Cybersecurity

Subscribe to Cybersecurity via RSS

Privacy and cybersecurity issues continue to garner significant attention in the U.S. and abroad. As private investment funds registered with the SEC and their portfolio companies see increased regulatory scrutiny relating to privacy and cybersecurity in the U.S., Proskauer’s Margaret Dale, Todd Ohlms, Jonathan Weiss, Kelly McMullon and Hena Vora

In 2020, we saw an increased regulatory focus on cybersecurity. Though former SEC Chairman Clayton largely took the view that existing statutes and regulations were sufficient, the Division of Examinations increased exam activities in the space while agencies like FinCEN increased enforcement against violators. We can expect to see a continued focus on cybersecurity going forward as a persistent long-term trend, but it is unclear whether it will remain among the top priorities of the SEC this year. As discussed in Risk #1, we believe that the Chairman, Gary Gensler, will take a more active approach generally and, as part of that, we expect a heightened focus on cybersecurity. Sponsors are a theoretically high value target for attack because even relatively small sponsors often control billions of dollars (whether directly or indirectly) and have highly confidential information concerning their investors and partners. It is important that sponsors’ commitment to, and investment in, cybersecurity systems, policies, and procedures is commensurate with their risks and profile in fact.

The regulatory and litigation risks for private funds are greater than at any time since the financial crisis in 2008. Just a few examples prove the point: the pandemic (which caused extraordinary volatility in revenues and valuations for most asset categories); a new administration in Washington D.C. (with a more

Proskauer’s Private Investment Funds Group released its 2020 Annual Review. The yearly report provides a summary of some of the significant changes and developments that occurred in the past year in the private equity and hedge fund spaces, as well as certain recommended practices that investment advisers should consider

As reported last week, a state-sponsored hacker may have breached multiple U.S. government networks through a widely-used software product offered by SolarWinds. The compromised product helps organizations manage their networks, servers and networked devices. The product is not only used by government agencies, but is widely used in both the

Ransomware is a Serious and Growing Problem

In recent years, Ransomware has evolved from merely encrypting files/disabling networks in solicitation of ransom, to sophisticated attacks that often involve actual data access, theft and sometimes, the threat of publication. These sophisticated malware attacks frequently destroy backups and provide criminals even more leverage over their victims, coercing them to pay ransoms.  Ransomware does not just target businesses – it is often used to attack hospitals, research institutions, and other public services that are especially critical during this global pandemic.

It is increasingly common for Ransomware attacks to be associated with large sophisticated cyber-criminal organizations, with a central entity providing the tools, training, and ability to collect ransoms and sending its “associates” out to cause harm. As long as victims continue to pay ransoms, Ransomware is able to expand. Ransomware is also being adapted for new, criminal purposes.  Increasingly, hackers associated with countries like Iran and North Korea are using Ransomware to generate an influx of cash into their economic streams and bypass economic sanctions. Faced with an urgent need to stop the spread of Ransomware, law enforcement is now moving past its old strategy of strongly discouraging victims from paying ransoms. Regulatory agencies – such as OFAC and the SEC – are implementing regulations to prevent victims from paying ransom to buy their way out of a Ransomware attack.  These regulations arm law enforcement with a new enforcement mechanism – allowing them to punish companies who choose to pay ransom in the face of a Ransomware attack. Accordingly, they signal a new area of regulatory enforcement that will likely become the government’s most powerful tool to curb the spread of Ransomware.

On October 7th, 2020, the Securities and Exchange Commission (SEC) announced the rescheduled date of its 2020 national compliance outreach seminar for investment companies and investment advisers.  This program is intended to help Chief Compliance Officers and other senior personnel at investment companies and investment advisory firms enhance their compliance programs.  The SEC’s Office of Compliance Inspections and Examinations (OCIE), Division of Investment Management (IM), and the Asset Management Unit (AMU) of the Division of Enforcement jointly sponsor the compliance outreach program.  The national seminar will be held virtually on the afternoon of Thursday, November 19th, 2020 via a live webcast from the SEC’s Washington, D.C., headquarters from noon until 4:50 p.m. EST.

A cyber breach can have serious legal, financial, and reputational consequences for a fund sponsor, as described in our previous post. As such, cybersecurity threats must be treated as business risks, not just a potential IT problem. Senior management at fund sponsors should take the lead to ensure that the sponsor is taking appropriate actions to protect itself against cyber risks. There are several steps that senior management can guide the fund sponsor to take to prevent breaches from occurring and to mitigate the impact when they do occur.

With 46% of UK business reporting a cyber attack during 2019/2020 and 32% reporting at least one a week – see the UK Government’s Cyber Security Breaches Survey 2020 – the UK’s Financial Conduct Authority (“FCA”) has issued a timely warning to market participants of increasing cyber security threats in the wake of COVID-19.

With more people working remotely than ever before in light of COVID-19, firms in the private equity and hedge fund space should review their Regulation S-P privacy and information-safeguarding policies to ensure they are compliant and ready for a prolonged period of remote work. In particular, in view of SEC guidance, firms should focus on several key areas including personal devices and personally identifiable information.