The private funds industry is at risk of potentially devastating cyber breaches. Despite being fiduciaries responsible for investing vast amounts of assets, many advisers have only recently developed cybersecurity training, procedures and protocols, and in some cases their defenses remain quite rudimentary, leaving them vulnerable to deceptive practices. In a recent risk alert, the SEC praised recent progress made by firms in the asset management space while identifying a number of critical areas where preparedness still falls short. In particular, the alert cited 12 robust practices that advisers should consider for adoption at their own firms. The presence of persistent gaps in preparedness, and the SEC’s principles-based approach to regulating cybersecurity, make it all the more imperative for advisers to increase their investments in and oversight of internal cybersecurity procedures and preparedness. Doing so will enable advisers to meet their compliance obligations and to shield investors from catastrophic losses of money and personally identifiable information. To help readers understand these issues, this article presents the key points from the risk alert, together with insights from legal practitioners with cybersecurity expertise. For more on the SEC’s approach to cybersecurity, see “OCIE 2017 Examination Priorities Illustrate Continued Focus on Conflicts of Interest; Branch Offices; Advisers Employing Bad Actors; Oversight of FINRA; Use of Data Analytics; and Cybersecurity” (Jan. 26, 2017). For more on cybersecurity generally, see “Surveys Show Cyber Risk Remains High for Investment Advisers and Other Financial Services Firms Despite Preventative Measures” (Jul. 20, 2017); and “Navigating the Intersection of ERISA Fiduciary Duties and Cybersecurity Data Breach Protections” (Jun. 29, 2017).