Investment Management

Posted on Tuesday, August 22 2017 at 2:05 pm by

Adviser Settles with SEC over Insider Trading Controls for Political Intelligence Firms

By Paul Foley and John I. Sanders

Yesterday, the SEC announced a settlement under which Deerfield Management Company L.P. (“Deerfield”), a hedge fund adviser, agreed to pay more than $4.6 million.[i]  The SEC charged Deerfield with failing to “establish, maintain and enforce policies and procedures reasonably designed to prevent the illegal use of inside information”[ii] as required by Section 204A of the Investment Advisers Act of 1940 (the “Advisers Act”).[iii]

The SEC cited Deerfield for failing to tailor its policies and procedures “to address the specific risks presented by its business.”[iv]  In particular, Deerfield’s reliance on third-party political intelligence firms to provide insight into upcoming legislative and regulatory action created the risk that Deerfield would receive and illegally trade on inside information (e.g., a regulator’s unannounced decision to finalize a rule that would materially affect certain industries and publicly traded companies).[v]

The SEC’s settlement with Deerfield serves as a warning for advisers utilizing investment strategies dependent on obtaining or correctly predicting non-public information (e.g., unannounced mergers and acquisitions or the governmental approval of a pharmaceutical product), particularly those advisers partnering with third-party consultants and analysts.  Such advisers should consider whether their current policies and procedures address the specific risks likely to arise under such strategies and partnerships.

Please contact us if you have any questions about the SEC’s recent settlement with Deerfield or an adviser’s obligations under the Advisers Act generally.

Paul Foley is a partner with Kilpatrick Townsend & Stockton’s Winston-Salem and New York offices.  John I. Sanders is an associate based in the firm’s Winston-Salem office.

[i] SEC, Hedge Fund Adviser Charged for Inadequate Controls to Prevent Insider Trading (Aug. 21, 2017), available at https://www.sec.gov/news/press-release/2017-146 (hereinafter SEC Release).

[ii] Id.

[iii] 15 USC 80b-4a (2017).

[iv] SEC Release, supra note 1.

[v] Id.

Posted on Wednesday, July 26 2017 at 8:58 am by

Six Ways to Improve Cybersecurity Policies and Procedures

By Paul Foley and John I. Sanders

The SEC has declared cybersecurity to be an examination priority for financial institutions (i.e., broker-dealers, investment advisers, and registered investment companies) in each of the past four years.[1]  While the SEC’s comments in these examination priority releases are helpful for financial institutions, we believe that the SEC may have provided more useful guidance concerning cybersecurity practices through investor bulletins designed to help investors avoid online fraud.[2]  This guidance reveals helpful insights into the SEC’s evolving approach to cybersecurity.  Accordingly, based on the SEC’s most recently issued guidance to investors, we identify six ways financial institutions could improve their cybersecurity policies and procedures below.[3]

1. Passwords. The SEC has recommended that investors choose a strong password (i.e., one that includes symbols, numbers, and both capital and lowercase letters) for online access, keep their password secure, and change it regularly.[4]  Consistent with this recommendation, financial institutions may want to consider requiring clients to choose strong passwords and change them regularly.

2.  Biometric Safeguards. The SEC has recommended that investors contact their financial institutions to determine whether they offer biometric safeguards (e.g., fingerprinting, facial and voice recognition, and retina scans) for mobile device access.[5]  Although biometric safeguards are not currently a standard security feature, financial institutions may want to consider ways they can add biometric safeguards as a feature of mobile device access for their clients.

3.  Public Computers. The SEC has recommended that investors avoid using public computers to access investment accounts.[6]  When an investor does use a public computer, the SEC recommends investors take the following precautions:  disable password saving; delete files, caches, and cookies; and log out of accounts completely when finished.[7]  Financial institutions could help investors follow the SEC’s helpful, but often forgotten, advice by, for example, requiring them to proactively check a box to enable password saving on each new device and automatically logging users out of their online accounts after relatively short periods of inactivity.

4.  Secure Websites. The SEC has recommended that investors not log in to an account unless the relevant financial institution’s website has a secure “https” address.[8]  Many financial institutions have a secure website already, but those that do not may want to consider implementing one.

5.  Links. The SEC has recommended that clients never click on links sent to them by financial institutions with which they do not have a relationship, and that they confirm the legitimacy of links sent to them by their financial institutions by calling or emailing the purported sender.[9]  In response to this advice, financial institutions may want to use links judiciously, and ensure that those who will receive calls and emails from clients know what links have been sent to which clients and under what circumstances.  Without such knowledge, financial institution employees may be unable to confirm or deny the legitimacy of a link, undermining client confidence in the financial institution’s cybersecurity policies and procedures.

6.  Review Account Statements. The SEC has recommended that investors regularly review statements and trade confirmations for suspicious activity and contact their financial institution with a written complaint if there is suspicious activity.[10]  In response, financial institutions may want to evaluate their security procedures with respect to redemptions and distributions.  Adopting reliable technological innovations can help prevent suspicious activity and create a business advantage (e.g., using biometric safeguards or two-factor authentication may be more reliable and less time-consuming than requiring signature guarantees).

Please contact us if you have any questions about this article or the SEC’s cybersecurity guidance.

Paul Foley is a partner with Kilpatrick Townsend & Stockton’s Winston-Salem and New York offices.  John I. Sanders is an associate based in the firm’s Winston-Salem office.

[1] SEC, Examination Priorities for 2014 (Jan. 9, 2014), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2014.pdf; SEC, Examination Priorities for 2015 (Jan. 13, 2015), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2015.pdf; SEC, Examination Priorities for 2016 (Jan. 11, 2016), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2016.pdf;  SEC, Examination Priorities for 2017 (Jan. 12, 2017), available at https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2017.pdf.

[2] SEC, Cybersecurity, the SEC and You (last visited July 25, 2017), available at https://www.sec.gov/spotlight/cybersecurity (containing a library of resources for both investors and securities industry professionals related to cybersecurity).

[3] SEC, Updated Investor Bulletin:  Protecting Your Online Investment Accounts from Fraud (April 26, 2017), available at https://investor.gov/additional-resources/news-alerts/alerts-bulletins/updated-investor-bulletin-protecting-your-online.

[4] Id.

[5] Id.

[6] Id.

[7] Id.

[8] Id.

[9] Id.

[10] Id.