Articles Tagged with Cybersecurity

Published on:

Threats go way beyond simple theft of client information — Can you fend off a big heist?

Recently, the government identified hedge funds as a “weak link in the U.S. financial system’s defense against hackers and terrorists.” The messenger was no less than John Carlin, head of the Justice Department’s National Security Division, speaking at this year’s annual SALT hedge fund conference in Las Vegas. Since then, there have been reports that some of the biggest names in asset management and banking were affected by cyber-attacks. It is, in fact, a Who’s Who of asset managers, banks, and brokers.

This February, the SEC’s summary of its cybersecurity sweep revealed that over three-quarters of the 100 brokers and advisers examined had been subject to cyber-attacks, directly or through third-party service providers, even though upward of 80% of broker and adviser firms have implemented cybersecurity policies. The SEC followed up with guidance in April, making it clear that it intends to conduct more exams of advisers. These exams will be “more substantial,” with longer onsite visits and sit-down meetings with senior management.

Yet for all the heartburn caused by these SEC examinations, they seem to be only scratching the surface when it comes to the types of cyber-threats confronting hedge funds.

The SEC notes that it is focusing on protecting “client assets” by reviewing security measures such as password storage and the vetting of third parties. Those kinds of questions and exam goals indicate that the SEC is mostly interested in protecting against the theft of client data and information. But those are by no means the only potentially damaging threats faced by investment advisers, nor are they the only ones that can affect investor assets.

As Carlin pointed out in his comments, hedge funds are a particularly desirable target for criminal cartels, foreign governments, and militaries around the world, basically anyone seeking profit, disruption in financial systems, or both. Hedge funds have valuable and vast assets, including their trading strategies and trades, as well as algorithms, in addition to those the SEC is worried about. Hedge funds are also easier to hack than banks, which have recently reinforced their cybersecurity defenses and, unlike most hedge funds, have teams available to handle the threats.

All hedge fund managers and investment advisers should therefore question how effective their cybersecurity controls are in light of the following real threats posed by cyber-criminals:

  • Hacking and stealing your strategy and algorithms: They will use your own and your employees’ handheld and portable devices, social media posts, and blogs for phishing and otherwise hacking your internal systems. They will use high-frequency trading algorithms to steal your proprietary trade information in order to front-run you or otherwise engage in manipulative trading. They will steal and use your algorithms to replicate your strategy.
  • Blackmail and extortion: They will hack and encrypt your data, and blackmail you for payment in return for your data. The Department of Justice is reportedly working with several hedge funds on just such cyber-extortion cases, as Carlin remarked.
  • Corrupting your data and crippling your trading process: They will use a form of malware that intentionally distorts or changes data, making information unreliable at best or useless at worst. Perhaps even worse, the corruption of proprietary algorithms used to make investment decisions could go unnoticed for some time. In that event, advisers and their clients face losses, regulatory action, and reputational damage following the (likely mandatory) disclosure of such an incident.
  • Wiping your data: Perhaps the most dreaded of all attacks. Hackers have repeatedly demonstrated their ability to literally wipe servers clean of data. Victims are left scrambling to reconstruct files either from scattered data backups or even paper records. This process is extremely laborious and time-consuming, and is not guaranteed in any way to completely restore records. In fact, this type of event is virtually guaranteed to put a broker-dealer or investment adviser out of business, as the reputational damage alone will likely be catastrophic.
  • Disrupting your operations: Too many companies take for granted the availability of their information technology systems. And, when those systems fail, managers tend to assume a technical fault that can be resolved quickly. As the cyber-attack on Sony Pictures proved, however, any company can be paralyzed by the deliberate introduction of malware, which also happened in 2013 to a large hedge fund. A well-crafted attack can render a company unable to do business for months at a time. Unfortunately, the tools and skills needed to conduct such an attack against you are readily available across the globe.

The key takeaway is this: just focusing on making sure hackers don’t break into accounts to steal investor information is not enough. There are many other ways hackers can wreak havoc, and the financial industry has to be prepared to respond to that wide variety of scenarios.

Stay tuned for our article on tips to prevent, detect and respond to cyber-attacks.

Ildiko Duckor is a partner and co-head of Pillsbury Winthrop Shaw Pittman LLP’s Investment Funds and Investment Management Practice. She specializes in hedge funds. She can be reached at ildiko.duckor@pillsburylaw.com or 415-983-1035.

Brian Finch (@BrianEFinch) is a partner in Pillsbury Winthrop Shaw Pittman LLP’s Government Law & Strategies Practice. He specializes in cybersecurity. He can be reached at brian.finch@pillsburylaw.com or 202-663-8062.

Published on:

The Division of Investment Management (the “Division”) of the Securities and Exchange Commission has issued cybersecurity guidance identifying the cybersecurity of registered investment companies (“funds”) and registered investment advisers (“advisers”) as an important issue. Recognizing the rapidly changing nature of cyber threats and, consequently, the need for funds and advisers to protect sensitive information, including information about fund investors and advisory clients, the Division suggests a number of measures that funds and advisers may wish to consider. To mitigate cybersecurity risk, the Division suggests that funds and advisers: 1) conduct a periodic assessment of their technology systems and security controls and processes to identify potential cybersecurity threats and vulnerabilities; 2) create a strategy designed to prevent, detect and respond to cybersecurity threats; and 3) implement the strategy through written policies and procedures, training of officers and employees, and investor and client education. In addition, the Division suggests that funds and advisers may wish to review their operations and compliance programs to determine whether they have measures in place that mitigate their exposure to cybersecurity risk, and to assess whether protective cybersecurity measures are in place at the service providers they rely on in carrying out their business operations.

A full version of the cybersecurity guidance is available HERE.

Please call an Investment Funds and Investment Management attorney with your inquiries regarding your firm’s cybersecurity risks and compliance procedures that address them.

Published on:

On February 3, 2015, the Securities and Exchange Commission (“SEC”) released two publications addressing cybersecurity at advisory and brokerage firms. The first publication, a Risk Alert, relays the findings from the examinations of more than 100 investment advisers and broker-dealers and focuses on how they: (i) establish cybersecurity policies and procedures and oversee those processes; (ii) identify cybersecurity risks; (iii) protect information and networks; (iv) identify and address the risks associated with funds transfer requests, remote access to client information and third-party vendors; and (v) detect unauthorized activity. The SEC’s Office of Investor Education and Advocacy released the second publication, which provides tips for investors to better safeguard their online investment accounts. Its recommendations include using a strong password and a two-step verification process.

The SEC’s recent examinations found that 93% of examined broker-dealers and 83% of examined investment advisers have adopted cybersecurity policies. However, whereas 89% of the broker-dealers periodically audit compliance with their policies, only 57% of investment advisers conduct periodic cybersecurity compliance audits. The SEC continues to place high importance on cybersecurity, and every broker-dealer and investment adviser should ensure it has adequate written policies and procedures in place and tests them periodically.

Published on:

Annual Compliance Obligations—What You Need To Know

As the new year is upon us, there are some important annual compliance obligations Investment Advisers either registered with the Securities and Exchange Commission (the “SEC”) or with a particular state (“Investment Adviser”) and Commodity Pool Operators (“CPOs”) or Commodity Trading Advisors (“CTAs”) registered with the Commodity Futures Trading Commission (the “CFTC”) should be aware of.

See upcoming deadlines below and in red throughout this document.

The following is a summary of the primary annual or periodic compliance-related obligations that may apply to Investment Advisers, CPOs and CTAs (collectively, “Managers”).  The summary is not intended to be a comprehensive review of an Investment Adviser’s securities, tax, partnership, corporate or other annual requirements, nor an exhaustive list of all of the obligations of an Investment Adviser under the Investment Advisers Act of 1940, as amended (the “Advisers Act”) or applicable state law.  Although many of the obligations set forth below apply only to SEC-registered Investment Advisers, state-registered Investment Advisers may be subject to similar and/or additional obligations depending on the state in which they are registered.  State-registered Investment Advisers should contact us for additional information regarding their specific obligations under state law.

List of annual compliance deadlines:

Filing or obligation | Deadline
State-registered advisers pay IARD fee | November–December 2014
Form 13F (for 12/31/14 quarter-end) | February 17, 2015*
Form 13H annual filing | February 17, 2015
Schedule 13G annual amendment | February 17, 2015
Registered CTA Form PR (for December 31, 2014 year-end) | February 17, 2015
TIC Form SLT (for December 2014) | January 23, 2015
TIC Form SHCA | March 6, 2015
TIC B Forms, monthly report (December 2014) | January 15, 2014
TIC B Forms, quarterly report (December 31, 2014) | January 20, 2014
Affirm CPO exemption | March 2, 2015
Registered Large CPO Form CPO-PQR, December 31 quarter-end report | March 2, 2015
Registered CPOs filing Form PF in lieu of Form CPO-PQR, December 31 quarter-end report | March 31, 2015
Registered Mid-Size and Small CPO Form CPO-PQR, year-end report | March 31, 2015
SEC-registered advisers and ERAs pay IARD fee | Before submission of Form ADV annual amendment, by March 31, 2015
Annual ADV update | March 31, 2015
Delivery of Brochure | April 30, 2015
Delivery of audited financial statements (for December 31, 2014 year-end) | April 30, 2015
California Finance Lender License annual report (for December 31, 2014 year-end) | March 15, 2015
Form PF filers pay IARD fee | Before submission of Form PF
Form PF for large liquidity fund advisers (for December 31, 2014 quarter-end) | January 15, 2015
Form PF for large hedge fund advisers (for December 31, 2014 quarter-end) | March 2, 2015
Form PF for smaller private fund advisers and large private equity fund advisers (for December 31, 2014 fiscal year-end) | April 30, 2015
FBAR Form FinCEN Report 114 (for persons meeting the filing threshold in 2014 and those persons whose filing due date was previously extended by Notices 2013-1, 2012-2, 2012-1, 2011-2 and 2011-1) | June 30, 2015
FATCA information reports filing for 2014 by participating FFIs | March 31, 2015
Form D annual amendment | One-year anniversary of the last amendment filing

* Reflects an extended due date under Exchange Act Rule 0-3. If the due date of a filing falls on a Saturday, Sunday or holiday, a report is considered timely filed if it is filed on the first business day following the due date.


Published on:

This article was originally published in The Wall Street Journal’s CIO Journal on September 11, 2014.

Today, as companies increasingly realize the value of strong cybersecurity, those CIOs who successfully implement an effective cybersecurity system should be viewed as a critical part of the revenue generation effort. An effective CIO who maintains a robust cyber risk management program will not only help ensure efficient operations, but will also play a role in crossing the cybersecurity thresholds established by customers that would otherwise serve as a barrier to entry.

The shift from regarding cybersecurity, and the people responsible for implementing it, as a “tax” to something that can further the business comes after some hard lessons. The value of intellectual property stolen by cyber espionage is measured today in billions of dollars. Meanwhile, operational disruptions caused by other malicious cyber events have crippled productivity and harmed relationships with customers.


Published on:

The relentless attention being paid to cyber-attacks is driving companies to increase cyber security budgets and purchases. In turn, this has led institutional investors and asset managers to see potentially massive returns associated with companies in the cyber security market. Indeed, a number of companies that have gone public have had phenomenal success, and the constantly morphing nature of cyber-attacks means that purchasing trends are not likely to slow down any time soon.

However, it is critical to keep in mind that just as cyber security capabilities can be a very attractive component in evaluating a potential investment, they can also lead to negative consequences. Ignorance of some key legal and policy considerations could lead to an improper assessment of the value and future earnings potential of technology investments. These considerations apply regardless of whether or not the technology or service has a core “security” component.

Below are some key issues to consider when making cyber security investment decisions:

  • Cyber security matters in every investment
    • It is a simple fact that every company faces cyber threats. Multiple studies have demonstrated that essentially every company has been or is currently subject to cyber-attack, and that most if not all have already been successfully penetrated at least once. This leads to a key consideration: every company’s cyber security posture should be considered when making investment decisions. For example, a company selling information technology that is less prone to cyber-attacks should be viewed as a better investment than competitors who pay little to no attention to how their products can be breached.
  • Cybercrime is cheap
    • The cost of conducting cyber-attacks is depressingly low: $2/hour to overload and shut down websites, $30 to test whether malware will penetrate standard anti-virus systems, and $5,000 for an attack using newly designed methods to exploit previously undiscovered flaws. Indeed, it is now so cheap to create malware that the majority of malicious programs are only used once, thereby defeating many existing cyber security systems, which are designed to recognize known threats. This all adds up to a cost/benefit analysis that is irresistible for cyber-attackers, and essentially guarantees that the pace and sophistication of attacks will not let up any time soon.
  • Cyber security should be in the company’s DNA
    • Whether a company is offering a service or a technology, a critical factor to consider is its approach to security. Companies that consider security a key functionality that needs to be integrated from the start of the design process are far more likely to go to market with an offering that has a higher degree of security. Security as an afterthought is just that: an afterthought. Weaving security into the DNA of a service or technology will be extremely helpful in decreasing security risks. Just remember, though, that no security program or process is flawless, and no one should expect perfection.
  • Is there a nation-state problem?
    • An R&D or manufacturing connection to countries known for conducting large-scale cyber espionage causes heartburn for companies and governments alike. Too many instances have occurred where buying items from companies owned by or operated in problem nation states has resulted in cyber-attacks. In some cases, Federal agencies are prohibited from buying IT systems from companies with connections to specific governments. Investors and managers need to stay abreast of problem countries, and also examine whether the product or service has a connection to such countries. Failure to do so can lead to investments in companies that have limited market potential.
  • Do your homework and forensic analyses
    • There’s nothing like buying a trade secret only to find out it really isn’t a secret. Before investing in any company, conduct due diligence to determine how good the company’s security is and whether IP or trade secret information has been compromised.
  • If the government cares, so should you
    • The Federal government is stepping up its requirements regarding cyber security in procurements. That means that all federal contractors (not just defense contractors) are going to have to improve their internal cyber security programs if they want to win government contracts. Failure to have a good cyber security program could lead to lost contracts, and thus decreased growth.
  • Words matter
    • Companies have been too lax in negotiating terms that explicitly set forth security expectations for IT products, as well as who will be liable should there be a breach or attack. Judicious reviews of terms and conditions can help avoid liability following a cyber-attack. For example, companies should not accept boilerplate language about following “industry standards” or “best practices” with respect to cyber security. Instead, specific obligations and benchmarks need to be agreed upon before signing any agreement. Further, agreements should be drafted to make clear that security measures are the obligation of the other party. That way the investor has set up a stronger argument for recovering losses as well as shifting liability away from itself.
  • Insurance isn’t everything
    • Investors may be tempted to think that if a company has a cyber-insurance policy, it is protected in the event of a cyber-attack. The reality is that there is an enormous chasm between buying coverage and having claims paid. Cyber policies are increasingly being written and interpreted to cover fewer types of attacks, so do not be tempted to think that cyber insurance can fully protect an investment.
  • SAFETY Act
    • Under the Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act), cyber security services, policies, and technology providers are all eligible to receive either a damages cap or immunity from liability claims. The SAFETY Act also protects cyber security buyers, as they cannot be sued for using SAFETY Act approved items. Possessing SAFETY Act protections should be considered a positive sign and indicative of potential earnings growth.

There is no doubt about it: cyber risks are here to stay. Addressing those risks should be a core component of any business or investment strategy, because even if “today’s problem” is solved, the introduction of new technologies will just mean a new threat vector for adversaries to exploit.

It is not all doom and gloom, however. Paying attention to cyber security trends and doing some simple due diligence will go far in minimizing digital risks. Make no mistake: defenses will always be incomplete and successful attacks will happen. However, with the right processes and approach, the bad outcomes can be minimized and investments will be protected.

Published on:

The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) previously announced that its 2014 Examination Priorities included a focus on technology, including cybersecurity preparedness. In connection with that statement of examination priority, OCIE recently issued a Risk Alert to provide additional information concerning its initiative to assess cybersecurity preparedness in the securities industry.

As part of this initiative, OCIE will conduct examinations of more than 50 registered broker-dealers and registered investment advisers focused on the following:

  • the entity’s cybersecurity governance,
  • identification and assessment of cybersecurity risks,
  • protection of networks and information,
  • risks associated with remote customer access and funds transfer requests,
  • risks associated with vendors and other third parties,
  • detection of unauthorized activity, and
  • experiences with certain cybersecurity threats.

OCIE has provided a sample form of request for information and documents that investment advisers and broker-dealers can expect to receive prior to this type of examination.

Although the SEC has stated that it believes the sample document request (see Appendix) should help to empower compliance professionals with questions and tools they can use to assess their firms’ level of preparedness, registrants should also expect the SEC to use the sample document as a basis for finding deficiencies to the extent the guidance is not followed.