Recent enforcement actions highlight the increased regulatory scrutiny that private funds may face with respect to internal cybersecurity protocols and responses to cyber-crimes and cyber incidents under new and updated cybersecurity laws.
Increased Regulatory Focus on Privacy and Cybersecurity for Private Funds in 2022
2021 continued the trend of increased regulatory focus on privacy and cybersecurity for private investment funds in the U.S. and abroad. There are no signs of the trend leveling off any time soon.
One of the topics that captured our attention last year was the rise of ransomware. As previously shared, ransomware has evolved from merely encrypting files or disabling networks to solicit a ransom into sophisticated attacks that penetrate data systems and debilitate entities. Thus, while money continues to be an obvious motivator for these attacks, the pursuit of intellectual property and data increasingly is as well.
Regulatory agencies have responded to combat the increase in attacks. For example, in October 2020, OFAC issued an Advisory declaring that any payment made to a sanctioned entity on OFAC’s list would be a violation of federal sanctions regulations and that the paying entity would be strictly liable. Importantly, this means that neither the intent of the victim nor its knowledge as to whether the entity is on OFAC’s list is a defense. While OFAC intends to decrease compliance with ransomware demands through the issuance of its list of sanctioned entities, the nature of ransomware makes it difficult for the victim of an attack to identify what entity is actually being paid. This ambiguity may cause victims of ransomware attacks to unintentionally violate OFAC’s sanctions and be held strictly liable despite the publication of a list of sanctioned entities.