 20, 2016).

  • From Vol. 2 No.16 (Aug. 3, 2016)

    Procedures for Hedge Fund Managers to Safeguard Trade Secrets From Rogue Employees

    In an era when high-profile data theft cases have shaken some people’s faith in the security of personal information entrusted to fund managers, it is critically important for firms to take steps to detect, prevent and address such thefts by rogue employees. This is of particular urgency for hedge fund managers now that the SEC has stepped up its focus on cybersecurity. Data security and the measures that can help safeguard trade secrets and sensitive information were the focus of a recent Hedge Fund Association panel discussion featuring participants from the law firm Gibbons, the litigation consulting firm DOAR and the hedge fund Litespeed Partners. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

  • From Vol. 2 No.15 (Jul. 20, 2016)

    How the Financial Services Industry Can Manage Cyber Risk

    Financial services providers and financial institutions are prime targets for hackers, and have also been targets of SEC scrutiny – the agency has recently brought actions against Morgan Stanley, Craig Scott Capital, and RT Jones for cybersecurity violations, even in the absence of a breach. How can firms in those industries ensure their cybersecurity programs are robust and mitigate risk? At a recent symposium held by the Hedge Fund Association, panelists with various cybersecurity perspectives and expertise shared their insight on preparedness, incident response plans, vendor management, cyber insurance (including recommendations for carriers) and whether to use cloud services. See also our two-part series on how the financial services sector can meet the cybersecurity challenge: “A Snapshot of the Regulatory Landscape (Part One of Two)” (Dec. 9, 2015); “A Plan for Building a Cyber-Compliance Program (Part Two)” (Jan. 6, 2016).

  • From Vol. 2 No.13 (Jun. 22, 2016)

    Morgan Stanley Action Signals SEC’s Continued Enforcement of Safeguards Rule

    Morgan Stanley Smith Barney may have escaped charges under Section 5 of the Federal Trade Commission Act, but it has agreed to pay $1 million to settle charges that it violated the Safeguards Rule. The settlement stems from allegations that employee Galen Marsh transferred data containing the PII of 730,000 customers to his personal server. That data later appeared on multiple internet sites. There was no harm alleged, and this settlement, coupled with the R.T. Jones and Craig Scott Capital actions, may show that the SEC is picking up enforcement of the Safeguards Rule. “Here, the SEC clearly is trying to make a statement to the broker-dealer and investment adviser community about how seriously it takes cyber. This also seems like a message to the FTC that the SEC intends to be the key cop on this part of the cyber beat,” Jeremy Feigelson, a partner at Debevoise, told The Cybersecurity Law Report. We analyze the settlement and its implications. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

  • From Vol. 2 No.12 (Jun. 8, 2016)

    How Financial Service Providers Can Use Cyber Insurance to Mitigate Risk

    Cyber threats in the alternative investment industry are growing larger and more sophisticated, requiring financial service providers to maintain sufficient infrastructure to prevent and respond to any breaches. A key component of that infrastructure is a cyber insurance policy to reimburse the fund manager for costs incurred defending against a cyber attack and loss of data caused by the attack. A recent alternative asset manager forum sponsored by insurance advisory and brokerage firm Crystal & Company offered a look at the current cyber threat landscape, cybersecurity preparedness, breach response and cyber liability insurance from the insurance, legal and forensic perspectives. The panel featured experts from investigation and consultancy firm K2 Intelligence, AIG Property & Casualty’s financial institutions group, AXIS Insurance and Lewis Brisbois Bisgaard & Smith. See also the CSLR’s series on how the financial services sector can meet the cybersecurity challenge: “A Snapshot of the Regulatory Landscape (Part One of Two)” (Dec. 9, 2015); “A Plan for Building a Cyber-Compliance Program (Part Two)” (Jan. 6, 2016).

  • From Vol. 2 No.10 (May 11, 2016)

    SEC Teaches Broker-Dealer a Lesson About Keeping Business Emails Secure

    In its continued enforcement of appropriate cybersecurity controls, the SEC initiated administrative proceedings against Craig Scott Capital, LLC (CSC), a broker-dealer based in Uniondale, New York, and its two principals for failing to protect confidential consumer information by using personal email addresses for business matters. “The enforcement action, including the fines imposed, reflects how seriously SEC takes the adoption of and compliance with proper policies and procedures,” Anastasia Rockas, a partner at Skadden, told The Cybersecurity Law Report. The SEC, alleging no harm to consumers, fined CSC $100,000 and its two principals $25,000 each. See also “Investment Adviser Penalized for Weak Cyber Policies; OCIE Issues Investor Alert” (Sep. 30, 2015).

  • From Vol. 2 No.6 (Mar. 16, 2016)

    How Financial Service Providers Can Address Common Cybersecurity Threats

    The National Futures Association’s Interpretive Notice on cybersecurity, which became effective on March 1, 2016, calls for NFA members to adopt an Information Systems Security Program robust enough to guard against increasingly sophisticated cybersecurity threats. Senior NFA personnel and industry experts recently gathered at a workshop to give advice on complying with the Notice and how to strengthen a firm’s ability to prevent, detect and remediate cybersecurity incidents. This article covers the panelists’ discussion of critical cybersecurity threats; cybersecurity response plans; training; and other practical cybersecurity measures. For previous coverage of the NFA workshop, see “Expert Advice on Newly Effective NFA Cybersecurity Requirements for Market Participants” (Mar. 2, 2016). See also CSLR’s two-part series on how the financial services sector can meet the cybersecurity challenge: “A Snapshot of the Regulatory Landscape (Part One of Two)” (Dec. 9, 2015); “A Plan for Building a Cyber-Compliance Program (Part Two)” (Jan. 6, 2016).

  • From Vol. 2 No.5 (Mar. 2, 2016)

    Expert Advice on Newly Effective NFA Cybersecurity Requirements for Market Participants

    How will the National Futures Association’s new Interpretive Notice on cybersecurity (effective March 1, 2016) change data and electronic system security requirements for NFA members? The NFA recently held a Cybersecurity Workshop featuring a number of senior NFA personnel and industry experts to discuss the particulars of the Notice and provide insight into what NFA examiners will be looking for when they conduct member examinations. The program, which was moderated by NFA director Amy McCormick, included NFA directors Shuna Awong, Patricia Cushing and Dale Spoljaric, as well as industry participants Patricia Donahue, senior vice president and chief compliance officer at Rosenthal Collins Group LLC; Buddy Doyle, founder and CEO of Oyster Consulting; and Peter Salmon, a senior director at the Investment Company Institute. See also “New NFA Notice Provides Cybersecurity Guidance to Futures and Derivatives Market” (Nov. 11, 2015).

  • From Vol. 2 No.2 (Jan. 20, 2016)

    Navigating FCA and SEC Cybersecurity Expectations (Part Two of Two)

    When designing cyber-compliance programs, financial firms operating in multiple jurisdictions must adopt a coordinated approach to cybersecurity that meets the divergent regulatory requirements of all jurisdictions in which they are doing business. This two-part series examines the operations of the U.K. Financial Conduct Authority (FCA) and the SEC, both of which have increased their focus on cybersecurity, albeit with differing approaches. Part One discussed the FCA and SEC as regulators of financial services in their respective jurisdictions and outlined the guidance issued, and the methods adopted, by the two regulators. This article explores how asset managers and others in the financial sector can navigate the current regulatory environments, including existing guidance, in the U.S. and U.K., and simultaneously satisfy the requirements of each regulator. See also “Regulatory Compliance and Practical Elements of Cybersecurity Testing for Fund Managers (Part One of Two)” (Jun. 17, 2015); Part Two (Jul. 1, 2015); and “Analyzing and Mitigating Cybersecurity Threats to Investment Managers (Part One of Two)” (May 6, 2015); Part Two (May 20, 2015).

  • From Vol. 2 No.1 (Jan. 6, 2016)

    How the Financial Services Sector Can Meet the Cybersecurity Challenge: A Plan for Building a Cyber-Compliance Program (Part Two of Two)

    Despite the abundance of principles-based cybersecurity guidance provided by regulators, interpreting those principles and turning them into actionable items remains a formidable task. Nevertheless, financial services professionals have a fiduciary duty to devote best efforts to mitigating cyber risk by building an appropriate risk management solution. In a guest article, the second in a two-part series, Moshe Luchins, the deputy general counsel and compliance officer of Zweig-DiMenna Associates LLC, provides a practical blueprint to build a cyber-compliance program. Many aspects of the blueprint are not only applicable to those in the financial industry but to other sectors as well. The first article explored current regulatory expectations applicable to the financial services sector. See also “Analyzing and Mitigating Cybersecurity Threats to Investment Managers (Part One of Two)” (May 6, 2015) and Part Two (May 20, 2015).

  • From Vol. 1 No.18 (Dec. 9, 2015)

    How the Financial Services Sector Can Meet the Cybersecurity Challenge: A Snapshot of the Regulatory Landscape (Part One of Two)

    The cyber focus has become increasingly intense for the financial services sector. Industry compliance personnel are challenged to keep up with cybersecurity requirements in this area, with new major regulatory developments occurring on a regular basis. In a guest article, the first in a two-part series, Moshe Luchins, the deputy general counsel and compliance officer of Zweig-DiMenna Associates LLC, explores the current cybersecurity regulatory expectations applicable to the financial services sector. The second article will provide a practical blueprint for building a cyber compliance program. See also “Debunking Cybersecurity Myths and Setting Program Goals for the Financial Services Industry,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.16 (Nov. 11, 2015)

    New NFA Notice Provides Cybersecurity Guidance to Futures and Derivatives Market

    Cybersecurity in the futures and derivatives market is “perhaps the single most important new risk to market integrity and financial stability,” according to Commodity Futures Trading Commission Chairman Timothy Massad. The National Futures Association (NFA), a self-regulatory organization responsible for the registration of certain market participants, recently received approval from the CFTC of its Interpretive Notice to several existing NFA compliance rules. The new guidance will provide more specific standards for supervisory procedures and will require NFA members to adopt and enforce written policies and procedures to secure customer data and electronic systems. “The approach of the Interpretive Notice is to tie cybersecurity best practices to a firm’s supervisory obligations,” Stephen Humenik, a Covington & Burling partner, told The Cybersecurity Law Report. See also “Debunking Cybersecurity Myths and Setting Program Goals for the Financial Services Industry,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.15 (Oct. 28, 2015)

    MasterCard and U.S. Bancorp Execs Share Tips for Awareness and Prevention of Mushrooming Cyber Risk (Part Two of Two)

    With threat vectors increasing at least as rapidly as new technology, companies need to be well-versed in how to recognize and prevent cyber attacks. In the second installment of our coverage of PLI’s recent Cybersecurity 2015: Managing the Risk program, two top-level executives and leaders in cybersecurity, Jenny Menna, U.S. Bank’s cybersecurity partnership executive, and Greg Temm, vice president for information security and cyber intelligence at MasterCard, tackle mitigating cyber risk. They discuss, among other things: information sharing efforts; eight important components of an information technology ecosystem; and how to prevent cyber attacks at home and in the office. In the first article in the series, they addressed the current cyber landscape, prevalent threats, and responses to those threats that are being implemented by the government, regulators and private companies. See also “Weil Gotshal Attorneys Advise on Key Ways to Anticipate and Counter Cyber Threats,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

  • From Vol. 1 No.13 (Sep. 30, 2015)

    What the OCIE Cybersecurity Risk Alert Means for Investment Advisers and Broker-Dealers

    Continuing its emphasis on the cyber-preparedness of broker-dealers, the SEC Office of Compliance Inspections and Examinations (OCIE) announced a second round of examinations “to assess implementation of firm procedures and controls.” On September 15, 2015, OCIE issued a Risk Alert detailing its concerns, as well as sample requests for information in six focus areas: governance and risk assessments, access controls, data security, vendor management, training and incident response. We analyze the alert and explore the cybersecurity implications for investment advisers and broker-dealers. See also “Meeting Expectations for SEC Disclosures of Cybersecurity Risks and Incidents (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 10 (Aug. 12, 2015); Part Two, Vol. 1, No. 11 (Aug. 26, 2015).

  • From Vol. 1 No.13 (Sep. 30, 2015)

    Investment Adviser Penalized for Weak Cyber Policies; OCIE Issues Investor Alert

    So far, the SEC’s focus on cybersecurity has largely been relegated to providing guidance to registrants and learning about the state of cybersecurity preparedness through focused examinations. One sign that the SEC will go further and take action against firms that fail to follow that guidance, regardless of whether harm is alleged, is the recent settlement with investment adviser R.T. Jones Capital Equities Management, Inc. The firm suffered a cybersecurity breach that compromised information of over 100,000 retirement plan participants and has agreed to pay a $75,000 fine to settle the charges that it violated the Safeguards Rule. The SEC released a related Investor Alert that offers guidance to individual investors who believe that their personally identifiable information has been compromised. We provide the highlights. See also “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • From Vol. 1 No.10 (Aug. 12, 2015)

    Can an Employee Be Liable for Inadvertently Providing Security Details to a Fraudulent Caller?

    An investment management firm’s CFO allowed a fraudulent caller to obtain security details leading to the illegitimate transfer of nearly $1.16 million from the firm’s accounts and is liable for the damages, a new claim filed in the U.K. High Court of Justice alleges. The firm says that its CFO acted negligently and in breach of his contractual, tortious and fiduciary duties in failing to protect assets in corporate bank accounts. The CFO – who believed he was providing security details to a member of the anti-fraud team of the firm’s private bank – denies these allegations, asserting that he was acting honestly, in what he reasonably and genuinely believed to be the best interests of his employer. We examine the claim, the defense, and six issues the case raises relating to cybersecurity and employees. See also “Analyzing and Mitigating Cybersecurity Threats to Investment Managers (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 3 (May 6, 2015); Part Two of Two, Vol. 1, No. 4 (May 20, 2015).

  • From Vol. 1 No.7 (Jul. 1, 2015)

    Regulatory Compliance and Practical Elements of Cybersecurity Testing for Fund Managers (Part Two of Two)

    Cybersecurity is one important element of an investment manager’s overall regulatory compliance responsibilities. Although not explicitly required by SEC regulations, it is clear that the SEC and other regulators expect fund managers to test for cybersecurity vulnerabilities and preparedness. A recent program sponsored by K&L Gates and the Investment Adviser Association featuring experts from those entities as well as BNY Mellon and Nth Generation explored the most effective and efficient testing methods. This article, the second in a two-part series, discusses testing approaches; vulnerability assessments; penetration testing; and recent SEC and private litigation on cybersecurity matters. The first article summarized the panelists’ discussion of the legal and compliance framework for cybersecurity testing; testing considerations; and how to leverage OCIE’s recent cybersecurity examination initiative to improve cybersecurity compliance and testing. See also “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • From Vol. 1 No.6 (Jun. 17, 2015)

    Model Cybersecurity Contract Terms and Guidance for Investment Managers to Manage Their Third-Party Vendors

    Investment managers use a wide range of third-party vendor-provided products and services to manage their daily operations, and many of those third parties have access to sensitive data. Ensuring that data is protected from theft, either deliberate or inadvertent, is paramount. In a guest article, Schulte Roth & Zabel partner Robert Kiesel provides practical vendor management guidance and comprehensive contract provisions, and discusses critical policies and contract terms that investment managers can use to protect their, and their investors’, data. See “Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015); Part Two of Two, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.6 (Jun. 17, 2015)

    Regulatory Compliance and Practical Elements of Cybersecurity Testing for Fund Managers (Part One of Two)

    Cybersecurity is one important element of a fund manager’s overall regulatory compliance responsibilities. Although not explicitly required by SEC regulations, it is clear that managers are expected to test for cybersecurity vulnerabilities and preparedness. Such testing was recently considered in depth at a program sponsored by K&L Gates and the Investment Adviser Association (IAA). The program was moderated by Mark C. Amorosi, a partner at K&L Gates. The other speakers were Laura L. Grossman, assistant general counsel at IAA; Jason Harrell, corporate senior information risk officer at BNY Mellon; Jeromie Jackson, director of security & analytics at Nth Generation; and K&L Gates partners Jeffrey B. Maletta and Andras P. Teleki. This article, the first in a two-part series, details the panelists’ discussion of the legal and compliance framework for cybersecurity testing; testing considerations; and how to leverage OCIE’s recent cybersecurity examination initiative to improve cybersecurity compliance and testing. The second article will discuss testing approaches; vulnerability assessments; penetration testing; and recent SEC and private litigation on cybersecurity matters. See “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • From Vol. 1 No.4 (May 20, 2015)

    Analyzing and Mitigating Cybersecurity Risks to Investment Managers (Part Two of Two)

    The financial services industry, a favorite target of hackers, is especially vulnerable to cybersecurity threats. A recent program sponsored by K&L Gates and the Investment Adviser Association addressed the difficult and high-stakes cybersecurity issues investment managers are facing. This article, the second in a two-part series, discusses the panel’s views on mitigating cybersecurity risks. The first article summarized the key points raised by the panel relating to the costs of cyber breaches; applicable laws and regulations; and cyber threats. The program was moderated by Mark C. Amorosi, a partner at K&L Gates, and featured a panel consisting of Jeffrey Bedser, CEO of iThreat Cyber Group; Laura L. Grossman, assistant general counsel of the IAA; Andras P. Teleki, a partner at K&L Gates; and E.J. Yerzak, vice president at Ascendant Compliance Management.

  • From Vol. 1 No.3 (May 6, 2015)

    Analyzing and Mitigating Cybersecurity Threats to Investment Managers (Part One of Two)

    Financial services firms are a key target of hackers and responding to the breaches they may cause does not come cheap – the average response cost in the financial services sector is more than double the overall average of $5.84 million, according to data from the Ponemon Institute LLC. As incidents increase, regulators are paying closer attention and firms are spending more on cyber preparedness. A recent program sponsored by K&L Gates and the Investment Adviser Association surveyed the current cybersecurity threat environment and SEC cybersecurity initiatives for the financial services sector; summarized the applicable laws and regulations that bear on cybersecurity; considered the multitude of cybersecurity risks faced by investment managers; and offered a number of strategies for mitigating those risks.

  • From Vol. 1 No.3 (May 6, 2015)

    The SEC’s Updated Cybersecurity Guidance Urges Program Assessments

    With its new Investment Management Guidance Update on cybersecurity, the SEC is “now looking at more comprehensive assessment of controls and threats, not just from external sources but also internal sources,” Marc Lotti, a partner at ACA Aponix, told The Cybersecurity Law Report. “Right now, investors and SEC don’t see [disregarding technology risk] as ignorant, they see it as negligent.” The Guidance discusses actions that investment advisers and companies should consider to mitigate those risks and enhance their cybersecurity programs.

  • From Vol. 1 No.2 (Apr. 22, 2015)

    Debunking Cybersecurity Myths and Setting Program Goals for the Financial Services Industry

    The financial sector has been an obvious target of hackers for a long time. Increased scrutiny of firms’ security from regulators, including the SEC, and customers has raised the stakes even further as firms try to stay ahead of risks. ACA Compliance Group recently presented a program to help those regulated industries navigate the current cybersecurity landscape. The panelists, Raj Bakhru and Marc Lotti, both partners at ACA Aponix (the cybersecurity and risk arm of ACA Compliance Group), offered insights into what advisers and fund managers may expect from regulators going forward; discussed common misperceptions about cybersecurity; and explored goals of cybersecurity and technology risk programs.
