Cybersecurity is one important element of a fund manager’s overall regulatory compliance responsibilities. Although SEC regulations do not explicitly require it, managers are clearly expected to test for cybersecurity vulnerabilities and preparedness. Such testing was recently considered in depth at a program sponsored by K&L Gates and the Investment Adviser Association (IAA). The program was the third installment of the sponsors’ Investment Management Cybersecurity Seminar Series and was moderated by Mark C. Amorosi, a partner at K&L Gates. The other speakers were Laura L. Grossman, assistant general counsel at IAA; Jason Harrell, corporate senior information risk officer at BNY Mellon; Jeromie Jackson, director of security & analytics at Nth Generation; and K&L Gates partners Jeffrey B. Maletta and Andras P. Teleki. This article, the first in a two-part series, summarizes the panelists’ discussion of the legal and compliance framework for cybersecurity testing; testing considerations; and how to leverage OCIE’s recent cybersecurity examination initiative to improve cybersecurity compliance and testing. The second article will discuss testing approaches; vulnerability assessments; penetration testing; and recent SEC and private litigation on cybersecurity matters. For coverage of the first installment of the series, in which Amorosi, Grossman and Teleki also participated, see “K&L Gates-IAA Panel Provides Comprehensive Overview of Cybersecurity Laws and Threats Applicable to Investment Managers (Part One of Two),” Hedge Fund Law Report, Vol. 8, No. 16 (Apr. 23, 2015); and “K&L Gates-IAA Panel Provides Comprehensive Overview of Cybersecurity Risk Mitigation Frameworks and Techniques for Investment Managers (Part Two of Two),” Hedge Fund Law Report, Vol. 8, No. 17 (Apr. 30, 2015).