Articles Tagged with Cybersecurity

Published on:


The following are some of the important annual compliance obligations investment advisers either registered with the Securities and Exchange Commission (the “SEC”) or with a particular state (“Investment Adviser”) and commodity pool operators (“CPOs”) or commodity trading advisors (“CTAs”) registered with the Commodity Futures Trading Commission (the “CFTC”) should be aware of.

This summary consists of the following segments: (i) List of Annual Compliance Deadlines; (ii) 2017 Enforcement Priorities In The Alternative Space; (iii) New Developments; and (iv) Continuing Compliance Areas.

Table of Contents


Table of Annual Compliance Deadlines

2017 Enforcement Priorities In The Alternative Space

New Developments



Published on:


The ERISA Advisory Council recently announced that, as part of its goals for 2016, it will be focusing on cybersecurity issues affecting retirement plans and, in particular, the extent to which such issues relate to third-party administrators and vendors (TPAs) of retirement plans. By shining the spotlight on the role of TPAs in combatting cyber-related threats to retirement plans, this announcement
demonstrates that retirement plan sponsors would be well-served to proactively assess the cyber risk profiles of their retirement plans. Specifically, retirement plan sponsors should focus on developing and implementing a comprehensive and effective risk management strategy that includes, among other actions, the implementation and periodic review of contractual protections in arrangements
with their plans’ TPAs.

This advisory is the second in a series of advisories dedicated to understanding cybersecurity issues.


Read this article and additional publications at  You can also download a copy of the Client Alert here.

Published on:

At the end of this month, the annual updating amendments for investment advisers’ Form ADV will be due. The following are some of the important annual compliance obligations investment advisers either registered with the Securities and Exchange Commission (the “SEC”) or with a particular state (“Investment Adviser”) and commodity pool operators (“CPOs”) or commodity trading advisors (“CTAs”) registered with the Commodity Futures Trading Commission (the “CFTC”) should be aware of.

This summary consists of the following segments: (i) List of Annual Compliance Deadlines; (ii) 2016 Enforcement Priorities In The Alternative Space; (iii) New Developments; and (iv) Continuing Compliance Areas.

See the deadlines below and in red.



Published on:


Investment managers, particularly high priority cybercrime targets, such as hedge funds and quantitative strategy managers, are encouraged to consider the government-industry information sharing option and liability protection afforded by the new legislation.  For more information, please contact the Investment Fund and Investment Management group.

On Tuesday, October 27, the U.S. Senate approved legislation, strongly supported by business groups, that would facilitate information sharing between government and industry and provide liability protection to companies that participate. The Cybersecurity Information Sharing Act of 2015 (CISA) passed the Senate by a bipartisan vote of 74-21, setting the stage for a House-Senate conference committee that will work to resolve differences between CISA and similar legislation passed by the House in April and to prepare a final bill to be considered by both chambers of Congress for potential enactment into law.


Read this article and additional publications at  You can also download a copy of the Client Alert.

Published on:


Brian Finch, a partner in Pillsbury’s Public Policy Practice, will be speaking on cybersecurity at a 100WHF event in San Francisco on October 13, 2015.  The event is titled Under Attack: Cyberdefense in the Network Age. Mr. Finch is recognized as a leading legal authority on matters related to cybersecurity.  He co-authored an article on cybercrimes affecting hedge funds, posted on our blog.

Published on:

Threats go way beyond simple theft of client information — Can you fend off a big heist?

Recently, the government identified hedge funds as a “weak link in the U.S. financial system’s defense against hackers and terrorists.” The messenger was no less than John Carlin, head of the Justice Department’s National Security Division, speaking at this year’s annual SALT hedge fund conference in Las Vegas. Since then, there have been reports that some of the biggest names in asset management and banking were affected by cyber-attacks. It is, in fact, a Who’s Who of asset managers, banks, and brokers.

This February, the SEC’s summary of its cybersecurity sweep revealed that over three-quarters of the 100 brokers and advisers examined had been subject to cyber-attacks, directly or through third-party service providers, even though upward of 80% of broker and adviser firms had implemented cybersecurity policies. The SEC followed up with guidance in April, making it clear that it intends to conduct more exams of advisers. These exams will be “more substantial,” with longer onsite visits and sit-down meetings with senior management.

Yet for all the heartburn caused by these SEC examinations, they seem to be only scratching the surface when it comes to the types of cyber-threats confronting hedge funds.

The SEC notes that it is focusing on protecting “client assets” by reviewing security measures such as password storage and the vetting of third parties. Those kinds of questions and exam goals indicate that the SEC is mostly interested in protecting against the theft of client data and information. But those are by no means the only potentially damaging threats faced by investment advisers nor are they the only ones that can impact investor assets.

As Carlin pointed out in his comments, hedge funds are a particularly desirable target for criminal cartels, foreign governments, and militaries around the world, basically anyone seeking profit, disruption in financial systems, or both. Hedge funds have valuable and vast assets, including their trading strategies and trades, as well as algorithms, in addition to those the SEC is worried about. Hedge funds are also easier to hack than banks, which have recently reinforced their cybersecurity defenses and, unlike most hedge funds, have teams available to handle the threats.

All hedge fund managers and investment advisers should therefore question how effective their cybersecurity controls are in light of the following real threats posed by cyber-criminals:

  • Hacking and stealing your strategy and algorithms: They will use your own and your employees’ handheld and portable devices, social media posts, and blogs, for phishing and otherwise hacking your internal systems. They will use high-frequency trading algorithms to steal your proprietary trade information in order to front-run you or otherwise engage in manipulative trading. They will steal and use your algorithms to replicate your strategy.
  • Blackmailing and extortion: They will hack and encrypt your data, and blackmail you for payment in return for your data. The Department of Justice is reportedly working with several hedge funds on just such cyber-extortion cases, as Carlin remarked.
  • Corrupting your data and crippling your trading process: They will use a form of malware that will intentionally distort or change data, making information unreliable at best or useless at worst. Perhaps even worse, the corruption of proprietary algorithms used to make investment decisions could go unnoticed for some time. In that event, advisers and their clients face losses, regulatory action, and reputational damage following the disclosure (likely mandatory) of such an incident.
  • Wiping your data: Perhaps the most dreaded of all attacks: hackers have repeatedly demonstrated their ability to literally wipe servers clean of data. Victims are left scrambling to reconstruct files either from scattered data backups or even paper records. This process is extremely laborious and time-consuming, and is not guaranteed in any way to completely restore records. In fact, this type of event is virtually guaranteed to put a broker/dealer or investment adviser out of business, as the reputational damage alone will likely be catastrophic.
  • Disrupting your operations: Too many companies take for granted the availability of their information technology systems. And, when those systems fail, managers tend to assume a technical fault that can be resolved quickly. As the cyber-attack on Sony Pictures proved, however, any company can be paralyzed by the deliberate introduction of malware, which also happened in 2013 to a large hedge fund. A well-crafted attack can render a company unable to do business for months at a time. Unfortunately, the tools and skills needed to conduct such an attack against you are readily available across the globe.

The key takeaway is this: just focusing on making sure hackers don’t break into accounts to steal investor information is not enough. There are many other ways hackers can wreak havoc, and the financial industry has to be prepared to respond to that wide variety of scenarios.

Stay tuned for our article on tips to prevent, detect and respond to cyber-attacks.

Ildiko Duckor is a partner and co-head of Pillsbury Winthrop Shaw Pittman LLP’s Investment Funds and Investment Management Practice. She specializes in hedge funds. She can be reached at or 415-983-1035.

Brian Finch (@BrianEFinch) is a partner in Pillsbury Winthrop Shaw Pittman LLP’s Public Policy Practice. He specializes in cybersecurity. He can be reached at or 202-663-8062.

Published on:

The Division of Investment Management (the “Division”) of the Securities and Exchange Commission issued cybersecurity guidance identifying the cybersecurity of registered investment companies (“funds”) and registered investment advisers (“advisers”) as an important issue. Recognizing the rapidly changing nature of cyber threats and, consequently, the need for funds and advisers to protect sensitive information, including information about fund investors and advisory clients, the Division suggests a number of measures that funds and advisers may wish to consider in addressing the issue. To mitigate cybersecurity risk, the Division suggests that funds and advisers: 1) conduct a periodic assessment of their technology systems and security controls and processes to identify potential cybersecurity threats and vulnerabilities; 2) create a strategy designed to prevent, detect and respond to cybersecurity threats; and 3) implement the strategy through written policies and procedures, training of officers and employees, and investor and client education. In addition, the Division suggests that funds and advisers may wish to review their operations and compliance programs to determine whether they have measures in place that mitigate their exposure to cybersecurity risk, and to assess whether protective cybersecurity measures are in place at the service providers they rely on to carry out their business operations.

A full version of the cybersecurity guidance is available HERE.

Please call an Investment Funds and Investment Management attorney with your inquiries regarding your firm’s cybersecurity risks and compliance procedures that address them.

Published on:


On February 3, 2015, the Securities and Exchange Commission (“SEC”) released two publications addressing cybersecurity at advisory and brokerage firms. The first publication, a Risk Alert, relays the findings from the examinations of more than 100 investment advisers and broker-dealers and focuses on how they: (i) establish cybersecurity policies and procedures and oversee those processes; (ii) identify cybersecurity risks; (iii) protect information and networks; (iv) identify and address the risks associated with funds transfer requests, remote access to client information and third-party vendors; and (v) detect unauthorized activity.  The SEC’s Office of Investor Education and Advocacy released the second publication, which provides tips for investors to better safeguard their online investment accounts. Its recommendations include using a strong password and a two-step verification process.

The SEC’s recent examinations found that 93% of examined broker-dealers and 83% of examined investment advisers have adopted cybersecurity policies; however, whereas 89% of the broker-dealers periodically audit compliance with those policies, only 57% of investment advisers conduct periodic cybersecurity compliance audits.  The SEC continues to place high importance on cybersecurity, and every broker-dealer and investment adviser should ensure that it has adequate written policies and procedures in place and tests them periodically.

Published on:

Annual Compliance Obligations—What You Need To Know

As the new year is upon us, there are some important annual compliance obligations Investment Advisers either registered with the Securities and Exchange Commission (the “SEC”) or with a particular state (“Investment Adviser”) and Commodity Pool Operators (“CPOs”) or Commodity Trading Advisors (“CTAs”) registered with the Commodity Futures Trading Commission (the “CFTC”) should be aware of.

See upcoming deadlines below and in red throughout this document.

The following is a summary of the primary annual or periodic compliance-related obligations that may apply to Investment Advisers, CPOs and CTAs (collectively, “Managers”).  The summary is not intended to be a comprehensive review of an Investment Adviser’s securities, tax, partnership, corporate or other annual requirements, nor an exhaustive list of all of the obligations of an Investment Adviser under the Investment Advisers Act of 1940, as amended (the “Advisers Act”) or applicable state law.  Although many of the obligations set forth below apply only to SEC-registered Investment Advisers, state-registered Investment Advisers may be subject to similar and/or additional obligations depending on the state in which they are registered.  State-registered Investment Advisers should contact us for additional information regarding their specific obligations under state law.

List of annual compliance deadlines (obligation, followed by its deadline):

State registered advisers pay IARD fee: November-December (of 2014)
Form 13F (for 12/31/14 quarter-end): February 17, 2015*
Form 13H annual filing: February 17, 2015
Schedule 13G annual amendment: February 17, 2015
Registered CTA Form PR (for December 31, 2014 year-end): February 17, 2015
TIC Form SLT: January 23, 2015 (for December 2014)
TIC Form SHCA: March 6, 2015
TIC B Forms: Monthly report (December 2014) by January 15, 2014; Quarterly report (December 31, 2014) by January 20, 2014
Affirm CPO exemption: March 2, 2015
Registered Large CPO Form CPO-PQR December 31 quarter-end report: March 2, 2015
Registered CPOs filing Form PF in lieu of Form CPO-PQR December 31 quarter-end report: March 31, 2015
Registered Mid-Size and Small CPO Form CPO-PQR year-end report: March 31, 2015
SEC registered advisers and ERAs pay IARD fee: Before submission of Form ADV annual amendment by March 31, 2015
Annual ADV update: March 31, 2015
Delivery of Brochure: April 30, 2015
Delivery of audited financial statements (for December 31, 2014 year-end): April 30, 2015
California Finance Lender License annual report (for December 31, 2014 year-end): March 15, 2015
Form PF filers pay IARD fee: Before submission of Form PF
Form PF for large liquidity fund advisers (for December 31, 2014 quarter end): January 15, 2015
Form PF for large hedge fund advisers (for December 31, 2014 quarter end): March 2, 2015
Form PF for smaller private fund advisers and large private equity fund advisers (for December 31, 2014 fiscal year-end): April 30, 2015
FBAR Form FinCEN Report 114 (for persons meeting the filing threshold in 2014 and those persons whose filing due date for reporting was previously extended by Notices 2013-1, 2012-2, 2012-1, 2011-2 and 2011-1): June 30, 2015
FATCA information reports filing for 2014 by participating FFIs: March 31, 2015
Form D annual amendment: One year anniversary from last amendment filing.

* Reflects an extended due date under Exchange Act Rule 0-3.  If the due date of filing falls on a Saturday, Sunday or holiday, a report is considered timely filed if it is filed on the first business day following the due date.


Published on:

This article was originally published in The Wall Street Journal’s CIO Journal on September 11, 2014.

Today, as companies increasingly realize the value of strong cybersecurity, those CIOs who successfully implement an effective cybersecurity system should be viewed as a critical part of the revenue generation effort. An effective CIO who maintains a robust cyber risk management program will not only help ensure efficient operations, but will also play a role in crossing cybersecurity thresholds established by customers that would otherwise serve as a barrier to entry.

The shift from regarding cybersecurity–and the people responsible for implementing it–as a “tax,” to something that can further the business comes after some hard lessons. The value of intellectual property stolen by cyber espionage is measured today in billions of dollars. Meanwhile, operational disruptions caused by other malicious cyber events have managed to cripple productivity and harm relationships with customers.


Read this article and additional publications at