In 2020, we saw an increased regulatory focus on cybersecurity. Though former SEC Chairman Clayton largely took the view that existing statutes and regulations were sufficient, the Division of Examinations increased exam activities in the space while agencies like FinCEN increased enforcement against violators. We can expect to see a continued focus on cybersecurity going forward as a persistent long-term trend, but it is unclear whether it will remain among the top priorities of the SEC this year. As discussed in Risk #1, we believe that the Chairman, Gary Gensler, will take a more active approach generally and, as part of that, we expect a heightened focus on cybersecurity. Sponsors are a theoretically high value target for attack because even relatively small sponsors often control billions of dollars (whether directly or indirectly) and have highly confidential information concerning their investors and partners. It is important that sponsors’ commitment to, and investment in, cybersecurity systems, policies, and procedures is commensurate with their risks and profile in fact.
Private Equity and Cybersecurity: Threats, Consequences, and the Regulatory Framework
Cybersecurity breaches and threats are pervasive concerns for any entity storing valuable data or managing large sums of money: private investment funds are no exception. Recently three private equity firms suffered breaches that compromised their email accounts and wire transfers, resulting in $1.3 million in losses. We have seen the SEC follow through on its 2019 priority of examining investment advisers about their cyber-security measures, as well as inquiring if they have suffered from a cyber-security breach. We expect that trend to continue. Fund sponsors should be aware of (1) the key cyber threats they face, (2) the consequences of a breach, and (3) the statutory and regulatory framework governing cybersecurity. Fortunately, there are precautionary measures that fund sponsors can implement to help prevent a breach and to mitigate the scope and damage from a breach if one were to occur. We will elaborate on both the steps to take to guard against a breach and how to effectively respond to a breach in a forthcoming post.