Articles Tagged with Social Media

Published on:

The relentless attention being paid to cyber-attacks is driving companies to increase cyber security budgets and purchases. In turn, this has led institutional investors and asset managers to see potentially massive returns associated with companies in the cyber security market. Indeed a number of companies that have gone public have had phenomenal success, and the constantly morphing nature of cyber-attacks means that purchasing trends are not likely to slow down any time soon.

However, it is critical to keep in mind that just as cyber security capabilities can be a very attractive component in evaluating a potential investment; it also could lead to potentially negative consequences. Ignorance of some key legal and policy considerations could lead to an improper assessment of the value/future earnings potential of technology investments. These considerations are true regardless of whether or not the technology or service has a core “security” component.

Below are some key issues to consider when making cyber security investment decisions:

  • Cyber security matters in every investment
    • It is a simple fact that every company faces cyber threats. Multiple studies have  demonstrated that essentially every company has been or is currently subject to cyber-attack and that most if not all have already been successfully penetrated at least once. This leads to a key consideration: every company’s cyber security posture should be considered when making investment decisions. For example, a company selling information technology that is less prone to cyber-attacks should be viewed as a better investment than competitors who pay little to no attention to how their products can be breached.
  • Cybercrime is cheap
    • The cost of conducting cyber-attacks is depressingly cheap: $2/hour to overload and shutdown websites, $30 to test whether malware will penetrate standard anti-virus systems, and $5,000 for an attack using newly designed methods to exploit previously undiscovered flaws. Indeed it is now so cheap to create malware that the majority of malicious programs are only used once – thereby defeating many existing cyber security systems which are designed to recognize existing threats. This all adds up to a cost/benefit analysis that is irresistible for cyber-attackers, and essentially guarantees that the pace and sophistication of attacks will not let up any time soon.
  • Cyber security should be in the company’s DNA
    • Whether a company is offering a service or a technology, a critical factor to consider is its approach to security. Companies that consider security a key functionality that needs to be integrated from the start of the design process are far more likely to go to market with an offering that has higher degree of security. Security as an afterthought is just that – an afterthought. Weaving security into the DNA of a service or technology will be extremely helpful in decreasing security risks. Just remember though that no security program or process is flawless, and no one should expect perfection.
  • Is there a nation-state problem?
    • An R&D or manufacturing connection to countries known for conducting large-scale cyber espionage causes heartburn for companies and governments alike. Too many instances have occurred where buying items from companies owned by or operated in problem nation states have resulted in cyber-attacks. In some cases, Federal agencies are prohibited from buying IT systems from companies with connections to specific governments. Investors and managers need to stay abreast of problem countries, and also examine whether the product or service has a connection to such countries. Failure to do so can lead to investments in companies that have limited market potential.
  • Do your homework and forensic analyses
    • There’s nothing like buying a trade secret only to find out it really isn’t a secret. Before investing in any company, conduct due diligence to determine how good the security of the company is and whether IP or trade secret information has been compromised.
  • If the government cares, so should you
    • The Federal government is stepping up its requirements regarding cyber security in procurements. That means that all federal contractors (not just defense contractors) are going to have to increase their internal cyber security programs if they want to win government contracts. Failure to have a good cyber security program could lead to lost contracts, and thus decreased growth. 
  • Words matter
    • Companies have been too lax in negotiating terms that explicitly set forth security expectations for IT products as well as who will be liable should there be a breach/attack. Judicious reviews of terms and conditions can help avoid liability following a cyber-attack. For example, companies should not accept boilerplate language regarding the following of “industry standards” or “best practices” with respect to cyber security. Instead, specific obligations and benchmarks need to be agreed upon before signing any agreement. Further agreements should be drafted to that make clear that security measures are the obligation of the other party. That way the investor has set up a stronger argument for recovering losses as well as shifting liability away from itself.
  • Insurance isn’t everything
    • Companies may be tempted to think that if a company has a cyber-insurance policy, they are protected in the event of a cyber-attack. The reality is that there is an enormous chasm between buying coverage and having claims paid. Cyber policies are increasingly being written and interpreted to cover fewer types of attacks, and so do not be tempted to think that cyber insurance can fully protect an investment.
  • SAFETY Act
    • Under the Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act), cyber security services, policies, and technology providers are all eligible to receive either a damages cap or immunity from liability claims. The SAFETY Act also protects cyber security buyers, as they cannot be sued for using SAFETY Act approved items. Possessing SAFETY Act protections should be considered a positive sign and indicative of potential earnings growth.

There is no doubt about it; cyber risks are here to stay. Addressing those risks should be a core component of any business or investment strategy, because even if “today’s problem” is solved the introduction of new technologies will just mean a new threat vector for adversaries to exploit.

It is not all doom and gloom, however. Paying attention to cyber security trends and doing some simple due diligence will go far in minimizing digital risks. Make no mistake: defenses will always be incomplete and successful attacks will happen. However, with the right processes and approach, the bad outcomes can be minimized and investments will be protected.

Published on:

By

Written by:  Jessica M. Brown

The Securities and Exchange Commission charged a registered investment adviser and its principal for making false claims over social media regarding their inflated performance claims with respect to a mutual fund managed by the adviser. Through a Twitter account and a widely circulated newsletter, Mark A. Grimaldi and Navigator Money Management (NMM), made various false statements in order to solicit more business. Grimaldi will pay a $100,000 penalty and, along with NMM, agree to be censured, obtain an independent compliance consultant and cease and desist from committing future violations.

A full text of the SEC press release is available HERE and the SEC order is available HERE.

Published on:

Written by Jay Gould, Ildiko Duckor and Peter Chess

On January 4, 2012, the Securities and Exchange Commission (SEC) released a National Examination Risk Alert addressing investment adviser use of social media.  Investment advisers should have policies regarding the use of social media, and the SEC outlined specific factors that need to be addressed by these policies.  The SEC’s guidance could be particularly important given the “crowdfunding” legislation Congress is currently considering.

The January 4, 2012 National Examination Risk Alert (January Alert) states that investment advisers’ use of social media must comply with various provisions of the federal securities laws, including the antifraud provisions, the compliance provisions, and the recordkeeping provisions.  The January Alert stresses that particular attention with regard to the use of social media must be paid to third party content (if permitted) and the recordkeeping responsibilities. 

The January Alert provides staff observations of factors that an investment adviser may want to consider when evaluating a compliance policy for the use of social media.  These include, but are not limited to:

  • Usage Guidelines.  Investment advisers may provide guidance in their policies on the appropriate and inappropriate use of social media;
  • Monitoring.  Investment advisers may consider how to effectively monitor their social media sites or any use of third-party sites;
  • Content Standards.  May include clear guidelines and the prohibition of specific content or other content restrictions; and
  • Information Security.  Investment advisers may consider any information security risks posed by access to social media sites.  These could include dangers from hacking and other breaches of information security. 

Additionally, investment advisers that allow for third-party posting on their social media sites should consider having policies and procedures in place to address this.  Reasonable safeguards should be in place to avoid any violation of the federal securities laws.  Potential violations could result from the appearance of testimonials on a firm’s social media.  For example, the SEC staff believes that the use of social plug-ins such as the “like” button could be considered a testimonial under the Investment Advisers Act of 1940.

Finally, the January Alert notes that investment advisers should consider reviewing their document retention policies so that the retaining of any required records generated by social media use complies with the federal securities laws.  This review could include addressing factors such as: determining what types of social media use create a required record; maintaining applicable communications in electronic or paper format; creating training programs to educate advisory personnel about recordkeeping; and, using third parties in order to keep proper records.

The Financial Industry Regulatory Authority (FINRA) has echoed the January Alert in recent releases, such as Regulatory Notice 11-39 from August 2011.  This Notice provided guidance on social media websites for broker-dealers, and addressed recordkeeping and third-party sites, among other topics.  This Notice supplemented an earlier FINRA notice from January 2010 that provided guidance with regard to blogs and social networking websites. 

The SEC has also recently increased its focus on internet-related enforcement actions.  On January 4, 2012, the SEC charged an Illinois-based adviser with perpetrating a social media scam.  The alleged scam involved offering fictitious securities that were promoted by using LinkedIn.  This follows multiple enforcement actions from February 2011 for internet-related schemes, including boiler rooms and spam-email touted pump and dumps.

Crowdfunding

Crowdfunding is a method of capital formation where groups of people pool money, typically by use of very small individual contributions, in order to support the organizers that seek to accomplish a specific goal.

Congress has also been active in the realm of internet-related securities issues with its involvement in crowdfunding.  The House of Representative passed the Entrepreneur Access to Capital Act (H.R. 2930) on November 3, 2011.  H.R. 2930 provides for registration exemptions for certain crowdfunded securities if the aggregate amount raised through the issuance is $1 million or less each year and each individual who invests in the securities does not invest, in any year, more than the lesser of $10,000 or 10 percent of the investor’s annual income.  Businesses could raise up to $2 million each year under the exemption if investors were provided with certain financial information.

The Senate currently is considering its own version of a crowdfunding bill, the Democratizing Access to Capital Act of 2011 (S. 1791).  S. 1791 provides for registration exemptions for certain crowdfunded securities if the aggregate amount raised through the issuance is $1 million or less each year and each individual who invests in the security does not invest more than $1,000.  The Senate Committee on Banking, Housing and Urban Affairs held hearings on December 1 and 14, 2011, regarding this legislation, but a vote on the bill has not yet occurred.

Reaction to the crowdfunding legislation has been mixed.  Supporters, such as Tim Johnson, the Chairman of the Senate Committee on Banking, Housing and Urban Affairs, feel that the legislation will provide easier access to capital for smaller businesses and startups, which will grow business and create new jobs.  Detractors, such as Professor John C. Coffee, Jr., in his testimony before the Committee, argue that S. 1791 could well be titled “The Boiler Room Legalization Act of 2011.”

The crowdfunding legislation and its developments promise to bring more scrutiny to the interplay of the federal securities laws and the internet.  Investment advisers, and other financial firms, should examine and ensure related policies and procedures are up to par.