The SEC’s new and proposed rules on cybersecurity and cyber-incident reporting will have a dual impact on private investment advisers and funds. 

First, the proposal by the SEC will impose cybersecurity related obligations on investment advisers, registered investment companies and business development companies, with a final rule in this sector (the “adviser cybersecurity rule”) expected in April 2024. 

Recent enforcement actions highlight the increased regulatory scrutiny that private funds may face with respect to internal cybersecurity protocols and responses to cyber-crimes and cyber incidents under new and updated cybersecurity laws. 

On March 15, 2023 the U.S. Securities and Exchange Commission (“SEC”) released its proposal to amend Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, while simultaneously issuing two additional cybersecurity-related rule proposals[1] and re-opening the comment period for its previously-proposed cybersecurity risk management rule released in February 2022.[2] This set of sweeping reforms makes it clear, if not already, that the SEC is serious about implementing comprehensive cybersecurity and privacy standards across its regulated entity population—including investment advisers.   

Everything, everywhere, all at once is our risk thesis for 2023, but one must not forget about concentration risk.  This issue has rocketed up diligence agendas for LPs and GPs alike as the collapse of Silicon Valley Bank proved it really was the bank for venture capital.The entry of SVB into receivership on March 10, 2023 highlighted just how central it had become to U.S. venture capital, providing deposit and credit facilities not just to asset managers, but also to many (and in some cases the vast majority) of their portfolio companies and investors.  While deposit accounts were protected in full, companies unable to access those accounts for several days faced significant disruption.  Further, while borrowers were still bound by terms of credit agreements, there was no immediate obligation on the Federal Deposit Insurance Corporation (FDIC) as receiver to honor drawdown requests (although the bridge bank did announce it would honor credit facilities). Net asset value (NAV) lines, subscription lines and investors’ own deposit and credit lines were also affected. The deposits and loans of SVB were acquired from FDIC by First Citizens Bank on March 27, 2023.

Everything, everywhere, all at once, as a descriptor, captures the litigation and regulatory risks for the asset management industry in 2023. Every corner of the market faces greater risks than at any time since 2008. After years of breakneck growth fueled by low interest rates and a largely laissez faire regulatory regime, significant change is here.

2021 continued the trend of increased regulatory focus on privacy and cybersecurity for private investment funds in the U.S. and abroad. There are no signs of the trend leveling off any time soon.

One of the topics that captured our attention last year was the rise of ransomware. As previously shared, ransomware has evolved from merely encrypting files/disabling networks in solicitation of ransom, to sophisticated attacks penetrating data systems and debilitating entities.  Thus, while money continues to be an obvious motivator for these attacks, increasingly so is the pursuit of intellectual property and data.  Regulatory agencies have responded to combat the increase in attacks. For example, in October 2020, OFAC issued an Advisory declaring that any payment made to a sanctioned entity on OFAC’s list would be a violation of federal sanctions regulations and the paying entity would be strictly liable. Importantly, this means that the intent of the victim, and the knowledge as to whether the entity is on OFAC’s list, is no defense. While OFAC intends to decrease ransomware attack compliance through the issuance of its list of sanctioned entities, the nature of ransomware makes it difficult for the victim of an attack to be able to identify what entity is actually being paid.  This ambiguity may cause victims of ransomware attacks to unintentionally violate OFAC’s sanctions and be held strictly liable despite the publication of a list of sanctioned entities.

Last year, we wrote, “The regulatory and litigation risks for private funds are greater than at any time since the financial crisis in 2008.” That statement is even more true today. The Wall Street Journal recently published separate front-page stories on an SEC initiative to oversee large private companies and the explosive growth of the private credit industry (suggesting a more active phase of regulatory oversight). Growth itself is not necessarily a risk, but disputes – and regulators – tend to follow capital.

Private funds are now an integral part of the global economy and, as a consequence, are affected by it. Currently, there are massive structural changes occurring simultaneously across industries and the economy as a whole. For example: cryptocurrencies could threaten legacy payment systems and currencies; the electrification of the auto industry may lead to obsolescence of the internal combustion engine; and climate change will increase the ESG groundswell. These changes are not merely disruptive; they are transformative.

In 2020, we saw an increased regulatory focus on cybersecurity. Though former SEC Chairman Clayton largely took the view that existing statutes and regulations were sufficient, the Division of Examinations increased exam activities in the space while agencies like FinCEN increased enforcement against violators. We can expect to see a continued focus on cybersecurity going forward as a persistent long-term trend, but it is unclear whether it will remain among the top priorities of the SEC this year. As discussed in Risk #1, we believe that the Chairman, Gary Gensler, will take a more active approach generally and, as part of that, we expect a heightened focus on cybersecurity. Sponsors are a theoretically high value target for attack because even relatively small sponsors often control billions of dollars (whether directly or indirectly) and have highly confidential information concerning their investors and partners. It is important that sponsors’ commitment to, and investment in, cybersecurity systems, policies, and procedures is commensurate with their risks and profile in fact.

The regulatory and litigation risks for private funds are greater than at any time since the financial crisis in 2008. Just a few examples prove the point: the pandemic (which caused extraordinary volatility in revenues and valuations for most asset categories); a new administration in Washington D.C. (with a more

Proskauer’s Private Investment Funds Group released its 2020 Annual Review. The yearly report provides a summary of some of the significant changes and developments that occurred in the past year in the private equity and hedge fund spaces, as well as certain recommended practices that investment advisers should consider