The following article originally appeared in FundFire and was written by Lydia Tomkiw.
The Securities and Exchange Commission (SEC) has launched an exam sweep focusing on electronic messaging as part of its increased scrutiny of cybersecurity, forcing hedge funds to examine their policies and procedures, as well as how they train their employees on the use of such applications, industry watchers say.
The new sweep focuses on managers’ use of electronic messaging, including third-party applications such as WhatsApp; compliance policies and procedures regarding such use; recordkeeping; and data security. Letters sent from the SEC’s Office of Compliance Inspections and Examinations are targeting hedge fund managers and other asset management firms, according to sources familiar with the matter.
As new technology continues to roll out, the financial industry needs to apply SEC recordkeeping rules to evolving communications mediums, says David Dickstein, a partner at Katten Muchin Rosenman.
“This is a logical step forward. It makes sense [SEC examiners] are interested in this now as the technology has become more prevalent,” Dickstein says.
A spokesperson for the SEC declined to comment. But the SEC has zeroed in on cybersecurity in recent years, wrapping up its second initiative in the area in recent weeks, finding that asset managers have improved preparations for cyber intrusions but that many have still failed to test key systems or adequately train staff, as reported.
With communications technology changing at a rapid pace, and options such as more accessible encryption or messages that automatically delete once viewed now readily available, firms are faced with fluid situations, says Vinod Paul, COO of Align Cybersecurity. Scenarios include employees sending an email, which will be logged and archived, describing one activity and then communicating over an app and doing the opposite, he says.
“It all goes back to the human firewall and educating your employees… that they can’t conduct any business unless it’s on an approved messaging system,” he says.
Following big insider trading cases in recent years and the possibility of fraud or false representations being committed over electronic communications, regulators could zero in on these issues at hedge funds, sources say.
The hedge fund industry is still seeing wide-ranging levels of institutionalization of operations across firms, but some are still catching up and might not have all the resources needed to ensure proper monitoring, says David Vaughan, a partner at Dechert focused on investment management. Hedge funds should look at their policies and procedures around communication and conduct annual reviews, he says.
“The days of just using email are probably numbered, if not already over, and people just have to find a way to police it and archive it,” Vaughan says.
Firms need to think about their policies regarding the use of personal email and devices and how far they are willing to go to ensure a reasonable level of compliance, he adds.
“The most useful thing for most clients is training. Get everybody in a room, try to focus them… and say, ‘You shouldn’t be doing XYZ. You shouldn’t be using WhatsApp or other apps that aren’t approved,’” Vaughan says.
To comply with rules, firms should be keeping records for at least five years from the time the record was altered, says Danielle Joseph, a director at ACA Compliance Group and former SEC compliance examiner. While many firms have policies in place, they are also having discussions about enhancing them and exploring with vendors what information can be archived from different applications, she says.
“We continue to recommend if something can’t be archived you shouldn’t be conducting business over it,” she says.
Regulators will immediately be curious if in the course of a review they see an email saying ‘Check WhatsApp.’ “It makes me suspicious. I think it’s important to tell staff when you do something like that even if you’re acting innocently… it would make an SEC examiner think twice,” she says.
Focusing on third-party messaging applications is the continuation of a long line of areas the SEC has looked at over the years including fax logs, says Ernest Badway, a litigation attorney who is co-chair of Fox Rothschild’s securities industry practice.
“I don’t think it’s earth-shattering,” he says. “I always say everything is fair game and they are going to ask for it – not just the typical stuff but other stuff you don’t think is covered.”
One area firms will have to focus on is what happens when they catch employees – through random checks or other means – violating their electronic communications policies, Badway says. “People [use third-party apps] all the time, but the question is if they get caught what happens to them?”
Following a sweep, many scenarios could play out, from enforcement cases to the SEC issuing a report and providing guidance to the industry, Vaughan says.
Hedge funds should be prepared for scrutiny over electronic communications to continue for the foreseeable future, Joseph says.
“This isn’t going away any time soon,” she says of the SEC’s focus on cyber issues. “Regulators have taken notice… Establishing strong controls will be helpful in mitigating any risks and meeting the expectations of the regulators.”