Cybersecurity: A global legal perspective
On Wednesday 22 April 2015, the US House of Representatives passed a new cybersecurity bill, the Protecting Cyber Networks Act (PCNA), to allow the sharing of cyber threat information between private companies and government agencies and to raise overall awareness of hacking.
This is just the latest chapter in what is fast becoming a key narrative within the US, where cybersecurity legislation is being rolled out to address the growing sophistication of cyber attacks.
Hedge funds are now becoming a more pronounced target and, to that end, lawyers are having to get on top of the issues to advise their clients accordingly. Ed McNicholas is a partner at Sidley Austin LLP in Washington DC. He confirms that he has just finished a treatise for the Practising Law Institute, the aim of which is to provide a legal guide on cybersecurity. It is due to be published in June.
“The law here is developing rapidly and one of the biggest things that hedge funds need to do is to ensure communication between their lawyers and their IT staff on this issue. The lawyers have, for a long time, considered it to be an IT issue but they need to get up to speed on this,” says McNicholas.
McNicholas sees three big tasks facing lawyers. The first relates to managing the information assets of a hedge fund. These are highly specialised vehicles and as such an intellectual step needs to be taken by law firms in realising that this is not an issue that pertains solely to personal data. Hedge funds have significant intellectual property – trading algorithms, investor details, proprietary research etc. In relation to cybersecurity, it is important to identify those assets and understand where and with whom the manager shares those assets.
“Smaller managers rely more on third party vendors and they tend not to do a great job of ensuring that, when data is passed to a third party, they have adequate assurances of data security. There are several vendors within the hedge fund industry that are important across all hedge funds, which to a hacker represent giant honeypots of information.
“Up until now, the main protections have come from legal teams saying, ‘All we need to do is put a sentence in the contract that the transfer of information must be done in compliance with all applicable laws’. In this day and age, that strikes me as being quite a risky approach,” says McNicholas.
The second task is governance. That is, figuring out the policies and procedures and the executive oversight. Has there been a briefing to senior management on IT security and the risks that exist? Do they understand the reality of cybersecurity threats?
The third task is to prepare a breach response in advance of an attack taking place. It’s fair to say that a lot of hedge funds, particularly at the smaller end of the AUM spectrum, have done little to prepare for a breach. When it happens – be it nefarious in nature or not – the response is to get all the senior partners on the phone and react in an uncoordinated fashion, which as McNicholas points out, is not an optimal response to a rapidly evolving situation.
Lena Ng, Counsel at Clifford Chance Pte Ltd in Singapore, says that whilst Asian fund managers are aware of the risks, there is no sense of panic.
“They aren’t banging down the door seeking a review of their documentation in respect of cyber threats. There is a view held by some managers that no one is going to hack into their systems,” says Ng.
The Monetary Authority of Singapore (MAS) is certainly treating cybersecurity seriously. Indeed, the government has recently set up the Cyber Security Agency to combat the threat across multiple industries, not just finance.
“The regulator is well aware of the risks. The loss of customer data is top of its mind. Hedge funds, after all, are dependent on outsourcing so to address this, MAS is strengthening the requirements that financial institutions need to put in place in relation to using service providers.
“Singaporean fund managers have to be more focused not just from an outsourcing perspective, but in respect of protecting their own customers; i.e. avoiding any potential security breaches internally. The Personal Data Protection Act was introduced into Singapore last year, which imposes obligations on securing personal data. This is something that managers who have a number of individual investors should be aware of now,” explains Ng.
To help managers develop best practices in the fight against cyber crime, in January 2015 the UK’s financial regulator, the Financial Conduct Authority (FCA), published a set of guidelines named ‘Financial crime – a guide for firms’.
“The guide has a useful section on data security, which we point clients towards. It touches upon best practices and is tailored towards preventing fraud and identity theft, which are important aspects of cybersecurity,” notes Renzo Marchini, Special Counsel at Dechert.
At present, UK law in relation to data security takes the form of the Data Protection Act 1998. The office responsible for its enforcement is the Information Commissioner’s Office, which has the power to issue monetary penalties up to a maximum of GBP500,000. The FCA, on the other hand, is able to impose far more stringent penalties when a security breach and failure to protect sensitive data arises. For example, in 2013 the FCA fined EFG Private Bank Ltd GBP4.2 million for “failing to take reasonable care to establish and maintain effective anti-money laundering (AML) controls for high risk customers”.
This was not a cyber attack, but the fact is data protection and cyber security are closely linked. Establishing robust controls to protect data internally is just as important now as it is to guard against external threats.
“We’ve seen the larger funds ask us to engage in a process of information governance review – or cybersecurity risk management – whereby they are looking at their assets, identifying the risks to those assets and coming up with a legal risk mitigation response,” confirms McNicholas, who continues:
“The process of doing a cybersecurity review is vital, frankly. Funds have significant investors – mainly institutions who have entrusted large amounts of capital to them – and if there’s a cybersecurity incident that compromises the ability of the fund to perform its fiduciary duties with respect to that capital allocation there will be significant financial consequences.
“Hedge fund cybersecurity is not only about sending out privacy notices after a data breach and offering credit monitoring. It’s about making sure that the fund is fulfilling its duties with respect to its financial clients.”
Over at Dechert, Marchini points out that its hedge fund clients are often most concerned about protecting trade secrets, especially systematic funds that have a lot of intellectual property wrapped up in source code or trading models.
“It’s really an issue of protecting the assets. Legal recourse kicks in when someone has stolen trade secrets and the manager takes out an injunction because that person has breached their duties to the employer. That’s not strictly a cybersecurity issue but more a leakage of valuable data,” says Marchini. He adds that a separate but related issue is the protection of data about investors, and here the Data Protection Act will apply. This includes a requirement to train staff on data security and monitor them appropriately.
“Smaller hedge funds don’t always have policy documents addressing these issues but certainly many of our larger managers do; staff training, IT security policies, data protection policies and so on. We are educating compliance staff as to the legal responsibility of the manager to ensure that the proper internal controls are in place and, importantly, clearly communicated to everyone working within the hedge fund,” confirms Marchini.
Part of what makes hedge funds so unique is the fact that they share substantial amounts of fund-related information both externally, with their service providers, and internally. These counterparties are the concentrations of data that McNicholas describes above as honeypots for attackers.
As such, hedge funds can improve their cybersecurity profile by assessing a provider's certifications, its data security and data destruction policies, and the scope and results of its recent penetration tests. In addition, many hedge funds are now strengthening their service level agreements to guard against one of their counterparties suffering a breach.
“One of my colleagues in Hong Kong has been advising a number of clients in this area,” confirms Ng. “If investors’ information were leaked, then the reputational risk to the manager would be fatal compared to any potential regulatory fine. I think hedge funds, because they have to rely so much on service providers, are potentially at a higher risk than other financial institutions with respect to losing proprietary information. Also, a lot of managers tend to use many of the same service providers so if a prime broker or custodian suffered a security breach, for example, it could become quite a significant issue.”
Having a robust SLA in place will at least help recover some loss but there’s a limit to how much that will mitigate against reputational risk. As Ng says: “It is helpful, but only to a certain extent.”
One interesting point that Ng raises is that in addition to regulatory pressure, which will likely continue, managers could start to see pressure coming from the very same counterparts they do business with, such as banks checking to see what security set-up they have to avoid a potential breach, not just vice versa. “I think we will see a wave of cybersecurity assessments in the industry, even if it doesn’t come from regulatory initiatives,” suggests Ng.
No business can look at what happened to Sony Pictures late last year and think that it is immune to cybersecurity risk. McNicholas lays out what he calls three “very realistic” scenarios for hedge funds:
“First, there are funds that spend a lot of time looking at China and researching Chinese companies and to put it bluntly, if you’re researching China they are researching you. To think that they are not is a bit naïve,” says McNicholas.
Second is the threat posed by hacktivists. McNicholas refers to one hedge fund that held a number of investments in companies operating in the GM foods industry. The hacktivists considered the fund a supporter of those companies and targeted it, even though the underlying companies were the main source of their ire.
Third, there is the insider threat, which is quite common within hedge funds. Someone within the fund who decides to spin off and run their own fund will be greatly aided in that endeavour by taking investor and trading information with them. This insider threat is a very tangible one with respect to cybersecurity.
“Hedge funds are typically small groups of trusted individuals. If there is a dispute and one of the partners breaks away, there are frequently precious few controls in place to stop that person from taking data and using it on their own terms.
“That is a very tangible commercial threat to hedge funds,” says McNicholas who concludes by offering the following advice:
“Cybersecurity is more than just policies and procedures. It’s a legal risk management exercise. There has to be some ongoing monitoring and oversight of information and the assets as they move within the hedge fund so that if there is a significant attack the manager has a paper trail of governance and awareness of the breach.”