SEC OCIE To Launch Cybersecurity Initiative Focused on M&A
Last week, I attended the 2019 Mutual Fund and Investment Management Conference, which is sponsored by the Investment Company Institute (ICI) and the Federal Bar Association. The annual conference provides updates on current securities, tax, and regulatory developments that affect investment companies and investment advisers.
This year, the keynote presentation featured Kristin Snyder, deputy director of the SEC's Office of Compliance Inspections and Examinations (OCIE). Below are my observations from the session.
The OCIE reiterated their focus on M&A as part of their 2019 examination priorities (see our SEC cyber compliance blog for additional information).
Snyder discussed how the OCIE will undertake a new cybersecurity initiative focused on firms involved in mergers and acquisitions and the need for these firms to coordinate and consolidate their cybersecurity efforts. As Snyder explained during her presentation, problems arise and are exacerbated when firms each have their own cybersecurity systems in place prior to a merger. Combining the systems may result in areas that are overlooked, software that conflicts, or unforeseen security blind spots, resulting in increased vulnerabilities.
Integration of complicated and potentially ill-fitting technologies can be a lengthy, risky, and expensive project. At the same time, it presents an opportunity to take a fresh look at alternatives, including the potential replacement of legacy or “home grown” technologies.
In all cases, the OCIE’s focus in this area is well-placed. This needs to be a serious effort by merging companies. It can take many months to perform the evaluation, examine market alternatives, and then select and finally implement a well-thought-through system, whether it’s an integration of existing systems or a replacement.
At this point, per the OCIE, the seriousness of this focus is not meant to be punitive. They are not looking to penalize (except in egregious cases), but rather to highlight and support better cybersecurity efforts.
Reassuring as this may be, this cybersecurity initiative indicates the need for involvement of fund directors. Any SEC examination of the cybersecurity aspects of an M&A transaction doubtlessly will involve the fund directors. Their cyber oversight role has been repeatedly highlighted by the SEC, and ultimately, they will be responsible for ongoing oversight. Their early engagement, continued education, and familiarity with the issues will be a critical component of the process.
The extent and implementation of the OCIE’s initiative with its focus on M&A cybersecurity are not clear at this point. But heightened awareness and increased attention, from information technology (IT) and information security (IS) teams at the merged companies, and especially from fund directors, are certainly warranted.
ACA Guidance
ACA recommends that firms involved in M&A activity take the following actions:
- Have IS and IT leaders from each firm in upcoming mergers meet to map out joint cybersecurity strategies, systems, and policies. Focus on areas of overlap, possibly overlooked issues, etc.
- Include incident response plans, business continuity plans, written information security plans, and related documentation in merger efforts, ensuring that updated documentation covers the regulatory and operational needs of each firm.
- Engage early with the fund boards and follow a program of continued and active board education and governance.
- Keep a lookout for further information and detail on this topic from the SEC, from ACA, and from other reliable sources.
Board Oversight of Cybersecurity Report
In this white paper, ACA Compliance Group’s James Pappas and ACA Aponix’s Askari Foy offer guidance, tools, and a suggested framework for cybersecurity oversight by a board.
How ACA Can Help
ACA offers the following solutions that can help your firm meet SEC cybersecurity requirements, as well as reduce cybersecurity risk related to M&A activity:
- M&A diligence services
- Board of Directors services
- Portfolio company IT and cyber risk reviews
- Mock regulatory cyber exams
If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com.
About the Author
James P. Pappas is a Managing Director responsible for ACA’s board services practice, which assists boards in exercising oversight and business judgement. Jim has had senior roles in the investment industry and has served as a director of a mutual fund family and as a trustee of a public university foundation since 1998, currently serving as Chair of its Governance and Audit Committee.
Jim began his career as a corporate lawyer at Shearman & Sterling. He holds a JD, with honors, from Syracuse Law School and a BA, with honors, from the University of Massachusetts, Amherst.