Cybersecurity is a headache for private debt funds, and by extension for their administrators who often shoulder much of the cybersecurity burden, because of a perfect, though unenviable, combination of circumstances. Fund managers hold sensitive data; client expectations for the security of that data are high; many are small so they have limited human and financial resources to cope with the cybersecurity challenge.
Valerie Abend, managing director for advisory Accenture’s North America financial services security practice in Arlington, Virginia, summarises their predicament evocatively: “Financial services companies are obviously a little bit different from the rest of the world because it’s one thing to compromise the peanut seller down the street, and another thing to compromise a company that has a fiduciary responsibility on behalf of its clients to provide a level of assurance and expectation.”
Whereas a bank holding deposits for millions of customers will have hundreds of millions of dollars to spend on cybersecurity, even a moderately large debt fund may have just 50 people – and many are much smaller than that. If debt fund managers and their administrators were not worrying about this a few years ago, they are now, though they are generally reluctant to talk about this sensitive issue: several managers and administrators we contacted declined to comment for this piece.
The increase in concern is partly due to a string of well publicised cybersecurity breaches covered by the media. It also reflects an increased emphasis coming from regulators. The two trends coalesced when, in 2016, the financial media reported widely on the announcement by the Securities and Exchange Commission that Morgan Stanley had agreed to pay a $1 million fine for its failure to adopt written policies and procedures to protect customer data.
In 2014, senior executives at debt fund managers and other financial services companies began to take cybersecurity more seriously when the SEC issued a cybersecurity Risk Alert. “This was really the first time that the SEC came out with something strong and clear about cybersecurity,” says Kristen Mathews, partner and specialist in cybersecurity at New York-based law firm Proskauer. This, and other guidance documents since then, make clear that financial services firms must have a formal cybersecurity programme, with someone responsible for evaluating what the firm is doing to prevent cybersecurity incidents.
Firms must also benchmark their programme against the industry standard, adds Mathews. For example, the current industry standard is that emails should be encrypted if they contain sensitive information, so fund managers need to do this.
These directives from the SEC add up to no mere empty declaration, says Josh Newville, a fellow partner at Proskauer and expert in securities regulation, enforcement and litigation.
“Since 2014 we have seen the SEC going in and asking registered advisors for copies of their cybersecurity policies,” he says. Newville adds that the SEC aims to cover 10 percent of registered advisers each year, through various types of examination.
The new emphasis on cybersecurity has a parallel across the Atlantic. The European General Data Protection Regulation, an EU directive that comes into force in May 2018, rules that where a company suffers a serious breach of data, it must tell the regulator and any individuals involved within 72 hours or risk a maximum fine of €20 million or 4 percent of global turnover – whichever is greater.
Not only does it have to tell the regulator; it must also disclose the data taken, how sensitive this is, and the volumes involved. “This is very difficult to do if you’re talking about a large amount of data,” says David McIlwaine, partner and specialist in IT law at London-based law firm Pinsent Masons. “You really have to get on top of what data is involved extremely quickly.”
However: “You need to treat this as a significant crisis and get the right team – lawyers, IT forensics, crisis managers and possibly HR, etc – to deal with things very quickly.”
McIlwaine agrees with the suggestion that dealing with this kind of breach is harder for smaller fund managers, because of the lack of resources. “The size of the organisation does play a part in how you approach it,” he says. “Some fund managers obviously are quite small but have to be incredibly careful because of the data they hold – particularly data on transactions.” He adds, ominously: “You see how they are targets: they may be less sophisticated in terms of technology, but if someone were to break through, the richness of that data is quite significant.”
Experts agree the solution for smaller fund managers lies at least to a degree in outside help. “For the smaller institutions it probably makes sense to outsource parts of their security infrastructure, whether that’s protection, detection, or even response and recovery,” says Vikram Bhat, principal and strategy and governance services leader at Deloitte Risk and Financial Advisory in Parsippany, New Jersey. For a manager with 50 people, its small team of IT generalists is not enough. “This is a specialised space so they should tap into a specialised skill set,” says Bhat, though generalists can put in some basic controls on their own.
Fund managers can also protect themselves to an extent through cybersecurity insurance, which can be bought from both specialists and general insurers. When it comes to this, Mathews of Proskauer says that the devil is in the detail.
“If you read the policies really carefully and have experience in this area you can find the gaps and fix them during the underwriting process,” she says.
This often involves definitions. Mathews quotes the example of terrorism, which is excluded from many policies. A fund manager might tussle with the insurer over whether hacks by state actors should be excluded under the definition of terrorism or not.
Similar negotiations are crucial to getting the best deal possible from third-party administrators, who may not give clients uncapped liabilities on data breaches, says Mathews. “They may say, ‘We will take the following measures to protect your data, and if we fail to do this we will cover you up to X amount.’”
This may all sound intimidating for fund managers. However, “we’ve handled a lot of data breaches over the years for investment firms and I don’t think it led to a lot of loss of investors”, says Mathews.
“Institutional investors put a lot of heat on the firm, asking a lot of questions such as, ‘How could you let this happen, how can you prevent it happening again?’”
However, “institutional investors face their own cybersecurity issues, and this has an impact on how they respond when a problem happens to somebody else”.
As an example, experts say institutional investors are often understanding, though still far from overjoyed, when a disgruntled employee leaks information. Abend of Accenture says the chances of this can be minimised through a “risk-based approach”, which monitors those people more likely than others to do this. “People make changes to businesses: people may be let go and people will have job changes,” she says. “So there are important moments when you do have to monitor people.”