Cybersecurity has become an unlikely top-line priority for managers of pooled investment vehicles (“Fund Managers”) and broker-dealers (“Broker Dealers” and, together with Fund Managers, “Investment Firms”). As a result, Investment Firms are under relatively sudden and intense pressure to implement meaningful and effective Cybersecurity controls within their organizations. Several factors demonstrate that Cybersecurity is squarely in the crosshairs of the Securities and Exchange Commission (the “Commission”). Examples include: (i) the recent “Cybersecurity Sweeps” conducted by the Commission; (ii) its triaging of Cybersecurity as a top regulatory priority for the last four (4) years running; and (iii) recent Commission enforcement actions that have resulted in at least one seven-figure settlement, in censure, and even in criminal proceedings. Clearly, “Cybersecurity Preparedness” is viewed by the regulators as both a core control and a minimum standard.
Efforts to achieve an unimpeachable Cybersecurity Program are being undertaken by a growing majority of Investment Firms, yet it’s not something that such firms will freely and candidly discuss among peer groups or in open industry dialogues. There are several reasons for this phenomenon. First, the path to building a compliant Cybersecurity Program flows through every cross section of each Investment Firm’s enterprise – IT, HR, Compliance, Investor Relations, Legal, Accounting and even Operations – and achieving this end requires those undertaking it to have a myriad of skill sets and both an understanding and an appreciation of each of these otherwise unrelated functions. Not many individuals want to jump into such a varied and largely unfamiliar exercise, much less talk about it openly with peers and colleagues. Second, the law, regulations and rules pertinent to Cybersecurity in the investment management space are not exactly black-letter law or bright-line rules, and it’s simply unclear what the required elements are for a given Investment Firm’s Cybersecurity Program. Third, there is a misperception among Investment Firms (and especially among Fund Managers) that it’s better not to take a deep dive into either designing a new Cybersecurity Program or, alternatively, having it tested and assessed, due to a fear of finding deficiencies.
This is a dangerous misperception, based largely on a fear that seems irrational when one considers the Commission’s directives that: (a) it expects Investment Firms will suffer breaches and cyber-attacks, and any such event, in and of itself, will not lead to a regulatory action, fine or penalty; (b) it is more interested in how such firms can demonstrate they are prepared for such breaches and ready to respond to and remediate them; and (c) most importantly, periodic testing and assessments are, in and of themselves, required by the regulators. It is better to self-discover any deficiencies and cure them voluntarily than to have the Commission make these findings and take action because of a failure to identify and remediate them.
Thus, the road for Investment Firms to develop a truly unimpeachable Cybersecurity Program is an unfamiliar one. However, an initial Cybersecurity Assessment is not only a gentle first step but also a process that the regulators expect.