Fund Managers Must Assess Whether Microsoft/CrowdStrike Outage Has Triggered Additional Regulatory Filings

A global technology outage linked to the cybersecurity firm CrowdStrike crashed Microsoft apps and triggered major disruptions across the asset management sector, along with other global industries.

Private fund managers affected by this outage should assess whether they have any regulatory notification obligations. For example:

• Section 5.G of Form PF requires large ($1.5 billion AUM) hedge fund managers to file a report following any significant disruption or degradation of operations necessary for (i) investment, trading, valuation, reporting and risk management functions; or (ii) the operation of a reporting fund in accordance with federal securities laws and regulations. Note that events at a service provider are expressly in scope. That report must be filed “as soon as practicable, but no later than 72 hours” after the occurrence of the event (and note that there is no tolling for weekends or holidays).
• The National Futures Association requires its members to notify NFA of a cybersecurity incident (i) that results in any loss of customer or counterparty funds or the Member’s own capital; or (ii) that requires the Member to notify customers or counterparties under state or federal law.

Fund managers should also consider whether affiliate registrations with other regulators and SROs (including non-US entities) require a notification. Side letter and similar obligations may also require notifications.

If you need assistance or have questions regarding this alert, please contact your Akin relationship attorney or one of the authors.