The cybersecurity of hedge fund data is now a front-burner issue for many firms. In the wake of recent NSA leaks, privacy breaches and hacking scandals, both the regulators and the firms themselves have moved this up in the list of concerns. Issues relate both to the integrity of internal hedge fund data and to data being reported outside of the organization itself.
In April 2014, the SEC’s Office of Compliance Inspections and Examinations announced in a Risk Alert that it would conduct a sweep exam of broker-dealers and registered investment advisers on the topic of cybersecurity, with the stated goal of ensuring the integrity of the markets and protection of customer data. The Risk Alert contained a detailed list of possible areas of focus, including:
This SEC sweep announcement was prepared following a Cybersecurity Roundtable held in March 2014. With speaker panels containing representatives of major industry participants, the Roundtable focused primarily on how industry participants can work with government to establish better cybersecurity protocols within their own companies. There was lots of talk about “castles and moats”, “cyber 911’s”, “ring-fencing” and “cyber hygiene”, but little discussion of the hedge fund industry specifically.
In addition, the CFTC released similar guidance in March, with the issuance of principles related to protection of customer information.
In the final analysis, the typical hedge fund cybersecurity program will likely look a lot different than that of a broker-dealer or even a very large asset manager. This is because a large portion of a group’s data (whether trading-related or investor-related) may actually reside with trading partners or fund administrators. In addition, a large number of hedge funds, particularly the smaller fund groups, rely on outside IT providers, rather than employees, adding an additional layer of complexity to the establishment of a cybersecurity program.
In a related area, hedge funds are currently, or soon will be, reporting a tremendous amount of data into government agencies. Examples include:
As an example of the extent of data being collected, in a July 2013 report to Congress, the SEC reported that by May 2013, it had collected Form PF data on 6,683 hedge funds with over $4 trillion in regulatory assets under management. Approximately 4,000 hedge fund advisers are now registered with the SEC, providing Form ADV information. The ADV and Form PF data is reported into the SEC using FINRA’s IARD system.
In the EU, beginning in 2015, non-EU funds that are going to be marketed into the EU will have to provide Annex IV reporting to the relevant EU member state, which involves reporting of data similar to the Form PF, but in some cases will be more extensive. These reports are currently slated to be submitted primarily by email, although an encryption function may be available, and more direct reporting systems may be implemented in the future.
In the US, government efforts have ramped up to address cybersecurity, including the public/private National Cyber Investigative Joint Task Force and implementation of the National Institute of Standards and Technology (NIST) security framework pursuant to a 2013 Executive Order. To the best of our knowledge, there have been no reports of any breaches of the US systems collecting hedge fund data.
Read more articles about the hedge fund industry and related legal issues at Hedge Rows, a blog by Judith Gross.