Mackinac Partners

News & Insights

Insights: Private Equity, Cybersecurity, and New SEC Guidance Updates

June 2, 2015

By Bob Krawczyk, Managing Director, Mackinac Partners

Over the past several months the Securities and Exchange Commission (“SEC”) has increased its focus and communication related to cybersecurity.  On May 8 2015, Mary Jo White, SEC Chairman, stated in a speech that cyberattacks represent the “biggest systemic risk” to the United States[1].  Further, the SEC has issued several communications discussing findings and guidelines as it relates to registered investment advisers (“advisers”) and cybersecurity.

CyberSecurity Examination Sweep Summary

In February 2015, the Office of Compliance Inspections and Examinations (“OCIE”) issued the findings of their cybersecurity examination sweep in which they examined 57 registered broker-dealers and 49 registered investment advisers to better understand how they address the “legal, regulatory, and compliance issues” associated with cybersecurity[2].    Some of the highlights of the examination are as follows:

  • 74% of advisers stated that they have been the target of a cyber-related incident either directly or through one of their vendors.  In addition, only 32% of advisers require cybersecurity assessments of the vendors that have access to their firm’s networks.
  • While 83% of the advisers had written security policies, only 57% conduct periodic audits to determine whether they are in compliance with their policies and procedures.
  • Only 21% of advisers maintain insurance that covers losses and expenses attributed to cybersecurity incidents.

While the OCIE did not conclude on the results of their study, they did state that they will “continue to focus on cybersecurity using risk-based examinations”.

 

Division of Investment Management Guidance Update

In April 2015, the SEC’s Division of Investment Management (“IM”) issued its cybersecurity guidance for advisers which highlights “the importance of the issue and discusses a number of measures that funds and advisers may wish to consider when addressing cybersecurity risks”[3].  The measures suggested in the IM guidance includes:

  • Advisers should conduct periodic assessments of the information that the adviser collects and the technology that collects, processes, and stores this data.  The periodic assessment should include identifying cybersecurity threats and vulnerabilities, security controls that are currently in place, the impact of a possible cybersecurity breach, and the effectiveness of the governance system for managing cybersecurity risk.
  • Advisers should develop a control strategy that is designed to prevent, detect and respond to cybersecurity threats.  The strategy should include access controls to systems and data, encryption of data, deploying measures to protect against the loss of exfiltration of sensitive data, controls over data backup and retrieval processes, and the development of an incident response plan.
  • Implement the control strategy through written procedures and formal employee training.

The guidance further states that the advisers should identify their obligation to comply with federal securities laws when developing and implementing their cybersecurity control strategies.

It is important to note that both publications stop short from issuing SEC mandated controls and processes.  However, they are very clear that cybersecurity controls and how the controls comply with federal security laws will continue to be a major focus.

Mackinac Partners’ Business Intelligence Division has the expertise to help private equity firms navigate through the changing tides of SEC regulation.  Our Cyber Security and Digital Forensic Services group has developed solutions tailored specifically for private equity firms to create and implement robust data security frameworks and controls.  In addition, the Mackinac Incident Response Service (click here) has assisted private equity firms that have been victims of cyberattacks minimize the cost, damage and disruption.

 

For more information on our cybersecurity services contact Bob Krawczyk at bkrawczyk@mackinacpartners.com or visit our websites at www.mackinacpartners.com.

_____________________________________

1. Ackerman, Andrew. “Cyberattacks Represent Top Risk, SEC Chief Says” (May 2015) Wall Street Journal.  www.wsj.com

 

2. Office of Compliance Inspections and Examinations. “Cybersecurity Examination Sweep Summary” (February 2015)  https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf

 

3. Division of Investment Management. “Cybersecurity Guidance”  (April 2015)http://www.sec.gov/investment/im-guidance-2015-02.pdf