Although not explicitly required by SEC regulations, hedge fund managers are expected to undertake testing for cybersecurity vulnerabilities and preparedness as part of their overall regulatory compliance responsibilities. See also “ACA Compliance Professionals and SEC Veteran John H. Walsh Share Insights on SEC Priorities for 2015
,” Hedge Fund Law Report, Vol. 8, No. 16 (Apr. 23, 2015). Such testing was recently considered in depth at a program sponsored by K&L Gates and the Investment Adviser Association (IAA). The program was the third installment of the sponsors’ Investment Management Cybersecurity Seminar Series and was moderated by Mark C. Amorosi, a partner at K&L Gates. The other speakers were Laura L. Grossman, assistant general counsel at IAA; Jason Harrell, corporate senior information risk officer at BNY Mellon; Jeromie Jackson, director of security & analytics at Nth Generation; and K&L Gates partners Jeffrey B. Maletta and Andras P. Teleki. This article, the second in a two-part series, discusses testing approaches; vulnerability assessments; penetration testing; and recent SEC and private litigation on cybersecurity matters. The first article
summarized the panelists’ discussion of the legal and compliance framework for cybersecurity testing; testing considerations; and how to leverage OCIE’s recent cybersecurity examination initiative to improve cybersecurity compliance and testing. For additional insight from K&L Gates, see “Experts Offer Advice on Initiating and Structuring M&A Transactions in the Asset Management Industry (Part One of Two)
,” Hedge Fund Law Report, Vol. 8, No. 18 (May 7, 2015); and Part Two of Two
, Vol. 8, No. 19 (May 14, 2015).