Private fund managers should keep a close eye on cybersecurity over the coming 12 months, with new rules potentially entering into force at a state, national, and international level, according to industry experts.
Nationally, proposed Securities and Exchange Commission rules that require registered investment advisors to adopt and implement written business continuity and transition plans – which would be implemented in the event of a cyber-attack – remain outstanding.
“I’d be surprised if there are any new cybersecurity rules [coming out of the SEC], but there could be a follow up to the business continuity rules,” Norm Champ, partner at Kirkland & Ellis told delegates at the IA Watch Cybersecurity for Financial Services event in New York on Monday.
The agency is currently focused on the protection of customer data, he added, but it is not inconceivable that it could expand that focus to other areas of concern.
“If you have limited resources, invest them in protecting customer data first,” Champ said.
SEC examinations are also expected to continue apace, despite changes at the top of the organisation.
“Some senior people have left the Securities and Exchange Commission, but the people running the Office of Compliance Inspections and Examinations won't change. There might be a change of focus, but the number of cases is unlikely to fall,” Todd Cipperman, managing principal at Cipperman Compliance Services, told pfm.
New York-based asset managers should also be aware of incoming state-level legislation, which is on track to enter into force on March 1.
“Its application to investment advisers is still unclear – the description of covered entity is not explicit – but it seems likely it will [apply to advisors],” said Lisa Toth, global head of regulation and risk at Hatstand.
The rules, which were initially due to come into force in January, were edited in response to criticism received in the original consultation in September.
“Whether other states pick up on the regulation and issue their own is a possibility,” Toth said.
Internationally the European General Data Protection Regulation comes into force in January 2018, and covers any global firm that has clients in Europe; any firm that suffers a cyber-attack exposing data relating to clients in Europe faces a fine equal to 4 percent of its global annual revenue.
“This will impact some of the largest players in the US which engage in cross-border ventures,” Cipperman said.