With the Securities and Exchange Commission taking a closer look at asset managers’ cybersecurity practices, top executives increasingly need to realize the safety of their data is an issue of strategic importance, according to industry lawyers and cyber specialists.
The SEC’s Office of Compliance Inspections and Examinations recently began asking investment advisers for more details about their cybersecurity programs. The update to OCIE’s typical examinations request comes as part of a third wave of SEC cybersecurity sweeps. As OCIE announced in December and discussed at an Investment Company Institute conference in March, the SEC’s latest initiative targets fund firms with multiple branch offices, including shops that have recently undergone mergers and acquisitions.
The time for high-level management discussions about the cybersecurity implications of M&A should be long before compliance teams are left fielding questions from regulators, lawyers and cyber pros say. “Often times cybersecurity is an afterthought,” observes Mark Nicholson, who leads the financial-services cybersecurity practice at Deloitte. “Organizations try to bring the companies together without fully appreciating that they could be exposing each other to their weakest links.”
Numerous fund firms contacted for this article declined to comment. Nicholson says he’s not surprised. “Any organization that is going to claim that it does cybersecurity well is inviting attack,” Nicholson explains, citing notorious examples of companies announcing their cybersecurity was up to scratch only to attract hackers attempting to prove them wrong.
Steven Chabinsky, chair of the global data, privacy and cybersecurity practice at the law firm White & Case, says he has seen a progression in top executives’ awareness of cyber issues, with senior leaders and board members recognizing in the last couple of years that they do have a role in cybersecurity risk management. He likens that role to the delegation of duties at a government level between the executive and legislative branches.
“The chief information security officer and the information technology folks are the executive branch,” Chabinsky says. “They should be executing on the risk decisions of the legislative branch of executive management, but it’s still up to executive management to say, ‘This is what’s important to us,’ combined with legal, regulatory, and contractual requirements.”
Cybersecurity due diligence in M&A has become a buzzed-about topic not only in the fund industry, of course, but also in the broader business world. “Firms should do an audit—and, if required, an intense one—of cybersecurity for acquired firms,” says Chirantan Chatterjee, a visiting fellow at Stanford University and co-author of a recent Harvard Business Review piece titled “Don’t Acquire a Company Until You Evaluate Its Data Security.”
Daniel Sokol, a University of Florida law professor and fellow co-author of the HBR piece, adds that naturally the best practices for cybersecurity in an M&A deal will vary based on the details of the transaction and its risk profile. “Ideally the SEC would create some sort of guidance of what proper compliance would entail in terms of specific operations and organizational structure issues,” Sokol suggests. “No cybersecurity system is perfect, but the importance is to create state-of-the-art mechanisms to reduce the risk.”
According to a recent alert by ACA Aponix, documents the SEC has requested from investment advisers include privacy policies provided to clients, reports on cybersecurity reviews and details about any actions taken as a result of internal violations of cybersecurity policies and procedures. SEC examiners also asked about firms’ practices for remote access and their policies on third-party vendors, as well as for a list of terminated vendors.
Before an investment adviser does an M&A deal with another investment adviser, the level of due diligence will need to satisfy an array of interested parties, notes Paulita Pike, an investment management partner at Ropes & Gray. That includes the acquiring firm itself and potentially its parent organization, perhaps with its own board and shareholders, as well as the underlying mutual fund boards.
As with any other aspect of operations when an asset manager acquires another fund group, the due diligence process for cybersecurity would typically extend to the fund group’s third-party vendors. “You want to try to satisfy yourself as best you can that the acquisition does not lead to some type of vulnerability that you didn’t catch some of in the due diligence process,” Pike says. “And that could be a vulnerability that exists at the acquired asset management firm, or it could be a vulnerability that exists at a vendor that’s servicing the third-party manager or its funds.
“It’s sort of an octopus that has tentacles really. But this is one that you need to focus on.”
Those tentacles have a “footprint,” which firms need to ensure they understand as part of their due diligence—“whether it be a technology footprint, third-party footprint, data footprint,” says Deloitte’s Nicholson. “What types of data does that organization have? Where is it? Who controls it? Are there protective controls in place? Or could it be exposed? These are all very important considerations, especially as it relates to regulatory requirements. Many organizations don’t always have a full appreciation of where their critical data exists in their own environment, let alone in a newly acquired company.”
When assessing the cybersecurity of two firms that have already undergone a merger, Nicholson says, he’d want to know who the third-party vendors are, what type of data is present—in which regulatory jurisdictions—and what technologies the firm is using to store that data. And he’d ask similar questions of the acquired firm: “Are there cloud providers that the acquiree maintains? What type of reviews have been done to make sure that those relationships have been provisioned in a secure manner? Have there been any outside assessments applied to that target?”
Spencer Mindlin, an Aite Group analyst focused on capital markets technology, says the trend is going to be toward more use of third-party vendors for cybersecurity and other functions, not less. As fund firms outsource crucial functions, he notes, they’ll run into a tension between the choice of relying on a single integrated provider, which has all services in one place but might not offer the “best of breed,” and trying to find the top providers for each individual service. “Every time you look for a best of breed approach, it means you’re introducing another element of vendor risk, which also increases your cybersecurity risk,” Mindlin says.
On the plus side, Mindlin adds, finding “best of breed” cybersecurity vendors is probably easier and less expensive than it was even five or 10 years ago, thanks to the rise of open platforms. “You can take it off the shelf and still build your technology and focus on whatever your core competency is, but not have to give up best practices in cybersecurity,” he says. Using a smaller vendor for cybersecurity isn’t necessarily a disadvantage, either, he adds, both because a smaller firm might be “more nimble” and because of the cybersecurity-risk diversification of only giving each particular vendor the specific information it needs.
That said, White & Case’s Chabinsky points out that using a secure vendor is no guarantee that the fund firm itself is secure. “It is similar, if you will, to taking a Band-Aid out,” he says. “The Band-Aid says that it’s sanitary, you open it up to put on your wound, but if you didn’t clean your wound first, well, that’s it. You’re not sanitary by putting the Band-Aid on it. You can view these mature vendors as the sanitary Band-Aid—you’re not going to get dirty from them. But if you start out dirty, it’s not going to get you clean.”
Zooming out a bit, cybersecurity is an SEC priority for good reason, says Jeff Keil, principal at Keil Fiduciary Strategies. “I applaud the focus on cyber since its bad treatment or ignoring problems can give the entire business a black eye,” Keil says. “The downside is the costliness of a comprehensive program. Small shops may skimp.”
He says perhaps the most important question fund board directors can ask the adviser is whether it should employ, or has employed, an outside cybersecurity firm to benchmark the adviser’s level of preparedness and defenses: “It puts the adviser in a position to gauge its systems and defenses in relation to the state of cybersecurity right now and likely highlights some holes in the current approach, as applicable.”
New risks continue to emerge in the cybersecurity space. “There’s a little game of whack-a-mole,” says Ropes & Gray’s Pike. “You solve for one issue, but you’re never done.” That’s true even with individual fund groups, she says, “depending on each fund group’s idiosyncrasies, what is changing in that fund group, what vendors are changing.” A fund group that switches from an internal transfer agent to a third-party TA may find itself facing a new set of cybersecurity risks. Concerns around such issues are picking up momentum, with a panel scheduled for May 2 at the ICI’s General Membership Meeting titled “Fighting the Borg Collective: What a Relentless Cybersecurity Threat Means for the Enterprise,” which Fund Intelligence will be covering.
The broader cybersecurity landscape keeps evolving as well. “Ransomware continues to be an area of concern,” Deloitte’s Nicholson says. “I also think that understanding where data is and how it’s accessed is critically important. Many times it’s not about the new, incredibly sophisticated ‘zero day’ attack that has been developed at great cost. A vast majority of the time it’s basic housekeeping that opens the door and lets people in.”