CYBER SECURITY BECOMES A FOCUS FOR FINANCIAL REGULATORS: Contracts with Vendors and Service Providers Under Scrutiny



Frenkel Sukhman LLP

May 1, 2015

Investment funds, broker/dealers, and other financial service companies face serious cyber security threats to the safety of their confidential and proprietary information and, indirectly, even more dramatic threats to their operations, both from within their organizations and from the outside.   While preparing to combat these threats is a good business practice in itself, such companies should pay heed to the fact that regulators have begun to address their obligations in data protection, making institutional information security preparedness a discrete compliance and potentially legal issue.  Following last year’s well-publicized cyberattacks on JPMorgan and other banks, the regulatory interest in strengthening protection against cyber criminals has received a new impetus, from the U.S. Treasury Department down to state financial regulators.

The Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a National Exam Program Risk Alert (“Risk Alert”) on February 3, 2015, providing observations derived from the sweep examinations in 2014 of over 100 registered broker-dealers and investment advisers that were undertaken to assess their cybersecurity practices and preparedness. The Risk Alert does not provide substantive requirements in the subject of cyber security preparedness. However, it signals that cybersecurity is one of OCIE’s top 2015 exam priorities, and that all SEC registrants will want to review their preparedness for a cyber exam.  As part of its cyber sweep initiative OCIE staff tested the level of preparedness of the examined firms by reviewing certain practices and procedures. These included written information security policies and procedures, periodic audits to assess compliance, risk assessments, mapping technology resources, encryption and password techniques and cybersecurity insurance.

It is noteworthy that most registrants reported cyber attacks (majority of which arose from malware and fraudulent e-mails) directly or through one or more vendors. Although most registrants’ policies require cybersecurity risk assessments of vendors with access to their proprietary information and operations, only some have such requirements for vendors. Even fewer (24%) investment advisers do so according to the OCIE initiative’s findings.   The inclusion of certain questions in OCIE examinations regarding contracts with vendors and business partners and requests for the description of contractual information security requirements and sample copies seem to indicate that the SEC encourages its registrants to take a more active position in negotiating stronger contractual protection in dealings with IT service firms and other vendors who have access to their networks and data. The odds are that many firms will experience one or more instances of unauthorized access to their computer systems and that their data and/or operations will be compromised as a result.

Financial Industry Regulatory Authority (FINRA) published a detailed report, “Report on Cybersecurity Practices” on the same date as the SEC, identifying effective practices for dealing with cybersecurity threats by its members, a result of its own targeted examinations and initiatives.  The FINRA report focuses on third-party vendor risks as well and calls for efforts to closely research and evaluate third-party vendors, preferably before they are engaged and periodically thereafter. Member firms are requested to review due diligence procedures for selecting vendors, and procedures to approve and monitor vendor access to firm networks, customer data and other sensitive information. As part of the due diligence review, copies of the vendors’ written information security plans and certifications of compliance with applicable standards should be obtained. Vendor contracts should be reviewed for inclusion of appropriate terms on security measures, including incident response notification procedures and cyber insurance coverage.

In May 2014, the New York State Department of Financial Services (“NYSDFS”) published a report titled “Report on Cyber Security in the Banking Sector” that described the findings of its survey of more than 150 banking organizations and isolated the industry’s reliance on third-party service providers for critical banking functions as a continuing challenge. NYSDFS has announced that it will be scrutinizing cyber-security as an integral part of its bank examinations, and is asking banks to prepare responses to a specific set of questions and information-requests on their security practices and procedures for purposes of the examinations.  NYSDFS is also considering cyber security requirements for financial institutions that would specifically apply to their relationships with third-party service providers.

While the Risk Alert should not be viewed as a summary of industry norms or best practices for the SEC registrants, it is a useful document that provides a glimpse into the regulator’s mindset.  Given that cybersecurity is one of OCIE’s top 2015 exam priorities for all SEC registrants regardless of their form, investment advisers as well as broker/dealers should review their preparedness for a cyber exam and make such improvements as may be needed on the basis of the review. One of the key areas for such improvements is contractual relationships with its key vendors and third party IT service, data and other technical or content providers.  Upgrading the firms’ contractual protection may take a significant amount of time and effort as it is likely to require negotiation with several third parties whose counsel may not be aware of the new regulatory attention bestowed on cyber security and the need to assume at least some of the responsibility for the improvements.  Different types of contracts will require different amendments depending on the nature of services, the service provider’s access to the client’s data, computer systems and operations, and other factors.

Along with internal preparedness for cyber attacks, bolstering the financial institution’s legal position vis-à-vis third party service providers is one of the principal tools in fending off potential civil litigation, regulatory inquiries and administrative enforcement action and protecting against resulting financial and reputational harm.  The results of the OCIE study show that 88% of the broker-dealers and 74% of investment advisers surveyed have already been victims of some form of a cyber attack so both the risk to financial institutions’ information security and the risk of attendant legal and regulatory repercussions are very real.


Frenkel Sukhman LLP advises its fund and other clients in the financial services and other industries on cyber security issues and helps them to minimize regulatory and legal exposure from cyber security threats with its attorneys drafting, reviewing and negotiating service, outsourcing, licensing and other agreements on the regular basis.

“Gardening Leave” Should Not Involve Lunching or Other Social Activities with Your Former Colleagues

While the term “gardening leave” or “garden leave” is thought to be an English import to the New World, some U.S. fund managers and other financial institutions have been using gardening leave provisions in their employment agreements in all but a name.  Under a “gardening leave” clause the employee is required to give the employer a certain notice prior to departure from the firm following which the employee is placed on a salaried leave of absence and is forbidden to work for competitors and to engage in certain other activities.  The name for this contractual device originates in the idea that the employee is paid to stay at home and tend to a garden rather than engage in a conduct the employer might find objectionable.  One basic distinction between gardening leave provisions and restrictive covenants following separation is that the terminated employee (whether by his or her own volition or by the employer) technically remains in an employment status during the period of the leave and continues to be compensated as before but is subject to greatly reduced (if not completely eliminated) job duties and lack of access to the employer’s offices, facilities, and personnel.

A case involving just this kind of clause is currently pending before the London High Court.  The employee in that case is Fahim Imam-Sadeque, the former head of sales for the UK, Middle East and Australia for BlueBay Asset Management, one of Europe’s largest specialist managers of fixed-income credit and alternative products, managing assets of more than £24billion.  Mr. Imam-Sadeque reportedly left the firm in December 2011 after having signed an agreement that was said to contain a gardening leave for a period of six months from the date he gave notice in July 2011 after he had accepted an offer to join a competitor, Goldbridge Capital Partners, as head of sales and marketing from January 2012.  As a reward for staying home in his English garden, during the term of the leave he was entitled to continued salary and to other compensation, including fund shares worth £1.7million.  While he continued to be a BlueBay employee, he was subject to a range of the common restrictive covenants, such as non-competition, non-solicitation and non-poaching.  It is the latter restriction that Mr. Imam-Sadeque reportedly violated in the course of having lunch with a current BlueBay employee, Damian Nixon, whom he sought out in a number of emails.

While we do not know what actually transpired during this December lunch, BlueBay clearly interpreted it as more than an exchange of season’s greetings and refused to turn over the accrued compensation, including deferred fund shares to Mr. Imam-Sadeque, claiming a breach  of the anti-poaching provisions of his contract.  BlueBay also claimed Mr. Imam-Sadeque had allowed Goldbridge to issue inaccurate and misleading references to himself and other BlueBay staff, with Goldbridge saying he no longer worked for BlueBay when he did so.  Not surprisingly, Mr. Imam-Sadeque has brought suit against BlueBay claiming that he did nothing wrong by having lunch with Mr. Nixon, and that BlueBay is wrongfully withholding his deferred compensation.

The lesson of this pending case, regardless of its outcome, which is more likely than not will turn on the employer’s ability to secure Mr. Nixon’s (its current employee) cooperation as a witness, is that gardening leaves serve a useful purpose for both the employer and the employee but should not be abused by either.  Employers can obtain a stronger legal protection by way of restrictive covenants when they continue paying the departing employee and in exchange get the privilege of counting him or her as a current (if not active) employee during the term of the leave because most legal challenges to the validity and enforceability of such restrictive covenants lose their potency precisely due to continued consideration being paid by the employer and the unambiguous employment status of the departing employee.  Furthermore, gardening leaves can offer greater protection against misappropriation of the employer’s confidential information and trade secrets because employees on leave are effectively kept away from the most current information, being denied access to the employer’s offices, files or networks as well as its employees, suppliers, customers, investors, and other counter-parties and as current employees are generally subject to greater control by the employer than former employees.  Employees also benefit by having a paid leave with full insurance coverage and often other benefits once they serve a termination notice on their employer before they completely sever the ties with the old employer and get to start with a new employer (or a new career in gardening or elsewhere).

However, once either party overreaches, the bargain of certainty and predictability is lost, and the courts are liable to step in with their own vision of what is just and fair in a given fact pattern.  U.K. courts have generally enforced gardening leave provisions with both injunctions against prohibited employee conduct and by upholding the employer’s right to withhold contractual compensation in the event of a material breach by the employee.  A typical U.K. Service Agreement for investment fund professionals and managers uses a fairly broad language for its anti-poaching clause of the garden leave provisions, such as:

“The Employee covenants with the Company that the Employee will not directly or indirectly on Employee’s own account or on behalf of or in conjunction with any person for a period of __ months after the Termination Date induce or attempt to induce any employee to whom this paragraph applies to leave the employment of the Company (whether or not this would be a breach of contract by such employee).”

It may also be possible to use more specific language prohibiting any contact by the employee who gave termination notice with any of the employer’s employees, directors, officers, investors, customers, suppliers, and service providers, re-defining the employee’s duties and obligations and so on.  It is unknown at this point whether the BlueBay employment agreement in question contained such language, but conceivably even the less-specific language reproduced above may subject the former employee to liability when sufficient evidence is introduced as to his or her attempts to poach the company’s employees or to violate the no-contact provisions of the contract.  What is clear is that any employee who voluntarily signs a contract with such provisions should steer clear of the employer’s business and employees until the gardening leave is over to protect his or her entitlement to deferred compensation and to avoid litigation.

In the U.S., gardening leave clauses are used more rarely than in the U.K. and almost exclusively with executive management and professional positions, including those in the financial services industry.  They are sometimes called “sitting out” clauses.  As in the U.K., courts in the U.S. generally find them valid and enforceable because the continued compensation dispenses with the challenge based on the lack of a “safety net” for the employee and gardening leave provisions are therefore a safer bet for the employer than pure post-separation restrictive covenants where no additional compensation is paid to the severed employee.  However, the reasonableness test still applies, and the period of the leave as well as the need for and the scope of the employer’s protection may still be scrutinized by a court.  U.S. employers rarely go beyond the 6 months term, and 2-3 months terms are more typical.  In addition, a number of cases raise special concerns with the availability of specific performance to enforce the garden leave which provides for some limited services to be continued to be performed for the benefit of the former employer during the transitional period (as opposed to an injunction against an employee who accepts an employment offer from a competitor and attempts to commence new employment during the period of the garden leave) as an involuntary servitude.  Money damages (including a setoff of deferred compensation) are much less controversial as a legal remedy and should serve as sufficient deterrent against potential violations on the part of competitors and former employees alike.  New York courts consistently rejected plaintiffs’ arguments that the employment exclusion effect of properly drafted garden leaves may make it difficult to resume work due to lost skills.  In addition, the scale of compensation typically granted hedge fund and private equity fund executives makes it very difficult for the executives in between jobs to get the sympathy of a judge or a jury in the absence of a truly despicable conduct on the part of the employer.

It should be remembered that there has been limited guidance from U.S. courts on the pure U.K.-style gardening leave provisions, and U.S. employers should exercise caution in including such provisions into U.S. employment or separation agreements and seek advice of U.S. counsel on their effect under local state law.  We have been involved in preparation, negotiation and litigation of such agreements on behalf of both hedge and private equity fund employers and their employees and would be pleased to assist you with your legal needs in this area.

Avoid the Urge to Overreach in Restrictive Covenants in Employment Agreements

A recent (September 2011) New York case, Novus Partners v. Vainchenker, illustrates the difficulty of enforcing overly broad restrictive covenants in the employment context relevant to hedge funds and other private fund entities.  In this case, an employee of a hedge fund research company left to work for a competitor and was promptly accused by his former employer of violating confidentiality, non-competition and non-solicitation clauses of his employment agreement among other claims.  After suing both the ex-employee and his new employer (who was sent a notice apprising it of its new employee’s breach of contract), the plaintiff was faced with a challenge from the defendants by way of a motion to dismiss that attacked the legal sufficiency of the agreements signed by the ex-employee.

As we all know, employers like to protect themselves against this very situation with what they view as “iron-clad” contractual provisions that they offer to employees as part of their employment package and that employees (short of very few executive-level employees) tend not to negotiate.  Which is all well and good.  We certainly encourage our employer clients to arm themselves with the appropriately-drafted restrictive covenants at every stage of interaction with employees, independent contractors and service providers (normally when they enter into employment or service agreements and, upon termination, in separation or termination agreements).  However, care must be taken not to have our defensive instincts get the better of us.  New York courts, as well as courts in other states, scrutinize restrictive covenants when they are being used against former employees and may refuse to enforce them when they are seen as overly broad, unreasonable or (probably rare in the investment fund industry given the scale of typical compensation packages) unconscionable.  

Failure to follow the basic principles may make it more difficult (read expensive) to enforce these covenants or may make them completely unenforceable.  In fact, the latter is what happened in this case, where on a motion to dismiss the plaintiff (former employer) was ordered to re-plead one of its claims for the sin of seeking to enforce an overly broad non-solicitation clause related to the employer’s clients. 

So the lessons of this case for the investment fund industry employers can be summed up as follows:

  1. Geographic limitations not crucial in the context of investment management industry.   These are not terribly relevant for the alternative investments industry, which is spread widely across the major financial centers of the globe.    Most of the successful challenges to these have to do with the duration (the 1 year term here was not viewed by this court as excessive) and with the scope (apparently the nature of the hedge fund research services offered by the former employer here was sufficiently specialized not to cause offence).
  2. Scope of non-solicitation limited to clients directly known to ex-employee.  With respect to the language of the non-solicitation clause the judge held that the clause must be limited to those clients of the former employer with whom the defendant ex-employee had some contact in his prior job.  While we do not advise to limit non-solicitation clauses so that they only prohibit solicitation of those clients with whom the employee has had a business relationship in every instance, the given employee’s direct exposure to the employer’s clients and the nature of the client list should be consider.  In this case, the judge noted that the ex-employee never had much of an exposure to many of his former employer’s clients.  The judge also stated that the restriction as drafted would effectively prevent the ex-employee from soliciting any of the hedge funds for the fear of unwittingly violating this clause.  On the other hand, the court found the defendant ex-employee’s effort to induce another employee of the plaintiff employer to leave and go work at his new employer a clear violation of the non-solicitation clause. 
  3. Broad confidentiality language subject to scrutiny.  While the benefit of a well-drafted confidentiality clause is clear in this context the plaintiff employer did face a challenge from the ex-employee (and the court) related to the over-broad language of the NDA in question.  This issue comes up quite often in our practice when we try to convince our (employer) clients to be reasonable when it comes to the scope of what constitutes confidential information to be protected against disclosure and/or misuse by their employees.  The simple reason for being cautious here is that when it comes to matching facts of the case to the contractual obligation you don’t want to be arguing that just because everything you deem confidential deserves to be protected b.  For example, while the judge here allowed the claim based on the confidentiality clause to proceed, the court spoke derisively of the extent of protection afforded to client lists when a business’s customers can be easily determined.  Proprietary software, on the other hand, was easily classifiable as a trade secret and deserving of legal protection.    

The reason for the additional scrutiny given to these restrictive covenants is that in ruling on these claims a variety of equitable considerations come into play.   The key to a smooth and cost-efficient enforcement lies in customizing these clauses to the specific circumstances of each employer’s business and each employee’s position.  Using a balanced approach in drafting restrictive covenants serves to deprive former employees of the ability to challenge their validity as a tactic to delaying or avoiding enforcement.  This is one situation where employers should not be using “one size fits all” standard form agreements.  As counsel to both employers and employees in the private fund industry we regularly negotiate restrictive covenants in the employment context and review them for potential employers considering a hire subject to these restrictions.  After all, given the entrepreneurial spirit in this industry, employees of the yesteryear often become future employers and so the cycle of relying on the enforceability of restrictive covenants to protect one’s business continues.

Beyond Confidentiality: the private equity bidders’ experience with Yahoo!

A lesson from the recently reported Yahoo! sale process: carefully review and negotiate your NDAs!  As Yahoo! illustrates, confidentiality agreements can reach well beyond mere confidentiality and can affect not only the process but the potential outcome of a sale.

Confidentiality agreements, as we all know, are the life blood of private equity and, generally, M&A transactions.  In a typical NDA, the recipient agrees to keep information confidential and to limit its use to the transaction under consideration.  However, not infrequently, the disclosing party will include additional restrictions on the recipient which go well beyond confidentiality.  Common examples include non-circumvention (e.g., with respect to a particular target or subject), non-solicitation of employees, and no contact with the acquisition target (or borrower, if the transaction involves debt) as well as its customers, suppliers, vendors, etc.

These restrictive provisions are designed to protect the legitimate business interests of the target company by preventing, for instance, damaging rumors and employee and customer defections.  They may also serve to protect the interests of the broker or introducing party with respect to a particular opportunity. Occasionally, however, the disclosing party may seek to include in the NDA a provision which is primarily designed to influence the sale process.  As has been widely reported, Yahoo! included just such a provision—no “cross talk” as it has been described—into the NDAs circulated to potential private equity bidders.  

As reported, this no cross-talk provision precludes the potential bidders from speaking to each other regarding the potential transaction (presumably, whether or not confidential information is disclosed in the course of such conversations).  What is Yahoo!’s possible motivation for including such a provision in the NDA?  It is, almost certainly, a business consideration – the desire to influence the bidding process and, indeed, the likely outcome of the sale.  Given Yahoo!’s market capitalization of $20 billion, if the bidders are not able to discuss potential co-investment agreements, it makes it much less likely that any private equity bidder would be able to make an offer for 100% of the equity.  Not surprisingly, many potential private equity bidders balked at this restriction.  The one private equity sponsor who has reportedly agreed to this restriction in the NDA is TPG Capital which, as reported, is specifically interested in a minority stake.

From our perspective, as buy-side counsel, we strongly encourage our private equity and hedge fund clients to review and negotiate all NDAs, whether in M&A, private equity, distressed debt, real estate or other contexts.  As this case amply illustrates, the restrictions contained in many confidentiality agreements go well beyond confidentiality and may significantly impact one’s ability to evaluate and consummate a potential transaction (and, indeed, influence what kind of transaction or bidder is likely to succeed).