Today’s post is a follow-up to my colleague Priya Cherian Huskins’ earlier post about whether private equity and venture capital firms need cyber liability insurance. In today’s post she examines the implications of the SEC’s heightened interest in the topic of cyber risk for PE and VC firms. – Lauri
Good cyber governance is good for business. But there’s another reason that private equity and venture capital firms are taking note of their cybersecurity strategies: the Securities and Exchange Commission. The SEC has demonstrated a heightened interest in ensuring that registered investment advisors (and even exempt reporting advisors) are making the protection of sensitive data a priority.
There’s a thematic similarity between the way the SEC is thinking about cyber governance with respect to investment advisors and the way it has approached this topic with common stock issuers in the past.
As a reminder, registered investment advisors (RIAs) are required to have written policies and procedures that are reasonably designed to protect customer data, pursuant to Rule 30(a) of Regulation S-P.
But take note: we are also seeing the SEC direct inquiries to firms that are not RIAs. The SEC seems to be going in to have a casual chit-chat, but may actually be gathering information so that it can later have a more formal conversation if needed.
The SEC’s Cybersecurity Assessments and Results
Let’s go back in time for a brief review of how cyber came to be a focus for the SEC when it comes to RIAs.
Back in 2014, the Securities and Exchange Commission and its Office of Compliance Inspections and Examinations (“OCIE”) were very clear about the fact that cyber issues were at the forefront when it came to RIAs. At that time the SEC embarked on its initial analysis of 50 registered broker-dealers and registered investment advisers, focusing on their cybersecurity.
The goal, said OCIE, was to “help identify areas where the Commission and the industry can work together to protect investors and our capital markets from cybersecurity threats.”
Then in 2015, the SEC issued some gentle guidance on cybersecurity for the sector. The SEC identified a number of areas that funds and advisors could consider vis-à-vis cybersecurity compliance, including:
- Conducting periodic assessments of sensitive information, potential threats, security controls and the probable impact of an attack
- Creating a strategy designed to prevent, detect and respond to cybersecurity threats
- Implementing the strategy through written policies and procedures
In August 2017, OCIE issued a report with findings from its analysis of registered broker-dealers, investment advisers and investment companies pursuant to the cybersecurity initiative announced in September 2015.
This was the second analysis of its type and “involved more validation and testing of procedures and controls surrounding cybersecurity preparedness.”
The analysis focused on 75 firms. While OCIE found that compliance had progressed since 2014, there were still areas for improvement.
From the report, some of the issues documented where firms had more work to do included:
- “Policies and procedures were not reasonably tailored because they provided employees with only general guidance, identified limited examples of safeguards for employees to consider, were very narrowly scoped, or were vague, as they did not articulate procedures for implementing the policies.”
- “Firms did not appear to adhere to or enforce policies and procedures, or the policies and procedures did not reflect the firms’ actual practices …”
- “… Regulation S-P-related issues among firms that did not appear to adequately conduct system maintenance, such as the installation of software patches to address security vulnerabilities and other operational safeguards to protect customer records and information.”
The OCIE report is extremely useful because it provides an actionable dashboard for firms that are trying to take an early cut at handling their cyber risk assessment. The report included recommendations to create robust cybersecurity strategies, including specifics about the following:
- Maintenance of an inventory of data, information and vendors
- Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities
- Established and enforced controls to access data and systems
- Mandatory employee training
- Engaged senior management
While there are other standards out there for cyber governance, such as the NIST Cybersecurity Framework and the ISO guidelines, those may be better suited for firms whose cyber governance is more mature. The OCIE guidelines provide a great starting point for firms taking their first steps to formalize their cyber governance.
How Important Is Compliance?
No VC or PE firm wants to find itself in the middle of a cyber breach debacle and the costly litigation that can ensue. But how serious are the SEC’s recommendations to be cyber-ready?
To date, the guidance coming from OCIE feels friendly and supportive, but firms should understand that it may be less so next time. In other words, now is the time to get serious about cybersecurity and your firm’s cyber governance.
It’s useful to note that the latest report says “nearly all advisers examined maintained cybersecurity-related written policies and procedures addressing the protection of customer/shareholder records and information.” In other words, the SEC noted that not everyone has written policies and procedures.
In 2015, we saw the SEC issue an enforcement action against an investment advisor with inadequate controls. While this action did not involve a venture capital or private equity firm, it is an example of what we might see the SEC do with a poorly prepared RIA.
Recall, too, that we are now seeing a serious investigation from the SEC into Yahoo around disclosures related to a security breach.
To date, we’ve seen nothing to indicate that the SEC will turn these guidelines into a basis for enforcement actions. That can change, which makes taking cyber governance seriously all the more important.
It’s also worth asking your insurance broker whether your insurance would respond if the SEC were to bring a cyber-related enforcement action against your firm. A properly negotiated general partner liability (GPL) policy should be able to respond to an enforcement action against a PE/VC firm (as well as the firm’s general counsel or CFO). Should there be an actual breach or incident, you may have other insurance policies that will also respond.