Ackman SPAC Draws New Fire

Lawsuit says his vehicle, and others like it, should be under tighter federal regulation.

Activist investor Bill Ackman launched a special purpose acquisition company in early 2021, just as the concept was waning in popularity. Poor timing for him.

Now, his SPAC, Pershing Square Tontine Holdings, is under legal assault: A lawsuit charges that the Ackman vehicle should be regulated under the 1940 Investment Company Act, which would require it to disclose more and refrain from making public statements ahead of a transaction that might influence the market.

The action in federal court, by former SEC Commissioner Robert Jackson and Yale Law School Professor John Morley, is part of a slew of such suits attempting to rein in SPACs. Ackman has responded that Jackson and Morley are misreading the law.

The suits cite the Securities and Exchange Commission’s new proposed rule that would require SPACs to divulge more information about their investors and possible conflicts of interest.

The Ackman SPAC has had some trouble getting off the ground. Over the past year, it aimed to take a stake in Universal Music Group, as part of a spinoff from French conglomerate Vivendi. But the SEC axed that plan. The SPAC has been scrambling for another target, without much success.

Wilshire Advisors Hit by Cyber Attack

Firm announces it was the target of a ransomware attack in early March.



Wilshire Advisors has said it was the target of a ransomware attack that took place March 4.

“Once we learned of the incident, we activated our Information Security Emergency Process and disconnected parts of our network to attempt to contain the attack,” a company spokesperson said in a statement. “We also deployed internal and external incident response teams and notified law enforcement.”

The spokesperson also said that the company is working to restore systems and will be providing updates to clients as appropriate.

Tim Rouse, executive director of the SPARK Institute, a nonprofit retirement industry trade association, says the attack is a reminder that fiduciaries need to make sure the service providers they use to maintain plan records and participant data follow strong cybersecurity practices.

“Clients want to know that the financial services firms that they’re working with have put in place proper security,” Rouse says.

Rouse’s organization recommends that its members follow 16 data security control objectives to determine a service provider’s overall data security capabilities, including risk assessment and treatment, security policy, physical and environmental security, and incident and event communications management. The objectives are described in detail in the SPARK Institute’s best practices guidance.

“These are the 16 critical areas that the plan sponsor wants to know to find out if they’ve done their due diligence,” Rouse says. “For each of those 16 categories, look at what controls are in place to test that category, how are those controls tested, and what the test results are.”

According to the Department of Labor’s Employee Benefits Security Administration’s tips for hiring firms with strong cybersecurity practices, it’s important to ask about a service provider’s information security standards, practices and policies, and audit results, and then compare them to the industry standards adopted by other financial institutions. The EBSA also suggests looking for service providers that follow a recognized standard for information security and ones that use a third-party auditor to review and validate cybersecurity.

Other EBSA tips include:

  • Ask the service provider how it validates its practices, and what levels of security standards it has met and implemented. Look for contract provisions that give you the right to review audit results demonstrating compliance with the standards.
  • Evaluate the service provider’s track record in the industry, including public information regarding information security incidents, other litigation, and legal proceedings related to the firm’s services.
  • Ask whether the service provider has experienced past security breaches, what happened, and how the service provider responded.
  • Find out if the service provider has any insurance policies that would cover losses caused by cybersecurity and identity theft breaches.
  • Make sure that any contract signed with a service provider requires ongoing compliance with cybersecurity and information security standards—and beware of contract provisions that limit the service provider’s responsibility for IT security breaches.
