|
|
Attacks on fund managers, investment advisers and other fiduciaries ("Fund Managers") are increasing in frequency, sophistication and severity. And both the regulators and the investor community have been paying close attention. To responsibly manage Cybersecurity risk, Fund Managers need to, at minimum:
As it stands today, Cybersecurity law consists of a crazy quilt of federal, state and international laws and statutes, which are further complicated by additional industry-specific rules and best practices, together creating a body of jurisprudence that is disjointed and convoluted. Similarly, since early 2014, we've seen regulatory initiatives demonstrating that Cybersecurity is squarely in the crosshairs of investment management regulatory bodies, including the SEC. Examples include the SEC's recent "Cybersecurity Sweeps," its triaging Cybersecurity as a top regulatory priority for the last four years running and its recent enforcement actions activities, which have induced at least one seven-figure settlement.
And yet the elements of constructing a model Cybersecurity Program remains unclear, leaving Fund Managers struggling to understand their legal, compliance and fiduciary obligations.
"Clearly, ‘Cybersecurity Preparedness' is viewed by the regulators as both a core control and a minimum standard, yet one which they refuse to define," says John Araneo, managing director, Align Cybersecurity, and general counsel of Align. "The guidance provided to date has been largely principals-based, failing to provide a clear construct on precisely how to design an unimpeachable Cybersecurity Program. Unfortunately, in the absence of any bright line rules or black letter law espousing the required elements of a sound Cybersecurity Program, Fund Managers have been left scratching their heads on how to comply."