Two recent events should serve as the latest in a series of reminders that cybersecurity risk management – including breach prevention, monitoring, and response or mitigation measures – should be among the top priorities for all fund managers and investment firms.
The first reminder was at the annual SEC Speaks conference in Washington, D.C., held in late February 2016, where a senior SEC enforcement official said the agency would continue to pursue cybersecurity enforcement actions related to three main themes: (i) the failure to safeguard confidential information, (ii) the theft of nonpublic information for illegal use in market activities and (iii) the failure by a public company to disclose a cybersecurity-related incident.
Significantly, Stephanie Avakian, deputy director of the SEC’s Division of Enforcement, said that companies found to be withholding information about data breaches could face civil and criminal enforcement actions. She added that while the agency would weigh the challenges created by the many variables associated with a data breach, the enforcement division will take action where it judges that companies violated their duties.
The large majority of the agency’s cases have fallen under the first two categories, and Avakian indicated a “significant disclosure failure” would be required to bring about charges. Nonetheless, she reiterated that firms must be aware of their responsibilities and involve law enforcement agencies like the FBI when it’s appropriate, rather than obscure any breach for fear of an investigation. Avakian’s comments underscored that the SEC isn’t simply scrutinizing a firm’s cybersecurity efforts ahead of a data breach; it will also be closely examining how a firm reacts once an incident has been uncovered.
The second event was the revelation in late March 2016 that the Manhattan U.S. Attorney’s Office and the FBI are investigating hackers who targeted several high-profile law firms – potentially with the intent of stealing confidential information for insider trading. It isn’t known what information, if any, was obtained during the breach, which occurred during the summer of 2015. This news followed several other high-profile data breaches at U.S. banks, retailers and health care organizations, which had prompted the FBI’s cyber division to issue an alert earlier in March that hackers are targeting law firms for purposes of insider trading.
The ongoing regulatory emphasis on cybersecurity should not come as a surprise, as the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) announced in September 2015 its second round of cybersecurity examinations would include additional testing of investment advisers and broker-dealers to assess the implementation of cybersecurity procedures and controls at their firms – potentially leading to increased enforcement actions in response to any weaknesses revealed. The SEC is also seeking to increase the number of RIA examiners by almost 20%, further evincing the ever-increasing scrutiny fund managers face. SEC Commissioner Luis Aguilar highlighted that the increasing expectations extend beyond the large investment advisers, in part, because the majority of targeted cyberattacks in 2014 were aimed at small and midsize businesses. Small companies and startups aren’t immune from cyberattacks or exempt from the responsibility to take measures to protect their clients.
Additionally, the SEC’s Enforcement Division announced in late April that it is bringing actions against firms that fail to protect client data pursuant to the Regulation S-P privacy rule. Andrew Ceresney, the director of the Enforcement Division, emphasized the SEC’s focus on cybersecurity, noting the number of recent cases brought by the division “relating to Reg S-P and failure to have policies and procedures relating to safeguarding information.” He warned that there would be others. To address the increasing focus on cybersecurity, the SEC is pushing to partner with an outside organization on adviser examinations and to increase use of data analytics to identify high-risk firms.
Separate from federal cybersecurity responsibilities, this is also an area ripe for state attorneys general. Most states have enacted data breach laws that impose varying degrees of risk management expectations or best practices. These laws frequently include notice requirements not only to individuals impacted by a breach but also to state attorneys general and/or other state agencies.
Amid the environment of heightened scrutiny that emerged in 2015, fund managers must be aware of the expectation that they will both be well informed of their responsibilities and ensure that they are in compliance. If that wasn’t already clear, the events so far in 2016 should remind all firms to regularly review the adequacy of their cybersecurity risk management controls and disclosure policies and practices, with an eye toward preventing, responding to and/or mitigating cyberattacks, including alerting clients to actual breaches and, where appropriate, disclosing potential cybersecurity risks.