Recent enforcement actions highlight the increased regulatory scrutiny that private funds may face with respect to internal cybersecurity protocols and responses to cyber-crimes and cyber incidents under new and updated cybersecurity laws.
A cyber breach can have serious legal, financial, and reputational consequences for a fund sponsor, as described in our previous post. As such, cybersecurity threats must be treated as business risks, not just a potential IT problem. Senior management at fund sponsors should take the lead to ensure that the sponsor is taking appropriate actions to protect itself against cyber risks. There are several steps that senior management can guide the fund sponsor to take to prevent breaches from occurring and to mitigate the impact when they do occur.
With 46% of UK business reporting a cyber attack during 2019/2020 and 32% reporting at least one a week – see the UK Government’s Cyber Security Breaches Survey 2020 – the UK’s Financial Conduct Authority (“FCA”) has issued a timely warning to market participants of increasing cyber security threats in the wake of COVID-19.
Cybersecurity breaches and threats are pervasive concerns for any entity storing valuable data or managing large sums of money: private investment funds are no exception. Recently three private equity firms suffered breaches that compromised their email accounts and wire transfers, resulting in $1.3 million in losses. We have seen the SEC follow through on its 2019 priority of examining investment advisers about their cyber-security measures, as well as inquiring if they have suffered from a cyber-security breach. We expect that trend to continue. Fund sponsors should be aware of (1) the key cyber threats they face, (2) the consequences of a breach, and (3) the statutory and regulatory framework governing cybersecurity. Fortunately, there are precautionary measures that fund sponsors can implement to help prevent a breach and to mitigate the scope and damage from a breach if one were to occur. We will elaborate on both the steps to take to guard against a breach and how to effectively respond to a breach in a forthcoming post.
COVID-19 has created many new concerns for private fund managers; however, managers should be particularly mindful of heightened cybersecurity and fraud risks. With increased numbers of employees teleworking, there are increased vulnerabilities for cybercriminal intrusions creating privacy-related risks for fund portfolio information, LP confidential data, and other sensitive electronically-stored materials.