Programming a Cybersecurity Policy for the Investment Adviser
By Matthew Cohen & Gregg S. Buksbaum
Posted: 15th September 2015 10:47

A speaker at a recent broker-dealer compliance seminar quipped that there are two types of people in the world: those who have been victims of cybercrime and those who don’t know yet that they are victims of cybercrime. Last year ended with the high-profile hacking of Sony Pictures surrounding the release of its film “The Interview,” but the hack of Sony Pictures was not the only major cybercrime incident to gain media attention in 2014. Contact information for 76 million households and seven million small businesses was stolen from J.P. Morgan Chase in June 2014, but the attack was not noticed until August 2014. As the recent attack on J.P. Morgan Chase demonstrated, the financial services and investment management industries are not immune to cybercrime. Whether from fraudulent redemption orders sent via email or trading computer systems being breached, investment advisers and fund managers alike face the same cybercrime threats as Sony Pictures, J.P. Morgan and other companies. To make sense of the threat, this article discusses the following: recent efforts by United States (“U.S.”) securities regulators to address cybersecurity, common components of a cybersecurity policy using U.S. investment adviser policies as the model for best practice, and the implementation of a cybersecurity policy, including the practicalities and cost of doing so.
Recent U.S. Regulatory Developments
A significant development in the regulation of cybersecurity within the U.S. came on 15 April 2014, when the U.S. Securities and Exchange Commission’s (the “SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a risk alert (the “Risk Alert”) to announce its initiative to conduct examinations focusing on cybersecurity. OCIE’s exams will target, among others, registered investment advisers and focus on cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorised activity, and experiences with threats. Since the Risk Alert, additional initiatives have been put forth by the Financial Industry Regulatory Authority (“FINRA”) and the SEC. On 6 January 2015, FINRA issued its examination priorities letter for 2015. In its letter, FINRA highlighted cybersecurity as one of its financial and operational priorities, focusing on firms’ “approaches to cybersecurity risk management, including their governance structures and process for conducting risk assessments and addressing the output of those assessments.” FINRA also intends to issue a report in early 2015 that will include principles and effective practices to consider when developing cybersecurity programs. Not to be outdone, the SEC issued its examination priorities letter for 2015 a week later. The SEC’s letter mentioned its continuing efforts to examine investment advisers’ cybersecurity compliance and controls. With cybersecurity being a focal point in both examination priorities letters, FINRA and the SEC demonstrate their commitment to ensuring safe market practices.
Developing a Cybersecurity Policy
Developing a comprehensive cybersecurity policy should begin with an assessment of the firm’s physical and technological resources, as well as the firm’s weaknesses and susceptibility to threats. The physical components of a cybersecurity policy may include personnel security, such as employee and vendor IDs and background checks on employees and vendors, and physical security measures, such as limited access to information systems, locked offices, escorting visitors, and physically securing computers. Technological components of a cybersecurity policy may include data encryption, password protection procedures, firewalls, limited remote access, data destruction procedures, and regular testing of system vulnerabilities. Every cybersecurity policy should also include policies and procedures regarding incident response and disaster recovery. Although the prevention and detection of cybersecurity threats are two important aspects of a cybersecurity policy, response to and mitigation of attacks are just as critical. Overall, a well-developed cybersecurity policy should be tailored to the firm’s capabilities, resources, and level of risk.
Implementing a Cybersecurity Policy
Concurrent with developing a cybersecurity policy, a firm should know how it will implement such a policy. Experience has shown that the best approach to implementing a cybersecurity policy may be to obtain cooperation and investment by the relevant employees who would be involved in complying with the cybersecurity policy. By having the relevant employees involved and buying into the program, the cybersecurity policy becomes further tailored to the unique aspects of the firm and increases the chances that the policy will be adopted in an orderly manner. This team of employees could also help in establishing a firm-wide training program and creating a clear hierarchy in the supervision of and reporting under such a program. Experience has also demonstrated that a firm’s chief compliance officer tends to be the one with primary cybersecurity oversight in consultation with the head of information technology.
Although a strong cybersecurity policy is necessary, a cybersecurity policy should also not dominate the firm’s resources and budget. One approach may be to limit high-dollar resources or prevention tools to the most critical components of the firm’s information systems, such as encrypting only social security numbers, account numbers, and other confidential client and employee information. Another approach may be to keep the cybersecurity program in-house as much as possible and not delegate to outside vendors unless necessary. Finally, a robust cybersecurity program may still not stop the most malicious of cyber attacks. As such, the firm may consider purchasing a cybersecurity insurance policy. Such a policy should be customised to the firm’s risk level, thoroughness of its cybersecurity program, and budgetary constraints.
Cybersecurity threats grow each day. With regulators in the U.S. increasingly making cybersecurity a priority, the development of cybersecurity policies and procedures is moving from an act of prudence to a requirement. Investment advisers that have not yet paid attention to cybersecurity should assess risk levels and capabilities and implement a cybersecurity program without delay before the costs of cleaning up an attack outweigh the costs of such a program.
Matthew Cohen is an Associate in the Private Investment Funds Group of Squire Patton Boggs (US) LLP and resides in the firm’s Washington, DC office. Matt’s practice focuses on institutional investors in connection with their investments in private equity funds, hedge funds, and other pooled investment vehicles. Mr. Cohen also advises sponsors and managers in connection with the formation, organisation and operation of various types of domestic and offshore investment funds. He regularly provides guidance to clients with respect to SEC and other regulatory compliance matters. When not playing an attorney on TV, Matt enjoys being a new father and travel.
Gregg S. Buksbaum is a partner of Squire Patton Boggs (US) LLP and the Chair of its global Private Investment Funds Group, as well as a member of its Corporate Group, and resides in the firm’s Washington, DC office. Mr. Buksbaum represents domestic and international fund sponsors in the formation of various types of investment funds and the execution of merger and acquisition transactions. He also counsels these clients on securities regulatory and compliance matters. Mr. Buksbaum also represents large institutional investors, including sovereign wealth funds and family offices, that invest in various types of private funds and acquire and sell portfolio company and real estate investments.