By Bob Krawczyk, Managing Director, Mackinac Partners
Over the past several months, the Securities and Exchange Commission (“SEC”) has increased its focus on and communication about cybersecurity. On May 8, 2015, Mary Jo White, SEC Chairman, stated in a speech that cyberattacks represent the “biggest systemic risk” to the United States. Further, the SEC has issued several communications discussing findings and guidelines as they relate to registered investment advisers (“advisers”) and cybersecurity.
Cybersecurity Examination Sweep Summary
In February 2015, the Office of Compliance Inspections and Examinations (“OCIE”) issued the findings of its cybersecurity examination sweep, in which it examined 57 registered broker-dealers and 49 registered investment advisers to better understand how they address the “legal, regulatory, and compliance issues” associated with cybersecurity. Some of the highlights of the examination are as follows:
While the OCIE did not draw conclusions from the results of its study, it did state that it will “continue to focus on cybersecurity using risk-based examinations”.
Division of Investment Management Guidance Update
In April 2015, the SEC’s Division of Investment Management (“IM”) issued its cybersecurity guidance for advisers, which highlights “the importance of the issue and discusses a number of measures that funds and advisers may wish to consider when addressing cybersecurity risks”. The measures suggested in the IM guidance include:
The guidance further states that advisers should identify their obligation to comply with federal securities laws when developing and implementing their cybersecurity control strategies.
It is important to note that both publications stop short of issuing SEC-mandated controls and processes. However, they are very clear that cybersecurity controls, and how those controls comply with federal securities laws, will continue to be a major focus.
Mackinac Partners’ Business Intelligence Division has the expertise to help private equity firms navigate the changing tides of SEC regulation. Our Cyber Security and Digital Forensic Services group has developed solutions tailored specifically for private equity firms to create and implement robust data security frameworks and controls. In addition, the Mackinac Incident Response Service has helped private equity firms that have been victims of cyberattacks minimize the cost, damage and disruption.
1. Ackerman, Andrew. “Cyberattacks Represent Top Risk, SEC Chief Says” (May 2015) Wall Street Journal. www.wsj.com
2. Office of Compliance Inspections and Examinations. “Cybersecurity Examination Sweep Summary” (February 2015) https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf
3. Division of Investment Management. “Cybersecurity Guidance” (April 2015) http://www.sec.gov/investment/im-guidance-2015-02.pdf