Articles Tagged with Cybersecurity

Published on:

We urge our clients to consult Pillsbury’s comprehensive COVID-19 Resource Center for information regarding Responding to a Global Crisis, Business Interruption, Cybersecurity, Employer Concerns and other general matters related to the COVID-19 pandemic. We also recommend the following specific measures to mitigate risks of business interruption and regulatory noncompliance resulting from the COVID-19 pandemic.

Registered Investment Advisers

Business Continuity Plans (BCPs) and Vendor Management. As part of its fiduciary duty to clients, a registered investment adviser is required to adopt and implement BCPs to reduce risks that could result in business interruption. Accordingly, in anticipation of the potential spread of COVID-19, many investment advisers have activated portions of their business continuity and crisis management plans, including, for example, through teleworking. As part of implementing BCPs, investment advisers should review third-party vendor contracts and outsourcing relationships in order to be prepared for disruptions that may affect them through back doors. Cloud-based services and other technology also should be reviewed and tested in light of increased demand for access arising out of teleworking. Communications with brokers and custodians should be reviewed to minimize the risk of communication and reporting failures that could harm clients.

Filing Extensions for Investment Adviser Regulatory Reporting. The SEC issued emergency orders on March 13, 2020, providing temporary relief to investment advisers and investment companies from certain filing, disclosure delivery and governance requirements (e.g., Form ADV, 13G, CPO-PQR). Each form of relief was conditioned on actual coronavirus-related hardships and requires notice to the SEC’s Division of Investment Management of reliance on such relief and the reasons for reliance. The SEC issued modified conditional orders on March 25, 2020 that provide investment advisers and certain investment funds additional time with respect to meeting certain filing and delivery requirements and holding in-person board meetings, if they are unable to meet the deadlines due to circumstances related to current or potential effects of COVID-19.  The new orders supersede the SEC’s original emergency orders issued on March 13, 2020, and extend the time period covered by the temporary exemptive relief until June 30, 2020.

An adviser’s applicable filing and delivery obligations under the relief must be satisfied no later than 45 days after the original due date for filing or delivery (as was provided in the original exemptive order); however, the new order generally makes the temporary exemptive relief available for filing and delivery obligations that would have been due between March 13, 2020 and June 30, 2020 (unless further extended).


Pillsbury’s Investment Funds and Investment Management team is available to assist with compliance and risk management related to COVID-19.  Please contact your client relationship attorney for additional information regarding your obligations.

Published on:

SEC Risk Alert regarding safety of customer records and cloud vendor diligence.

As part of its cybersecurity sweep, the SEC has examined risks related to the storage of customer records and information by investment advisers on cloud-based storage platforms and issued a Risk Alert, “Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features.” The sweep focused on vendor due diligence and oversight and registered advisers’ monitoring of data and customer information safety. Among other information, OCIE sought vendor contracts (including service level agreements); vendor reviews; risk assessments of cloud service providers, including data encryption, data loss prevention, books & records exposure, identity and access management; and policies and procedures and their alignment to technology standards.

The Risk Alert identified the following as the main compliance issues related to cloud-based storage: (i) misconfigured network storage solutions (inadequately configured security settings to protect against unauthorized access; lack of policies and procedures addressing the security configuration); (ii) inadequate oversight of vendor-provided network storage solutions (lack of, or inadequate, policies, procedures, or contractual provisions to ensure that security settings on vendor-provided network storage solutions were configured in accordance with the firm’s standards); and (iii) insufficient data classification policies and procedures (firms’ policies and procedures did not identify the different types of data stored electronically by the firm and the appropriate controls for each type of data).

The Risk Alert encourages investment advisers to review their practices, policies, and procedures with respect to the electronic storage of customer information and to consider any necessary improvements, and to actively oversee vendors.  The SEC included helpful recommendations for cyber/cloud risk management, including the implementation of policies and procedures designed to support the initial installation, on-going maintenance, and regular review of the network storage solution; guidelines for security controls and baseline security configuration standards to ensure that each network solution is configured properly; and vendor management policies and procedures that include, among other things, regular implementation of software patches and hardware updates followed by reviews to ensure that those patches and updates did not unintentionally change, weaken, or otherwise modify the security configuration.

Please contact your counsel at Pillsbury’s Investment Funds Group if you need help with reviewing and enhancing your cloud storage and related policies.

Published on:


In a press release issued by the Securities and Exchange Commission on December 20, 2018, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced its 2019 Examination Priorities.

This year’s examination priorities, although not exhaustive, are divided into 6 categories:

  1. Compliance and risk at registrants responsible for critical market infrastructure;
  2. Matters of importance to retail investors, including seniors and those saving for retirement;
  3. FINRA and MSRB;
  4. Digital assets;
  5. Cybersecurity; and
  6. Anti-money laundering programs.

Read the OCIE 2019 Examination Priorities in full HERE.

Published on:


Covered businesses will need to update policies and procedures for responding to customer inquiries about collection, use, sale and disclosure of customers’ personal information or face stiff enforcement actions.

Takeaways

  • The California Consumer Privacy Act of 2018 provides consumers with broad rights to control use of their personal information by covered businesses.
  • Covered businesses will need to review and revise their existing privacy policies to make the required disclosures and to provide two methods for customers to inquire about use of their personal information.


Read this article and additional Pillsbury publications at Pillsbury Insights.

Published on:


This alert contains a summary of the primary annual and periodic compliance-related obligations that may apply to investment advisers registered with the Securities and Exchange Commission (the “SEC”) or with a particular state (“Investment Advisers”), and commodity pool operators (“CPOs”) and commodity trading advisors (“CTAs”) registered with the Commodity Futures Trading Commission (the “CFTC”) (collectively with Investment Advisers, “Managers”).[1]  Due to the length of this Alert, we have linked the topics to the Table of Contents and other subtitles for easy click-access.

This summary consists of the following segments: (i) List of Annual Compliance Deadlines; (ii) New Developments; (iii) 2018 National Exam Program Examination Priorities; (iv) Continuing Compliance Areas; and (v) Securities and Other Forms Filings.


Read this article and additional Pillsbury publications at Pillsbury Insights.

Published on:


The following are some of the important annual compliance obligations investment advisers either registered with the Securities and Exchange Commission (the “SEC”) or with a particular state (“Investment Adviser”) and commodity pool operators (“CPOs”) or commodity trading advisors (“CTAs”) registered with the Commodity Futures Trading Commission (the “CFTC”) should be aware of.

This summary consists of the following segments: (i) List of Annual Compliance Deadlines; (ii) 2017 Enforcement Priorities In The Alternative Space; (iii) New Developments; and (iv) Continuing Compliance Areas.


Published on:


The ERISA Advisory Council recently announced that, as part of its goals for 2016, it will be focusing on cybersecurity issues affecting retirement plans and, in particular, the extent to which such issues relate to third-party administrators and vendors (TPAs) of retirement plans. By shining the spotlight on the role of TPAs in combatting cyber-related threats to retirement plans, this announcement demonstrates that retirement plan sponsors would be well-served to proactively assess the cyber risk profiles of their retirement plans. Specifically, retirement plan sponsors should focus on developing and implementing a comprehensive and effective risk management strategy that includes, among other actions, the implementation and periodic review of contractual protections in arrangements with their plans’ TPAs.

This advisory is the second in a series of advisories dedicated to understanding cybersecurity issues.


Read this article and additional publications at pillsburylaw.com/publications-and-presentations.  You can also download a copy of the Client Alert here.

Published on:

At the end of this month, the annual updating amendments for investment advisers’ Form ADV will be due. The following are some of the important annual compliance obligations investment advisers either registered with the Securities and Exchange Commission (the “SEC”) or with a particular state (“Investment Adviser”) and commodity pool operators (“CPOs”) or commodity trading advisors (“CTAs”) registered with the Commodity Futures Trading Commission (the “CFTC”) should be aware of.

This summary consists of the following segments: (i) List of Annual Compliance Deadlines; (ii) 2016 Enforcement Priorities In The Alternative Space; (iii) New Developments; and (iv) Continuing Compliance Areas.

See the deadlines below and in red


Published on:


Investment managers, particularly high priority cybercrime targets, such as hedge funds and quantitative strategy managers, are encouraged to consider the government-industry information sharing option and liability protection afforded by the new legislation.  For more information, please contact the Investment Fund and Investment Management group.

On Tuesday, October 27, the U.S. Senate approved legislation, strongly supported by business groups, that would facilitate information sharing between government and industry and provide liability protection to companies that participate. The Cybersecurity Information Sharing Act of 2015 (CISA) passed the Senate by a bipartisan vote of 74-21, setting the stage for a House-Senate conference committee that will work to resolve differences between CISA and similar legislation passed by the House in April and to prepare a final bill to be considered by both chambers of Congress for potential enactment into law.


Read this article and additional publications at pillsburylaw.com/publications-and-presentations.  You can also download a copy of the Client Alert.

Published on:


Brian Finch, a partner in Pillsbury’s Public Policy Practice, will be speaking on cybersecurity at a 100WHF event in San Francisco on October 13, 2015.  The event is titled Under Attack: Cyberdefense in the Network Age. Mr. Finch is recognized as a leading legal authority on matters related to cyber security.  He co-authored an article on Cybercrimes affecting hedge funds, posted in our blog.