Hedge Funds Warn SEC Cyber Lapses Risk Exposing Trading Secrets

Bloomberg Law

Hedge funds are sounding the alarm about cyber blunders by financial regulators as the funds get ready to hand over more details on their closely guarded investment strategies.

The Securities and Exchange Commission and the Commodity Futures Trading Commission last week adopted rules expanding what private fund advisers must confidentially report—such as details on their crypto investments and credit strategies, including litigation funding. Regulators said the additional data will help them monitor market risks and bolster oversight of the private fund industry, which has grown to managing about $26 trillion in gross assets.

Industry groups voiced concerns about the government’s ability to safeguard data on the so-called Form PF, warning the detailed information could provide a roadmap to funds’ confidential proprietary investment strategies. The SEC in particular is an attractive target for hackers and has a fraught cyber record—as illustrated last month when hackers gained access to the agency’s official X account.

“People will file the data but then keep fingers crossed that the SEC ups their game on the cyber side,” said Jennifer Wood, the global head of asset management regulation at the Alternative Investment Management Association.

The amendments are the latest in a series of changes to Form PF, which has been overhauled in recent months to address what regulators said were gaps in the information they receive from private fund advisers.

The SEC and CFTC brushed aside security concerns in the final rule, saying they have “robust data protection measures in place to protect all information filed on Form PF.” Republican commissioners who opposed the rules, set to take effect next year, said their agencies’ cyber practices are constantly challenged, and noted risks posed by staff members who see the confidential data and then take up industry jobs.

The SEC declined to comment beyond what’s in the rule release. The CFTC didn’t immediately respond to a request.

Granular Data

Adopted in 2011 as part of the Dodd-Frank Act, Form PF can be used by regulators in enforcement actions and to assess any systemic risks private funds may pose. Specific data included in the reports isn’t made public.

The new rules require large hedge funds—those with a net asset value of at least $500 million—to provide more detailed information about fund strategies, giving regulators more of a window into their operations. The agencies also expanded reporting requirements around funds’ investment exposures and financing arrangements, among other things.

Those critical of the changes, including various trade groups, questioned whether regulators need all the new information. Unauthorized disclosure of Form PF data could cause significant damage given the granularity of the details fund advisers must provide, industry groups warned.

The risks of a cyber incident “are magnified by the increasingly detailed information that the agencies would collect,” MFA, formerly known as Managed Funds Association, said in a 2022 comment letter on the proposal. The group’s head, Bryan Corbett, repeated the warning last week, saying the regulators’ “broad, undisciplined request for data will put sensitive proprietary investment strategies at risk.”

Another group, the Securities Industry and Financial Markets Association, has said the information could be used to recreate a fund’s investment strategy, potentially allowing for front-running.

Form PF data “would be very useful to someone who knew what they were looking for,” said Karl Egbert, a partner at Baker McKenzie and co-chair of the firm’s Global Investment Funds steering committee.

Cyber Breaches

The SEC has repeatedly come under fire for its lax cybersecurity defenses, a problem that has plagued agencies throughout the federal government.

Last month, the SEC’s official X account was hacked and a fake post said the agency had approved spot Bitcoin exchange-traded funds, sparking a brief trading spike. The commission granted the approval the next day.

Years earlier, the SEC’s system for public companies to submit filings, EDGAR, was hacked as part of a major breach the government later blamed on an Eastern European group.

Responding to questions from lawmakers about the social media breach, SEC chair Gary Gensler said in a letter this month “the SEC takes its cybersecurity obligations seriously.” But the SEC’s inspector general has repeatedly uncovered flaws in the commission’s cyber practices.

The agency wasn’t fully adhering to cybersecurity standards, including a requirement that public-facing systems support multifactor authentication, the SEC’s internal watchdog said in September. An independent evaluation the year before found the SEC didn’t consistently implement protocols that decrease the risk of unauthorized access to its information systems.

The CFTC’s internal watchdog has also raised cyber concerns at that agency, including with its migration to a cloud computing platform.

No Neuralyzers

Along with amending Form PF, the SEC and CFTC announced an agreement to share data from the form with each other. AIMA’s Wood said that “increases the possibilities of where the threat vectors can attach to the data.”

SEC Commissioner Mark Uyeda and CFTC Commissioner Caroline Pham, both Republicans, also raised security concerns.

“The increased sensitivity of Form PF data, combined with the continuing challenges to government agencies in securing their own databases and accounts, make it imprudent to expose the SEC-only Form PF data to the CFTC,” they said in a joint statement.

Even setting aside hacking concerns, government workers who come across the data can’t “unlearn” what they’ve seen when they leave for jobs in the private sector, which could include positions in the private funds industry, Uyeda said.

“Despite the vast resources of the Federal government, the neuralyzer remains a work of fiction,” he said in a separate statement, referring to a memory-wiping device in the 1997 movie “Men in Black.”

SEC ‘Drill-down’

With last week’s changes, Form PF has been amended three times in the past 12 months—part of a broader push at the SEC under Gensler to increase transparency around the private fund industry.

“It really evidences and supports the SEC’s goal toward a drill-down and seeking out more granular information and reporting about private funds, especially their structuring,” said Christine Ayako Schleppegrell, a Morgan, Lewis & Bockius LLP partner and former head of the SEC’s private funds branch.

One of the biggest changes took effect in December, requiring hedge fund and private equity advisers to tell the SEC within 72 hours about extraordinary investment losses and certain other major events. The cumulative changes to Form PF will require a retooling of private fund reporting systems, trade groups say.

Some question whether the SEC’s changes justify the added compliance costs, while acknowledging the agency’s well-meaning intent to keep a closer eye on market risks.

“For me, the question is whether it’s ultimately worth the bang for the buck,” Egbert said.
