After the Securities and Exchange Commission (SEC) last week proposed new cybersecurity rules to oversee how alternative investments or private capital firms manage risk, industry experts are generally nodding in agreement with the move.
Under the leadership of SEC Chair Gary Gensler, the commission voted on Feb. 9 to propose a new set of rules aimed at registered investment companies, registered investment advisers, and business development companies or funds. The rules would require concrete cybersecurity policies and procedures, essentially bringing this segment of the financial industry more in line with other areas. They would also require advisers to report to the SEC cybersecurity incidents that affect themselves, the firm or fund, or their clients.
"Cyber risk relates to each part of the SEC’s three-part mission, and in particular to our goals of protecting investors and maintaining orderly markets," Gensler said in a news release. "The proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks."
Specifically, the suggested SEC compliance would require: investment advisers and funds to adopt and implement written cybersecurity policies and procedures for cybersecurity risks and incidents; related record-keeping for advisers and funds, as well as confidential reporting to the SEC in the case of certain cybersecurity incidents; and disclosure by advisers on marketing materials and registration statements about particular incidents.
Padraic O’Reilly, co-founder and chief product officer for CyberSaint Security, a risk management and compliance company, pointed out that most private equity and investment firms should be on board with this new proposed compliance. However, given that these added “cyber requirements for these [firms] have not been terribly stringent to date,” this still represents a significant change — although not “too burdensome either” based on the language in the announcement.
“This is a very reasonable announcement with respect to cyber hygiene in the PE [private equity] space,” O’Reilly said. “Generally, PE and investment firms are already bought in on cyber. It is a major component of merger and acquisition activities and the big consultancies are often brought in to evaluate the cyber posture of potential acquisitions.”
On the other hand, some industry insiders see this as a huge shift for private equity firms and advisers, who have largely been left to the honor system when it comes to managing and mitigating cybersecurity risk and reporting incidents up until recently.
“The alternative investment world has not operated under [cybersecurity] rules so much as guidance,” said Terry Mason, director of HKA, a consultancy for regulatory issues in this area, adding that he was “surprised” there had not been more defined rules around cyber-compliance and reporting until now. “Now, it seems there will be enforcement and transparency... which is reasonable.”
There is no doubt that financial firms in general are committing an increasing share of their budgets to breach mitigation, cyber-education and reporting demands, but according to a March 2020 study on cyber resilience by McKinsey & Co., 58% of financial institution executives admit that they are “underspending” on their IT security efforts.
Private equity and investment firms have been “traditionally less rigorous when it comes to security, because they are more focused on turning a profit,” according to Yossi Barkalifa, chief information security officer for Laika, a compliance and IT security company backed by JP Morgan and PayPal. However, that outlook needs to change, he said.
“Businesses in this sector should look at cyber risk as a serious threat to their business, and make risk-based decisions from a cybersecurity perspective as well as a financial perspective,” Barkalifa said. “Cybersecurity is pervasive throughout any company that stores or transmits sensitive information.”
Private equity and investment firms are no exception, Barkalifa added. “And any breach can result in negative return on investment, millions of dollars lost and compromised identities.”
O’Reilly predicts there will not be “a great deal of pushback on the general need for cyber requirements at the level of the firm, but there will likely be some haggling in the comments period over what it means to report a cyber incident and the timelines involved, [which] has been a bone of contention for other financial sectors.”