CYBER SECURITY BECOMES A FOCUS FOR FINANCIAL REGULATORS: Contracts with Vendors and Service Providers Under Scrutiny



Frenkel Sukhman LLP

May 1, 2015

Investment funds, broker/dealers, and other financial service companies face serious cyber security threats to the safety of their confidential and proprietary information and, indirectly, even more dramatic threats to their operations, both from within their organizations and from the outside.   While preparing to combat these threats is a good business practice in itself, such companies should pay heed to the fact that regulators have begun to address their obligations in data protection, making institutional information security preparedness a discrete compliance and potentially legal issue.  Following last year’s well-publicized cyberattacks on JPMorgan and other banks, the regulatory interest in strengthening protection against cyber criminals has received a new impetus, from the U.S. Treasury Department down to state financial regulators.

The Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a National Exam Program Risk Alert (“Risk Alert”) on February 3, 2015, providing observations derived from the sweep examinations in 2014 of over 100 registered broker-dealers and investment advisers that were undertaken to assess their cybersecurity practices and preparedness. The Risk Alert does not provide substantive requirements in the subject of cyber security preparedness. However, it signals that cybersecurity is one of OCIE’s top 2015 exam priorities, and that all SEC registrants will want to review their preparedness for a cyber exam.  As part of its cyber sweep initiative OCIE staff tested the level of preparedness of the examined firms by reviewing certain practices and procedures. These included written information security policies and procedures, periodic audits to assess compliance, risk assessments, mapping technology resources, encryption and password techniques and cybersecurity insurance.

It is noteworthy that most registrants reported cyber attacks (majority of which arose from malware and fraudulent e-mails) directly or through one or more vendors. Although most registrants’ policies require cybersecurity risk assessments of vendors with access to their proprietary information and operations, only some have such requirements for vendors. Even fewer (24%) investment advisers do so according to the OCIE initiative’s findings.   The inclusion of certain questions in OCIE examinations regarding contracts with vendors and business partners and requests for the description of contractual information security requirements and sample copies seem to indicate that the SEC encourages its registrants to take a more active position in negotiating stronger contractual protection in dealings with IT service firms and other vendors who have access to their networks and data. The odds are that many firms will experience one or more instances of unauthorized access to their computer systems and that their data and/or operations will be compromised as a result.

Financial Industry Regulatory Authority (FINRA) published a detailed report, “Report on Cybersecurity Practices” on the same date as the SEC, identifying effective practices for dealing with cybersecurity threats by its members, a result of its own targeted examinations and initiatives.  The FINRA report focuses on third-party vendor risks as well and calls for efforts to closely research and evaluate third-party vendors, preferably before they are engaged and periodically thereafter. Member firms are requested to review due diligence procedures for selecting vendors, and procedures to approve and monitor vendor access to firm networks, customer data and other sensitive information. As part of the due diligence review, copies of the vendors’ written information security plans and certifications of compliance with applicable standards should be obtained. Vendor contracts should be reviewed for inclusion of appropriate terms on security measures, including incident response notification procedures and cyber insurance coverage.

In May 2014, the New York State Department of Financial Services (“NYSDFS”) published a report titled “Report on Cyber Security in the Banking Sector” that described the findings of its survey of more than 150 banking organizations and isolated the industry’s reliance on third-party service providers for critical banking functions as a continuing challenge. NYSDFS has announced that it will be scrutinizing cyber-security as an integral part of its bank examinations, and is asking banks to prepare responses to a specific set of questions and information-requests on their security practices and procedures for purposes of the examinations.  NYSDFS is also considering cyber security requirements for financial institutions that would specifically apply to their relationships with third-party service providers.

While the Risk Alert should not be viewed as a summary of industry norms or best practices for the SEC registrants, it is a useful document that provides a glimpse into the regulator’s mindset.  Given that cybersecurity is one of OCIE’s top 2015 exam priorities for all SEC registrants regardless of their form, investment advisers as well as broker/dealers should review their preparedness for a cyber exam and make such improvements as may be needed on the basis of the review. One of the key areas for such improvements is contractual relationships with its key vendors and third party IT service, data and other technical or content providers.  Upgrading the firms’ contractual protection may take a significant amount of time and effort as it is likely to require negotiation with several third parties whose counsel may not be aware of the new regulatory attention bestowed on cyber security and the need to assume at least some of the responsibility for the improvements.  Different types of contracts will require different amendments depending on the nature of services, the service provider’s access to the client’s data, computer systems and operations, and other factors.

Along with internal preparedness for cyber attacks, bolstering the financial institution’s legal position vis-à-vis third party service providers is one of the principal tools in fending off potential civil litigation, regulatory inquiries and administrative enforcement action and protecting against resulting financial and reputational harm.  The results of the OCIE study show that 88% of the broker-dealers and 74% of investment advisers surveyed have already been victims of some form of a cyber attack so both the risk to financial institutions’ information security and the risk of attendant legal and regulatory repercussions are very real.


Frenkel Sukhman LLP advises its fund and other clients in the financial services and other industries on cyber security issues and helps them to minimize regulatory and legal exposure from cyber security threats with its attorneys drafting, reviewing and negotiating service, outsourcing, licensing and other agreements on the regular basis.

New Reporting Requirements for Newly-Registered and Exempt Investment Advisers

As a result of the implementation of new registration requirements adopted by the U.S. Securities and Exchange Commission (SEC) implementing certain provisions of The Private Fund Investment Advisers Registration Act of 2010 (“Title IV”) of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Act”), some 3,000 advisers were required to register with the SEC in early 2012.  Those of these newly registered investment advisers are now subject to a wide range of reporting obligations, including on Form PF, the rules (the “Rules”) for which were newly adopted by the SEC in late 2011 to help monitor systemic risk in the U.S. financial system.  The Rules, however, apply not only to those financial institutions that are “too big to fail” but also to much smaller private fund advisors which have never been subject to SEC registration or this level of regulatory oversight and which now have to provide much greater disclosure to the regulators.  Moreover, the new private fund adviser exemption under the Rules, while exempting some advisers from registration with the SEC (often at the cost of state registration), no longer completely frees such exempt advisers, regardless of the size of their AUM, from reporting requirements, preventing them from “flying under the radar” as far as public disclosure of their investment operations is concerned.

The key innovation and, for many, a serious hurdle, in the new reporting requirements for all SEC-registered investment advisers is Form PF.  With respect to newly registered advisers, many of which managed relatively small funds, in particular, the Rules will require so-called “smaller” investment advisers (managing between $150 million and $1.5 billion in AUM) to report extensive information to the SEC on Form PF about the private funds they advise.  Form PF is designed to supplement Form ADV, which was also revised in 2011 to include substantial information about private funds advised by reporting advisers.  Although Form PF has been significantly streamlined from the original version as it appeared in the SEC Proposing Release,  it continues to represent an arduous task for smaller advisers without organizational resources to manage the new reporting process.

The information requested on Form PF is quite detailed and extensive and may require advisers to alter their compliance policies and procedures and, possibly, even to revise their recordkeeping systems.  It calls for disclosure about the management company, the assets under management and fund performance.  As adopted, however, Form PF generally permits advisers to rely on existing systems to provide information, a notable difference compared to the requirements proposed earlier.  In particular, Form PF removed the proposed requirement that submitting officials of the adviser certify, under penalty of perjury, the information contained therein.  An adviser is not required to update information that was provided in good faith at the time of submitting Form PF even if such information was subsequently revised for recordkeeping, risk management, or investor reporting purposes.  Although reporting advisers may only have to submit Form PF to the SEC on a quarterly or annual basis, much of the required information may need to be gathered monthly.

Smaller advisers are only required to complete Section 1 of Form PF, which calls for the provision of general identifying information, assets under management, size, leverage and performance information for each private fund and also basic information on hedge funds. Advisers must also provide information about related persons and their large trader identification numbers. With respect to each private fund, advisers must provide gross and net assets, derivative positions, borrowings, concentration of equity holders, investments in private funds and parallel managed accounts, performance information (with the same frequency with which the advisers already calculate performance), beneficial ownership, assets and liabilities, investment strategies (including use of high-frequency strategies) and counterparty exposures.  Although information submitted on Form PF is nonpublic and not subject to Freedom of Information Act requests, it is not completely confidential.  The SEC may use the information in enforcement actions and it may be accessed by various federal departments and agencies.

Advisers potentially subject to Form PF reporting have some time to review their structures and determine their status and subsequent reporting requirements (advisers to smaller funds with less than $1.5 billion in assets will make the first Form PF filings on April 30, 2013 assuming calendar fiscal year).  Nonetheless, because of the substantial reporting requirements, advisers should begin reviewing Form PF now to ensure that their internal systems are appropriately designed to capture necessary information before their applicable deadline looms close.  The advisers solely to private funds with less than $150 million in AUM, venture capital funds and family offices, among others, will not be required to file Form PF, provided that such advisers satisfy the definitional requirements under the Rules.  

Advisers to funds that qualify as venture capital funds under the definition contained in Rule 203(I)-1, and are therefore excluded from the definition of “investment adviser,” do not have any obligations to file Form PF.  Qualifying for this exemption has been made somewhat easier in the Rules as compared with the original SEC proposal largely due to the use of a 20% basket for non-qualifying investments and abandoned requirement for management involvement in portfolio companies.  Still, venture capital fund advisers would need to determine whether the funds they manage meet the new requirements under the Rules or under the grandfathering provisions of the Rules.  Similarly, advisers that qualify as “family offices” under Section 202(a)(11)(G) and the recently adopted Rule 202(a)(11)(G)-1 do not have any obligations with respect to Form PF.  Although not every “family office” would automatically qualify under this rule, advisers should carefully consider its requirements and, if necessary, take steps to alter their structure or operations to qualify for the Section 202(a)(11)(G) exception or for other Section 202(a)(11) exceptions in order to avoid Form PF filing obligations.  Foreign SEC-registered advisers with minimal U.S. assets under management may be able to reorganize those U.S. assets into a separate fund that is offered only to U.S. investors, which could avoid Form PF filing requirements (if it has less than $150 million of U.S. assets under management) regardless of the total AUM of such advisers.

It should be noted that, apart from Form PF, the SEC has imposed certain reporting requirements applicable even to the investment advisers exempt from registration under the Rules, such as those advisers with less than $25 million in AUM.  For example, exempt advisers, must comply with the reporting requirements by filing reports with the SEC through completing specific items on Part IA of Form ADV (but not Part II) and filing amendments to Form ADV.   These reports are publicly available on the SEC website.  The value of assets under management is to be calculated by reference to Form ADV and is generally equal to the fair market value of the assets of the qualifying private funds, plus the amount of uncalled capital commitments.  In a change from the quarterly calculation originally proposed, advisers are required to determine the value of assets that they manage on an annual basis.  Recordkeeping obligations of exempt investment advisers are yet to be specifically addressed by the SEC.