Risk Update

Risk Potpourri — ILTA Security Survey, Client Conflicts in the PR World, SEC & Private Fund Conflicts Concerns, Big Four “Deep Seated” Conflicts Called

ILTA just published: “Security at Issue: State of Cybersecurity in Law Firms” —

  • “Law firms store some of the most sensitive information available regarding material business transactions (e.g., mergers, acquisitions, and tax returns), civil/criminal prosecution, and personal transactions (e.g., divorces and wills), and lawyers have an ethical responsibility to protect this data. Due to fears of losing this sensitive information and pressing court dates that often cannot be moved without system access, law firms are highly motivated to succumb to an attacker’s demands when their files are encrypted by ransomware, or they are threatened with the public exposure of that data.”
  • “Toward the end of 2021, nearly a third of law firms surveyed reported a breach within the year; and 36% reported past malware infections, according to an American Bar Association report.”
  • “Only 15.5% of responding firms of all sizes believed they had some security gaps, or that their security needed significant improvement; the rest believed they were relatively to extremely secure. This, unfortunately, does not track with either our experience from our assessments (which always yield some significant risk factors), the previously mentioned study that showed a third of firms suffered breaches in a single calendar year, or security gaps uncovered throughout the survey. We believe this is a definitional problem by what is meant by ‘secure’ and what achieving true defensibility looks like.”
  • “Nearly three-quarters of respondents believed they were more or much more secure than their industry peers. This obviously defies mathematical logic; while we can possibly hedge our results with the likelihood that those taking the survey were more confident in their security (and thus more willing to participate), we find this still unlikely. We think it more likely that we are seeing a definitional glitch in what ‘average’ looks like.”
  • “The data shows IT professionals fear their users’ behaviors more than they fear the threat actors themselves, and believe these behaviors are the greatest challenge to their security. They also believe users are the biggest impediment to improvement through their resistance to change and education.”
  • “When asked what the top three threats to security are in the firm, the top response at 39.4% (and 40% in the ILTA Technology Survey) was user behavior and lack of training to prevent this harmful behavior. User behavior/training arose as a greater concern than ransomware or any threat actor tactic that would exploit these key drivers of organizational productivity.”
  • “Users are viewed as the greatest impediment to change. In our survey, 59% said user inconvenience was the greatest roadblock to implementing more stringent security controls (with cost being the second greatest concern).”

“DeSantis-linked PR shop ditches PGA Tour amid LIV Golf merger blowback” —

  • “The Ron DeSantis-connected PR shop Clout Public Affairs has dropped the PGA Tour as a client, after it announced its plans to merge with the Saudi-funded LIV Golf.”
  • “The firm had been working with both the PGA Tour and the families of 9/11 victims who had been agitating against LIV Golf for its Saudi ties. It was one of a number of public relations or lobbying shops that had cashed in on the high-profile feud between the storied PGA Tour and the controversial upstart LIV Golf.”
  • “Clout Public Affairs, which had become embroiled in the legal battle between LIV and its client PGA, had been subpoenaed by LIV and accused the golf league of trying to track the 9/11 families.”

A fascinating and detailed review and analysis by Ropes & Gray, for those interested: “The Securities Litigation Review: SEC Enforcement: A Practical Guide For Private Fund Managers” —

  • “All private fund advisers, whether with venture capital, private equity, hedge, debt, credit, real estate, hybrid, or other focus, must stay attuned to this attention on the private fund industry by the Securities and Exchange Commission (SEC) and, in particular, to the actions of its Division of Examinations (EXAMS) – formerly, the Office of Compliance Inspections and Examinations – and the Division of Enforcement (Enforcement).”
  • “With more than 5,500 registered investment advisers (totalling over 35 per cent of all registered investment advisers) managing 50,000 private funds, with gross assets said to exceed US$21 trillion, and with an active SEC Chair, private fund advisers can expect the years to come to be replete with rulemaking and enforcement focused on the private fund industry.”
  • “In this landscape, EXAMS likely will sharpen its focus on conflicts of interest the SEC believes are inherent in the private fund industry and which, the SEC believes, contribute to the perceived problematic issues discussed in the Private Fund Proposed Reforms. These include, for example, those related to portfolio valuation and resulting fee calculations, as well as conflicts related to liquidity. A resurgence of SEC enforcement against private fund advisers is likely to follow.”
  • “One of the common themes discussed in SEC guidance – and seen in examinations and enforcement matters – is the SEC suggestion that the private fund industry presents unique regulatory challenges and conflicts of interest because of its business model.”
  • “The SEC has long suggested that this model results in conflicts beyond those faced by typical investment advisers. Indeed, in a February 2015 speech, the SEC said that nearly all SEC enforcement matters involve examining whether an adviser has a conflict of interest and, if so, whether the adviser eliminated or disclosed that conflict.”
  • “According to the SEC, conflicts of interest include situations where there is a ‘facial incompatibility of interests, as well as any situation where an adviser’s interests might potentially incline the adviser to act in a way that places its interests above clients’ interests, intentionally or otherwise.’”
  • “Notably, under this model, the SEC has suggested that a conflict of interest does not require that an investor be harmed by the conflict, or that the adviser intended to cause harm to the investor. It only requires the possibility that an investment adviser’s interests could run counter to those of its investors.”
  • “In the SEC’s view, fund documents often contain insufficient disclosure on material terms, for example on fees and expenses, including relating to their allocation and affiliated fees and expenses; valuation procedures; and investment strategies and protocols for mitigating certain conflicts of interest, including investment and co-investment allocation.”
  • “Private fund advisers should be aware of significant areas of enforcement that have accelerated in the new administration, including undisclosed fees and expenses, misallocation of expenses, valuation of investments as that relates to calculation of fees, inadequate disclosure of financial conflicts, and conflicted relationships with third parties.”

And professors Ian Gow (University of Melbourne) and Stuart Kells (La Trobe Business School) opine: “The Big Four firms are incapable of unwinding their own deep-seated conflicts” —

  • “The Big Four – PricewaterhouseCoopers, EY, Deloitte, KPMG – are the global behemoths of the professional services industry. With nearly 1.5 million staff and US$190bn in annual revenue, they dominate markets for accounting, auditing and tax-related advice.”
  • “The recent high-profile crash of Project Everest – EY’s $600m attempted demerger – saw that firm’s angry partners demand more effective governance structures to protect their interests.”
  • “EY’s Everest was an attempt to separate auditing, which is about transparency and integrity, from services such as tax minimisation advice that are less about the public interest and more about private profit. The demerger would have addressed a fundamental conflict.”
  • “As the failure of EY’s Project Everest showed, the Big Four are probably incapable of unwinding their own deep-seated conflicts. Sooner or later, the task of imposing structural changes will fall to governments and regulators around the world.”
  • “By rejecting demergers on their own terms, the Four have effectively chosen uncontrolled and possibly chaotic break-ups on someone else’s terms and someone else’s clock. The Big Four can’t say they weren’t warned – the issues have been clear from calamities stretching back decades.”
  • “‘First in, first out,’ usually styled ‘Fifo,’ is a term familiar to all accountants; it relates inventory produced to inventory sold. The Big Four’s approach to strategy, risk management, and governance brings to mind a nearby acronym: Fafo, ‘f… around and find out.’ That is an uncomfortably apt description of the Big Four’s headlong drive towards profit through aimless diversification.”