Despite the worldwide cybersecurity pandemic, we still see and hear the argument that private funds and fund managers should be less concerned about cybersecurity because they don’t hold personally identifiable information or other critical customer information like credit card or customer healthcare information. Certainly each type of information is a “high value” target, especially healthcare information.
The alleged 2014 cyber-attacks on U.S. financial firms, investment banks and consulting firms, called “FIN 4,” has to be considered a game-changer as to which types of organizations are more likely than not to be the subject of cyber-attacks, and which are potentially immune. The answer, simply put, is that if your organization has high value intellectual property or financial or M&A data or diligence, you are a target. Period. Thus it would be hard to argue that private funds or their advisers somehow are entitled to a cybersecurity “free pass.”
Indeed they are not. And more importantly, funds and advisers are likely in the first instance subject to cybersecurity risk management guidelines issued by the SEC’s Office of Compliance and Examinations and the SEC’s Division of Investment Management. In general, these guidelines cover the types of cybersecurity processes, procedures and guidelines that funds and advisers should have, in writing, in order to better assess their cybersecurity posture and protect proprietary customer, limited partner and firm data. This guidance also provides information sought by the SEC in order to assure that the funds and advisers have protections in place to guard against account takeovers, unauthorized access to client accounts, and unauthorized funds transfer requests. Given that many of the high profile attacks of 2014 were conducted by virtue of access to the firm’s network through a third party vendor, the guidance also deals with the assessment of the vendor’s own cybersecurity policies and procedures. Finally, the SEC guidance suggests that both contemporaneous risk assessments and employee training policies and procedures are critical for the firms to maintain a “lean forward” cybersecurity posture.
The employee training and awareness aspects of a firm’s cybersecurity policies are critically important to potentially stopping a cyber attack. As demonstrated, the FIN4 report demonstrates that the most widely used threat vector to commence the FIN4 attacks were “social-engineered spearphishing” emails sent to firm employees or executives. Socially engineered emails are emails constructed using specific information that the hacker in question discovered as to the intended email victim gained from researching his or her background from LinkedIn, Facebook or other social network accounts. This information is then turned into a very enticing email that, by its appearance, begs the victim to “please click on the link.” When he or she does, the email then seeds its attached malware onto the victim’s network to steal valuable firm data. Spearphising attacks are very difficult to catch and stop. Other attacks on financial firms have been constructed based upon social media applications like Facebook and Twitter, as well as around “watering holes” or mal-advertisements, which also will seed malware if the page or advertisement is visited.
One final consideration for registered funds and advisers is that cybersecurity is not just a risk for funds and advisers, but also could be a risk of their portfolio companies and investments. As many firms deal regularly, if not exclusively, in the high tech or online spaces, cyber risk could also come up in different, but equally deadly, forms. Certainly as part of due diligence of any investment or acquisition, a purchaser must assess the cybersecurity risk of the target at the time of purchase. That, indeed, is a larger problem than advertised, considering that many cyberattacks are not discovered until months after an attack. And finally, the cybersecurity risk of the portfolio company’s own business model must thoroughly be investigated. There is likely nothing worse than finding out after an acquisition, that a prized portfolio company was hacked, potentially ruining the fund’s investment.
In future posts, we will delve deeper into the issues that funds and registered advisers will need to think about on a daily basis, including employee training, incident response and remediation, as well as cyber insurance. It was recently said by Thomas Curry, the head of the Office of the Comptroller of the Currency (OCC), as to why banks are often tempting targets for criminals and terrorists alike? He stated “…because that’s where the money is.” That is exactly why funds and registered advisers need to be vigilant in monitoring their cybersecurity policies and procedures.