Cybersecurity Reminder for Private Fund Sponsors

In light of recent high-profile ransomware incursions and other cyberattacks on businesses around the world, we would like to remind private fund sponsors that in the SEC’s view cybersecurity is a key element of an investment adviser’s compliance program. The SEC’s Office of Compliance Inspections and Examinations (OCIE) recently conducted examinations of registered broker-dealers and investment advisers to assess industry practices and legal, regulatory and compliance issues associated with cybersecurity preparedness. Among OCIE’s findings were that many firms did not conduct (i) periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities and their potential business consequences and (ii) penetration tests and vulnerability scans on systems that the firms considered to be critical. Furthermore, not all firms had installed available software patches to address security vulnerabilities. In a speech at the Economic Club of New York on July 12, 2017, SEC Chairman Jay Clayton stated that while the SEC understands the magnitude of the threat posed by bad actors in this arena and the difficulty faced by firms in responding to it, “[b]eing a victim of a cyber penetration is not, in itself, an excuse.” Therefore, it continues to be the case that any private fund sponsor that does not have a fulsome cybersecurity program in place risks adverse findings in an OCIE examination, and potential enforcement action if investors are harmed as a result of a cyberattack.