February 6, 2018

Fall from Grace: How Bad Cybersecurity Controls Led to a Data Breach and Almost $1M in Fines

by: John Araneo


Photo Credit: © panandrii - stock.adobe.com

On December 5th, 2017, the Securities and Exchange Commission fined two fund managers for sharing confidential and proprietary information relating to investment analysis and actual investment decisions. Ratan Capital Management was found to have improperly received proprietary and confidential information from Brahman Capital, consisting of confidential analysis and investment determinations generated by Brahman. The information constituted the intellectual property of Brahman and was designed solely to benefit Brahman’s fund and its investors. However, an employee at Brahman shared the information with a principal at Ratan Capital Management: his wife.

The SEC fined all parties involved—including the receiving fund, the disclosing fund and the two individuals—for an aggregate amount of approximately $900,000 in penalties and fines. The real damage here, however, will be reputational: the receiving fund, Ratan, was a high-profile, successful fund that was funded by the iconic Julian Robertson (Robertson pulled all his money from the firm in 2016 following a disastrous plunge from a bad wager). This is one Tiger Cub that will now run alone.

The lesson here is that fund managers must take note of their legal and fiduciary obligations to protect important data. Highlighting the misperception that cybersecurity and data protections involve only client information, the SEC has made clear that a fund’s “crown jewel data” must also be afforded the same protections. The essence of this position is that protection of trade secrets and proprietary information (i.e. a fund’s unique attributes and/or its competitive advantage) are part of the benefit of the bargain that each investor receives from investing in that fund, its investment strategy and its manager. Safeguarding all confidential data, proprietary information and other value to investors goes beyond gains and profits: a fund manager’s unique investment analysis and decisions must similarly be protected.

So how is this a cybersecurity breakdown? Although a robust cybersecurity program may not have prevented the offending married couple from sharing secrets at the dining room table, it would have required the funds to identify, prioritize and catalogue all their critical data pools, such as client information, trading information, investment analysis, etc. The SEC requires fund managers to have a discernible cybersecurity program that contemplates—as an initial step—an exercise in identifying and prioritizing all their critical data. This includes not just client information (whether stored locally or placed with the fund’s administrator, attorneys or other service providers) but also other confidential and proprietary information such as investment analysis, employee compensation, financial information and certain operational data. Once the entire universe of data has been identified and prioritized, technological and operational controls can then be deployed to protect this information.

In this case, if the information had been correctly stored, protected and monitored, the individuals removing the information might have thought twice. More importantly, the disclosing fund could have been notified each time the data was accessed, printed or transferred out. Identifying bad actors can be tricky, but the right safeguards can prevent security breaches (and hefty fines) before they happen. Lesson learned.

Preventing breakdowns in data security takes careful planning; one misstep can cost hundreds of thousands of dollars. The first step in due diligence is an informed plan built with a trusted advisory partner. Align Cybersecurity provides over three decades of IT industry expertise with comprehensive knowledge of the evolving legal framework surrounding data protection. Don't wait until it's too late; make your plan today.

John Araneo is the Managing Director of Align Cybersecurity and also serves as the General Counsel of Align. John also remains a practicing attorney in the investment management space, has launched countless private investment vehicles and counsels his clients on the routine legal, operational and compliance matters facing private funds.

Having followed the regulatory initiative on cybersecurity in the investment management space since its inception, John is an established author, cybersecurity expert and well-known thought leader on the legal, regulatory and governance issues related to cybersecurity.
