Articles Tagged with Cybersecurity


On February 3, 2015, the Securities and Exchange Commission (“SEC”) released two publications addressing cybersecurity at advisory and brokerage firms. The first, a Risk Alert, relays the findings from examinations of more than 100 investment advisers and broker-dealers and focuses on how those firms: (i) establish cybersecurity policies and procedures and oversee the related processes; (ii) identify cybersecurity risks; (iii) protect information and networks; (iv) identify and address the risks associated with funds transfer requests, remote access to client information and third-party vendors; and (v) detect unauthorized activity. The second publication, released by the SEC’s Office of Investor Education and Advocacy, provides tips for investors to better safeguard their online investment accounts; its recommendations include using a strong password and enabling two-step verification.

The SEC’s recent examinations found that 93% of examined broker-dealers and 83% of examined investment advisers have adopted cybersecurity policies. However, whereas 89% of the broker-dealers periodically audit compliance with those policies, only 57% of investment advisers conduct periodic cybersecurity compliance audits. The SEC continues to place high importance on cybersecurity, and every broker-dealer and investment adviser should ensure that it has adequate written policies and procedures in place and tests them periodically.


Annual Compliance Obligations—What You Need To Know

As the new year is upon us, Investment Advisers registered with the Securities and Exchange Commission (the “SEC”) or with a particular state (“Investment Adviser”), and Commodity Pool Operators (“CPOs”) and Commodity Trading Advisors (“CTAs”) registered with the Commodity Futures Trading Commission (the “CFTC”), should be aware of several important annual compliance obligations.

See the list of upcoming deadlines below.

The following is a summary of the primary annual or periodic compliance-related obligations that may apply to Investment Advisers, CPOs and CTAs (collectively, “Managers”).  The summary is not intended to be a comprehensive review of an Investment Adviser’s securities, tax, partnership, corporate or other annual requirements, nor an exhaustive list of all of the obligations of an Investment Adviser under the Investment Advisers Act of 1940, as amended (the “Advisers Act”) or applicable state law.  Although many of the obligations set forth below apply only to SEC-registered Investment Advisers, state-registered Investment Advisers may be subject to similar and/or additional obligations depending on the state in which they are registered.  State-registered Investment Advisers should contact us for additional information regarding their specific obligations under state law.

List of annual compliance deadlines:

  • State-registered advisers pay IARD fee: November–December 2014
  • Form 13F (for 12/31/14 quarter-end): February 17, 2015*
  • Form 13H annual filing: February 17, 2015
  • Schedule 13G annual amendment: February 17, 2015
  • Registered CTA Form PR (for December 31, 2014 year-end): February 17, 2015
  • TIC Form SLT (for December 2014): January 23, 2015
  • TIC Form SHCA: March 6, 2015
  • TIC B Forms: monthly report (December 2014) by January 15, 2015; quarterly report (December 31, 2014) by January 20, 2015
  • Affirm CPO exemption: March 2, 2015
  • Registered Large CPO Form CPO-PQR, December 31 quarter-end report: March 2, 2015
  • Registered CPOs filing Form PF in lieu of Form CPO-PQR, December 31 quarter-end report: March 31, 2015
  • Registered Mid-Size and Small CPO Form CPO-PQR, year-end report: March 31, 2015
  • SEC-registered advisers and ERAs pay IARD fee: before submission of the Form ADV annual amendment, by March 31, 2015
  • Annual ADV update: March 31, 2015
  • Delivery of Brochure: April 30, 2015
  • Delivery of audited financial statements (for December 31, 2014 year-end): April 30, 2015
  • California Finance Lender License annual report (for December 31, 2014 year-end): March 15, 2015
  • Form PF filers pay IARD fee: before submission of Form PF
  • Form PF for large liquidity fund advisers (for December 31, 2014 quarter-end): January 15, 2015
  • Form PF for large hedge fund advisers (for December 31, 2014 quarter-end): March 2, 2015
  • Form PF for smaller private fund advisers and large private equity fund advisers (for December 31, 2014 fiscal year-end): April 30, 2015
  • FBAR Form FinCEN Report 114 (for persons meeting the filing threshold in 2014 and those persons whose filing due date was previously extended by Notices 2013-1, 2012-2, 2012-1, 2011-2 and 2011-1): June 30, 2015
  • FATCA information reports for 2014 filed by participating FFIs: March 31, 2015
  • Form D annual amendment: one-year anniversary of the last amendment filing

* Reflects an extended due date under Exchange Act Rule 0-3.  If the due date of filing falls on a Saturday, Sunday or holiday, a report is considered timely filed if it is filed on the first business day following the due date.



This article was originally published in The Wall Street Journal‘s CIO Journal on September 11, 2014.

Today, as companies increasingly realize the value of strong cybersecurity, CIOs who successfully implement an effective cybersecurity program should be viewed as a critical part of the revenue generation effort. An effective CIO who maintains a robust cyber risk management program will not only help ensure efficient operations, but will also help the company cross the cybersecurity thresholds established by customers that would otherwise serve as a barrier to entry.

The shift from regarding cybersecurity–and the people responsible for implementing it–as a “tax,” to something that can further the business comes after some hard lessons. The value of intellectual property stolen by cyber espionage is measured today in billions of dollars. Meanwhile, operational disruptions caused by other malicious cyber events have managed to cripple productivity and harm relationships with customers.


Read this article and additional publications at pillsburylaw.com/publications-and-presentations.


The relentless attention being paid to cyber-attacks is driving companies to increase cyber security budgets and purchases. In turn, this has led institutional investors and asset managers to see potentially massive returns associated with companies in the cyber security market. Indeed, a number of companies that have gone public have had phenomenal success, and the constantly morphing nature of cyber-attacks means that purchasing trends are not likely to slow down any time soon.

However, it is critical to keep in mind that just as cyber security capabilities can be a very attractive component in evaluating a potential investment, they can also lead to negative consequences. Ignorance of some key legal and policy considerations could lead to an improper assessment of the value or future earnings potential of technology investments. These considerations apply regardless of whether the technology or service has a core “security” component.

Below are some key issues to consider when making cyber security investment decisions:

  • Cyber security matters in every investment
    • It is a simple fact that every company faces cyber threats. Multiple studies have demonstrated that essentially every company has been or is currently subject to cyber-attack, and that most if not all have already been successfully penetrated at least once. This leads to a key consideration: every company’s cyber security posture should be considered when making investment decisions. For example, a company selling information technology that is less prone to cyber-attacks should be viewed as a better investment than competitors who pay little or no attention to how their products can be breached.
  • Cybercrime is cheap
    • The cost of conducting cyber-attacks is depressingly cheap: $2/hour to overload and shutdown websites, $30 to test whether malware will penetrate standard anti-virus systems, and $5,000 for an attack using newly designed methods to exploit previously undiscovered flaws. Indeed it is now so cheap to create malware that the majority of malicious programs are only used once – thereby defeating many existing cyber security systems which are designed to recognize existing threats. This all adds up to a cost/benefit analysis that is irresistible for cyber-attackers, and essentially guarantees that the pace and sophistication of attacks will not let up any time soon.
  • Cyber security should be in the company’s DNA
    • Whether a company is offering a service or a technology, a critical factor to consider is its approach to security. Companies that treat security as key functionality to be integrated from the start of the design process are far more likely to go to market with an offering that has a higher degree of security. Security as an afterthought is just that: an afterthought. Weaving security into the DNA of a service or technology will be extremely helpful in decreasing security risks. Just remember that no security program or process is flawless, and no one should expect perfection.
  • Is there a nation-state problem?
    • An R&D or manufacturing connection to countries known for conducting large-scale cyber espionage causes heartburn for companies and governments alike. Too many instances have occurred where buying items from companies owned by or operating in problem nation states has resulted in cyber-attacks. In some cases, Federal agencies are prohibited from buying IT systems from companies with connections to specific governments. Investors and managers need to stay abreast of problem countries, and also examine whether the product or service has a connection to such countries. Failure to do so can lead to investments in companies that have limited market potential.
  • Do your homework and forensic analyses
    • There’s nothing like buying a trade secret only to find out it really isn’t a secret. Before investing in any company, conduct due diligence to determine how good the security of the company is and whether IP or trade secret information has been compromised.
  • If the government cares, so should you
    • The Federal government is stepping up its requirements regarding cyber security in procurements. That means that all federal contractors (not just defense contractors) are going to have to increase their internal cyber security programs if they want to win government contracts. Failure to have a good cyber security program could lead to lost contracts, and thus decreased growth. 
  • Words matter
    • Companies have been too lax in negotiating terms that explicitly set forth security expectations for IT products, as well as who will be liable should there be a breach or attack. Judicious review of terms and conditions can help avoid liability following a cyber-attack. For example, companies should not accept boilerplate language referring to “industry standards” or “best practices” with respect to cyber security. Instead, specific obligations and benchmarks need to be agreed upon before signing any agreement. Further, agreements should be drafted to make clear that security measures are the obligation of the other party. That way the investor has set up a stronger argument for recovering losses as well as shifting liability away from itself.
  • Insurance isn’t everything
    • Investors may be tempted to think that if a company has a cyber-insurance policy, it is protected in the event of a cyber-attack. The reality is that there is an enormous chasm between buying coverage and having claims paid. Cyber policies are increasingly being written and interpreted to cover fewer types of attacks, so do not be tempted to think that cyber insurance can fully protect an investment.
  • SAFETY Act
    • Under the Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act), cyber security services, policies, and technology providers are all eligible to receive either a damages cap or immunity from liability claims. The SAFETY Act also protects cyber security buyers, as they cannot be sued for using SAFETY Act approved items. Possessing SAFETY Act protections should be considered a positive sign and indicative of potential earnings growth.

There is no doubt about it; cyber risks are here to stay. Addressing those risks should be a core component of any business or investment strategy, because even if “today’s problem” is solved the introduction of new technologies will just mean a new threat vector for adversaries to exploit.

It is not all doom and gloom, however. Paying attention to cyber security trends and doing some simple due diligence will go far in minimizing digital risks. Make no mistake: defenses will always be incomplete and successful attacks will happen. However, with the right processes and approach, the bad outcomes can be minimized and investments will be protected.


The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) previously announced that its 2014 Examination Priorities included a focus on technology, including cybersecurity preparedness. In connection with that statement of examination priority, OCIE recently issued a Risk Alert providing additional information about its initiative to assess cybersecurity preparedness in the securities industry.

As part of this initiative, OCIE will conduct examinations of more than 50 registered broker-dealers and registered investment advisers focused on the following:

  • the entity’s cybersecurity governance,
  • identification and assessment of cybersecurity risks,
  • protection of networks and information,
  • risks associated with remote customer access and funds transfer requests,
  • risks associated with vendors and other third parties,
  • detection of unauthorized activity, and
  • experiences with certain cybersecurity threats.

OCIE has provided a sample form of request for information and documents that investment advisers and broker dealers can expect to receive prior to this type of examination.

Although the SEC has stated that it believes the sample document request (see Appendix) should help to empower compliance professionals with questions and tools they can use to assess their firms’ level of preparedness, registrants should also expect the SEC to use the sample document as a basis for finding deficiencies to the extent the guidance is not followed.