Return to search

SEC zeroing in on firms’ cyber-risk practices during exam process

The regulator is taking a closer look into firms' cyber-risk management programs as part of the examination process.

The Securities and Exchange Commission is taking a closer look at cybersecurity during its examinations of private equity firms, and firms are conducting their own mock exams in preparation, some consultants say.

The agency has been pushing this focus over past six to 12 months in light of incidents that include phishing and fraudulent wire transfers, a consultant said, noting that several private equity clients have commented on the SEC’s asking about cyber-risk management.

“There are themes and topics that they are focused on, so you want to make sure that you’re prepared for those types of questions,” that consultant said at the 2018 Private Fund Finance and Compliance Forum in San Francisco last week. “In general, phishing attacks are all over the place, wire transfer frauds are all over the place. We get calls from PE firms that are dealing with it themselves or their portfolio companies are, so be prepared when the SEC gets wind of this. They’ll be knocking sooner or later.”

Two questions that his clients saw on an SEC exam following a breach concerned how the firms ensured that their investors weren’t hurt by an incident, and whether there were any breaches at their portfolio companies.

“That was a for-cause type of situation… but I do hear that they are asking general questions,” the consultant said.

Several speakers at the conference said that it is rare to see cyber-risk questions in exams unless the company concerned has experienced a breach.

“The minute you have a breach, then [the SEC] will come down on you. That’s why it’s so critical to be prepared on the cyber side,” one advisor said.

The SEC is also trying to push private equity firms to think about cyber-risk management for their portfolio companies, and consultants say that firms should have a plan to follow in immediate response to an incident. The agency wants private equity firms to vet targeted portfolio companies so that a cyber-risk program is in place to ensure that those companies’ information will be protected.

“One thing we’re seeing the SEC focus more on are your procedures and your controls that you implement with mergers and acquisitions,” the consultant said. “There’s consolidation going on and you’re picking up other partners. [The SEC] is very focused on how you’re ensuring that before there is any integration between the systems that you actually vetted that partner, that new acquisition.”

The SEC is also looking at firms’ social media use. In the past six to 12 months the agency has been focusing on firms’ compliance policies when using of alternative forms of communication, such as WhatsApp, Snapchat and other social media, in order to ensure that confidential information and private information doesn’t become public.

“You have deal teams that are communicating and are oftentimes using something like that,” a private equity executive said at the conference. “How is a compliance officer enforcing policies around this? What kind of oversight what policies do you have in place?”

Several speakers at the conference said that one approach that helps them in preparing for an SEC exam is by conducting mock examinations on their own to find out just how prepared they are.

“Having mock audits focused on cybersecurity is really critical,” one speaker said.