The alternative investment industry is always innovating to help broker-dealers, transfer agents, investment companies, and Registered Investment Advisors keep up with important regulatory changes. The US Securities and Exchange Commission's (SEC) recently announced enhancements to Regulation S-P are another layer of ongoing regulatory change impacting how financial institutions handle customer data. To navigate the complexities, Align has gathered a group of esteemed industry experts to react to these enhancements to Regulation S-P.
Together we will explore the impact on our industry from various viewpoints – the challenges and opportunities it presents – and even consider Regulation S-P’s potential long-term implications.
We invite you to read Align Insights Article: Industry Leaders Discuss Final Rules – Enhancements to Regulation S-P.
This shift highlights the authorities’ growing recognition of the critical importance of timely communication and transparency in maintaining trust and mitigating the impact of potential data breaches. By holding companies to higher standards of accountability and preparedness, these amendments aim to enhance the overall resilience of the financial sector against cyber threats.
From a practical standpoint, the adopted amendments will require broker-dealers, investment advisers, and investment companies to:
Furthermore, the new requirements are not just another set of rules to follow but a supportive measure that aligns well with the broader trend among regulatory bodies toward proactive risk management and governance. The emphasis on regular assessments and updates to security measures ensures that financial institutions are continuously adapting to the latest threats and vulnerabilities. This proactive stance is crucial in an environment where cyber threats constantly evolve and become more sophisticated.
These amendments represent a significant step forward in fortifying the cybersecurity posture of financial institutions. They underscore the importance of robust incident response strategies and highlight the necessity for ongoing vigilance and adaptability in the face of emerging cyber risks.
While a similar rule was proposed for private fund advisers, a final rule has not yet been adopted. Perhaps tired of industry pushback against “new rules”, the SEC recently issued amendments to Regulation S-P (“Reg S-P”), broadening its scope for covered entities (which includes alternative investment advisers, whether or not registered with the SEC). The amended rules require notification to individuals whose “sensitive” customer information was accessed without authorization, “unless” it is not “reasonably likely” to be used in a manner resulting in “substantial harm or inconvenience”. The amended rules also extend to service provider data security breaches involving sensitive client information, expanding a manager’s oversight responsibilities.
Beyond written policies and procedures, vulnerability assessments, etc., this expanded scope of Reg S-P pushes governance to the forefront. Managers should proactively be engaging in conversations with independent directors, counsel, and service providers having relevant expertise, as well as top tier insurance carriers offering transcripted cyber-coverage. With such subjective criteria, managers’ ability to make timely decisions around required investor and regulatory disclosures becomes paramount. Decisions made prior to completion of forensic examinations will be reviewed by regulators, with the benefit of hindsight.
Fund managers understand the need to protect consumers' nonpublic personal information; however, they express concerns about the increased costs and operational burdens associated with the enhancements to Regulation S-P. I can’t think of one client who doesn’t support a commitment to strong data security and investor privacy. With increasingly frequent and complex attacks targeting financial services firms, and per Regulation S-P, fund managers must develop written policies and procedures to protect investor information and create a comprehensive plan to manage data breaches. We are encouraging our clients to discuss the implementation of Regulation S-P with our Cybersecurity, Technology Risk, and Privacy team or their relevant service providers.
The SEC’s inclusion of service provider due diligence requirements in the amendments is another sign of their continued interest in service provider due diligence and an indication that we should expect strong requirements around service provider management in the finalized versions of the proposed cybersecurity rule and the proposed outsourcing rule. Service provider due diligence expectations are not only here to stay, but they are only going to get more stringent.
On the technical side, we anticipate increased adoption of data discovery, file permissions and access auditing tools. Restricting sensitive data access to necessary employees limits potential exposure, and robust audit logs are critical in preventing over-disclosure in an environment where the SEC squarely puts the burden of proof on the Adviser.
The headline news is that RIAs, BDs, and mutual funds must immediately (i.e. within 30 days) notify affected customers if a breach occurs. Notice must be provided in a manner reasonably expected to be received (e.g. email or snail mail if required). The Rule details the content requirements including information about the breach, who to contact, and what to do. This new federal notification requirement supplements already-existing state-by-state notification requirements.
This new federal notification requirement sounds good, but what does it really accomplish? RIAs, BDs and funds have been sending breach notices to customers for years, as required by many state laws. Consumers already have alert fatigue. Most firms already want to avoid data breaches for many reasons including asset protection, data integrity, reputation, and the state notice requirements. Will this new notice requirement wake up some subset of firms who have weak data protection and will now be scared into better behavior because of a federal notification requirement? Maybe.
I don’t think this revised Regulation S-P will fundamentally change how diligently firms will act to protect personal financial information. I don’t think it will change the behavior of customers receiving the notices. However, it does add work for the compliance officers charged with implementing the new rule. It also gives the SEC another rule to use during exams and enforcement cases.
For the most part, broker-dealers, investment companies and RIAs are aware that knowing where their data is, who has access to it and that they have the ability to report on it post-breach is a basic and fundamental component of SEC compliance. What's different with these amendments is the implications for firms who may not have best practices in place to support those functions. When it comes to preventing and responding to breach events, knowing where data resides and who has access to it is essential, but limiting access on a continuous basis is a critical best practice. Doing so allows firms to quickly understand threats and liabilities based on who potentially had access to vulnerable data and where it is (or was) within network systems or software.
Factors that affect data (like software and configuration vulnerabilities) will become a focal point moving forward, as those factors greatly impact organizational risk. For firms, having the ability to discover an organization's assets and the data they contain on an ongoing basis will support regulatory readiness, especially as new and potentially resource-intensive amendments continue to roll out.
This won’t be a one-time effort either. Every vendor relationship will need careful scrutiny and every vendor contract involving the processing of data will require detailed legal review. Moreover, every data incident will require legal and compliance review.
In our experience, the S-P amendments merely codify best practices. S&K has seen a dramatic increase in the number of cyber incidents in financial services over the past 12 months, particularly in the investment management industry. While the implementation costs may seem somewhat onerous, complying with the S-P amendments may reduce the chances of a catastrophic data incident. Moreover, vendors often push back against financial institutions inserting data protection contractual provisions; the new rules will give financial institutions firmer grounding to push for important protections in vendor agreements. Finally, the new rules may eliminate the need for painstaking 50-state reviews of data breach notification laws in the event of a breach, thus potentially reducing the costs associated with responding to a data incident.
As fund managers navigate and adopt these new amendments, they must prioritize more than just written policies, procedures, and vulnerability assessments. The expanded scope of Reg S-P underscores the importance of selecting the right service providers from the outset and establishing robust governance.
Given the current cybersecurity threat landscape alongside new regulatory demands and operational due diligence, we encourage stakeholders to stay prepared and embrace a proactive approach. Effective planning is as crucial, if not more so, than any robust response.
Practically speaking, focus on the following:
The SEC's adoption of Regulation S-P, a set of privacy rules governing the management of nonpublic personal information, illuminates more than data governance. These rules highlight the need for integrated data management and incident response.
Incident response planning is not just about reacting to incidents, but about adopting a proactive 'when not if' philosophy. The rules, while not providing detailed incident response procedures, do set the ambitious goal of policies and procedures to detect, respond to, and recover from unauthorized access to or use of customer information. These rules also highlight the importance of identifying nonpublic (protected) information, determining if this data is improperly exposed, and swiftly reducing the risk associated with this exposure.
It reminds us that planning is equally (if not more) important than any vigorous response. Covered institutions should plan for incident response and test these capabilities through tabletops and mock scenarios. Moreover, these exercises allow fund managers and technical leaders to communicate under simulated stress, developing inter-team trust and communication and reminding managers that cybersecurity is not an IT problem to solve; rather, it’s a business risk to manage.
The long-awaited update to Regulation S-P by the Securities and Exchange Commission has been officially adopted. This update includes enhancements to the rules that govern how investment advisers, broker-dealers, and investment companies must safeguard customer financial information.
Every client we have encountered emphasizes the importance of robust data security and investor privacy. Given the rise in sophisticated cyberattacks against financial institutions and the requirements of Regulation S-P, fund managers must formulate detailed protocols to safeguard investor data and devise a holistic strategy for handling data breaches. Foundational technology controls coupled with strong governance have become an essential requirement for this industry. Firms must prioritize working with their Cybersecurity, Technology Risk, and Privacy team or their appropriate service providers to implement controls that meet the new requirements around Regulation S-P.
Alex Bazay brings over 20 years of experience in the information technology industry and expertise in cybersecurity, IT, compliance, business continuity, and disaster recovery to his role as Chief Information Security Officer. Alex brings tremendous technological leadership and security expertise to the company. Before joining Align, Alex was Chief Technology Officer and Chief Information Security Officer at Gruss Capital Management, a boutique global financial company. He was responsible for all day-to-day operations and strategic planning relating to information technology, business continuity, and cybersecurity. Before that, Alex held various consulting positions during which he advised clients in cybersecurity defense, operational strategies/executions, and overall IT strategies/executions. Alex currently serves as a Board Member of the ISACA NY Metro Chapter, Governing Body Member of the Evanta NYC Executive CIO Community, and a Member of the Vation Ventures New York Innovation Advisory Council. He also sits on numerous other advisory boards and holds several industry certifications, including the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Chief Information Security Officer (C|CISO), and Certified Data Privacy Solutions Engineer (CDPSE).
Wendy serves as an independent director with Azimuth. Prior to joining Azimuth, Wendy was Managing Director and head of Wells Fargo Prime Services’ Business Consulting Group, responsible for the development and management of the platform’s business consulting services. Prior to joining Wells Fargo Securities, Wendy was a consultant at Tiger Bay Advisors where she provided supplemental, interim, and ongoing subject matter solutions to help hedge funds manage and operate key business functions. Before her work at Tiger Bay, Wendy held a number of key industry roles including a director in Credit Suisse’s Global Credit Products where she specialized in business development and sales and marketing of tailored leveraged facilities to alternative asset managers. Prior to Credit Suisse, Wendy worked in Salomon Smith Barney’s legal department. She also was a senior attorney in the SEC’s Enforcement Division, and has held legal roles in Furman Selz and Lehman Brothers. Wendy holds a B.A. in Communications from Northwestern University, a J.D. from Brooklyn Law School and a Master of Laws degree from the London School of Economics. Wendy holds Series 7, 53, and 63 licenses and was admitted to the bars of New York and New Jersey.
Casey is a member of Seward & Kissel’s Financial Services Regulatory Group and Blockchain and Cryptocurrency Group in the Firm’s Washington, DC, office. As a financial attorney, Casey advises a wide range of financial services companies (including banks, broker-dealers, investment funds, service providers, and financial technology companies) on federal and state banking and securities law issues. Casey regularly provides legal aid to clients with respect to financial matters such as deposit issues, lending services, state and federal licensing and registration, anti-money laundering, custody, transfer, payments, and liquidity issues, and the Bank Holding Company Act.
Jacob has over 25 years of experience providing cybersecurity and IT services. Jacob was the co-founder and CEO of
Todd Cipperman, Managing Principal, Cipperman Analytics
Todd Cipperman is the Managing Principal of Cipperman & Company and Cipperman Analytics, through which he provides regulatory advice and management consulting services to growth-minded investment managers and fund managers on strategic objectives, distribution strategies, financing options, board and corporate governance, and regulatory structures. He is an experienced financial services executive who founded, grew, and sold an industry-leading compliance services firm to a large, private equity backed consulting/technology firm. He has served as General Counsel of a public investment firm and worked in private legal practice on Wall Street representing both buy and sell side clients in investment management and capital markets transactions. He is a graduate of the University of Pennsylvania Law School and Cornell University. He is the author of the book The Compliance Advantage: Ten Must-Know Trends to Protect Your Investment Firm, which is available in hard copy and in digital format on Amazon.
Ed Fasano has 25 years of experience as an investment adviser COO, CFO, CCO, Treasurer, and Head of Investor Relations. His role at EAC includes heading up the firm's Pre-Launch and Treasury consulting services as well as leading EAC's global sales and marketing efforts. Prior to founding EAC, Mr. Fasano launched the advisory offering at Titan Regulation. Before Titan, Mr. Fasano launched SAYA Management LP, serving as COO, CFO and CCO, responsible for all finance and accounting matters in addition to compliance, investor relations and personnel matters. Before starting SAYA, Mr. Fasano was with Seawolf Capital, where he was responsible for the Firm's launch and later served as the Firm's COO, CFO and CCO. Prior to Seawolf, Mr. Fasano led Treasury and Operations functions at FrontPoint Partners and spearheaded portfolio finance for DKR Capital. Earlier in his career, Mr. Fasano held operational and finance roles at Tiger Management and Paloma Partners. Moreover, he had a key role in establishing and operating the stock loan finance broker-dealer at Citadel Investment Group and managing its relationships with stock loan counterparties.
James Mignacca, CEO, Cavelo
As CEO of Cavelo, James helps businesses proactively reduce cybersecurity data risk and achieve compliance with automated data discovery, classification and reporting. Cavelo's cloud compatible data risk management platform continuously scans, identifies and classifies sensitive data across machines, servers and cloud applications, simplifying compliance reporting and risk remediation.
Mark Sangster, author of No Safe Harbor: The Inside Truth about Cybercrime and How to Protect Your Business, is a go-to subject matter expert for leading publications and media outlets, including The Wall Street Journal and Forbes, covering major data breach events. His experience unites a strong technical aptitude and an intuitive understanding of regulatory agencies, shifts in risk trends and influences thought leaders.
With over 20 years of extensive experience in financial services and technology, Vinod Paul serves in the role of President, Align Managed Services. As President, Vinod is responsible for spearheading the strategic development of Align's Managed Services offerings, including overseeing Align Cybersecurity™, a comprehensive solution for cybersecurity risk management. Additionally, Vinod plays a pivotal role in nurturing senior client relationships within the alternative asset management community, offering ongoing guidance on industry best practices and emerging trends in Managed Services. Renowned as an influential figure in the financial services sector, Vinod previously held leadership positions at ECI, a prominent global provider of Managed IT Services. During his 13-year tenure as Managing Director, he led customer-facing engagements, focusing on service delivery and business development on a global scale. Under his guidance, ECI solidified its position as a premier Managed Service provider in the financial services realm, expanding its operations into Europe and Asia. Vinod has demonstrated his expertise through numerous placements in industry-relevant publications such as Forbes, Channel Futures, Hedgeweek, and Private Equity Wire. As an active speaker in the fields of managed services leadership, cybersecurity, financial services, and technology, Vinod has been recognized and celebrated for his contributions.
Gary Berger is an audit partner at CohnReznick LLP and serves as the Northeast Financial Services Industry Leader. Based in the Firm’s New York office, he is extensively involved in the Firm’s Financial Services practice and has more than 30 years of experience serving domestic and offshore hedge funds, private equity funds, venture capital funds, and fund of funds. Gary provides advice on fund start up issues including organizational structure, economic and tax issues, seeding arrangements, and general business consultation. He serves as a relationship manager on numerous clients and is responsible for coordinating, managing and performing audit services of funds. Gary is a frequent speaker at financial services conferences and seminars. He has presented on numerous industry topics including, how to launch a hedge fund, valuation and fair value of investment portfolios, organizational and tax issues associated with investment partnerships, opportunity zones, and accounting and technical issues for investment partnerships. Prior to joining CohnReznick, Gary headed up the hedge fund practices nationally for KPMG and Rothstein Kass.
With over 17 years of expertise in designing and spearheading prosperous Managed Service practices, Chris Zadrima stands as a distinguished leader in constructing customer management teams and excelling as a subject matter expert in harnessing cloud-based solutions to address business and operational needs. Currently at Align, Chris assumes a comprehensive role overseeing the entirety of Align's Global Managed Services practice, which encompasses Client Support, Cloud Architecture and Strategy, Project Management, the Network Operations Center, and the IT Service Desk. In recognition of his outstanding contributions to steering growth and strategic direction within his current role, Chris has been honored by CRN, a division of The Channel Company, as one of the 2023 Next-Gen Solution Provider Leaders. This prestigious accolade underscores individuals who not only significantly impact their companies' trajectories but also exhibit the potential to emerge as future leaders in channel innovation. The accolade specifically acknowledges solution provider professionals aged 40 or younger who have played pivotal roles in shaping their company's strategic direction and fostering channel growth over the past year. Before joining Align, Chris played a key role in the leadership team at Infoaxis, a technology solution provider. During his nine-year tenure, he successfully developed a Managed Service offering that supported over 6000 endpoints. Chris's academic foundation includes a degree from Fordham University, where he graduated with a Bachelor of Science in Accounting with a concentration in Management Information Systems. His educational background, combined with his extensive industry experience, reflects his multifaceted proficiency in both business and technology domains.