Cybersecurity is one important element of a fund manager’s overall regulatory compliance responsibilities. Although not explicitly required by SEC regulations, it is clear that managers are expected to test for cybersecurity vulnerabilities and preparedness. Such testing was recently considered in depth at a program sponsored by K&L Gates and the Investment Adviser Association (IAA). The program was moderated by Mark C. Amorosi, a partner at K&L Gates. The other speakers were Laura L. Grossman, assistant general counsel at IAA; Jason Harrell, corporate senior information risk officer at BNY Mellon; Jeromie Jackson, director of security & analytics at Nth Generation; and K&L Gates partners Jeffrey B. Maletta and Andras P. Teleki. This article, the first in a two-part series, details the panelists’ discussion of the legal and compliance framework for cybersecurity testing; testing considerations; and how to leverage OCIE’s recent cybersecurity examination initiative to improve cybersecurity compliance and testing. The second article will discuss testing approaches; vulnerability assessments; penetration testing; and recent SEC and private litigation on cybersecurity matters. See “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions
,” Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).