2021 continued the trend of increased regulatory focus on privacy and cybersecurity for private investment funds in the U.S. and abroad. There are no signs of the trend leveling off any time soon.

One of the topics that captured our attention last year was the rise of ransomware. As previously shared, ransomware has evolved from merely encrypting files/disabling networks in solicitation of ransom, to sophisticated attacks penetrating data systems and debilitating entities.  Thus, while money continues to be an obvious motivator for these attacks, increasingly so is the pursuit of intellectual property and data.  Regulatory agencies have responded to combat the increase in attacks. For example, in October 2020, OFAC issued an Advisory declaring that any payment made to a sanctioned entity on OFAC’s list would be a violation of federal sanctions regulations and the paying entity would be strictly liable. Importantly, this means that the intent of the victim, and the knowledge as to whether the entity is on OFAC’s list, is no defense. While OFAC intends to decrease ransomware attack compliance through the issuance of its list of sanctioned entities, the nature of ransomware makes it difficult for the victim of an attack to be able to identify what entity is actually being paid.  This ambiguity may cause victims of ransomware attacks to unintentionally violate OFAC’s sanctions and be held strictly liable despite the publication of a list of sanctioned entities.

Sanctions continue to be a dynamic area of regulation and enforcement. In its first year, the Biden Administration has already undertaken a number of different sanctions initiatives. The three examples below highlight the range of strategies employed and their potential ramifications for private investment funds.

Privacy and cybersecurity issues continue to garner significant attention in the U.S. and abroad. As private investment funds registered with the SEC and their portfolio companies see increased regulatory scrutiny relating to privacy and cybersecurity in the U.S., Proskauer’s Margaret Dale, Todd Ohlms, Jonathan Weiss, Kelly McMullon and Hena Vora

Ransomware is a Serious and Growing Problem

In recent years, Ransomware has evolved from merely encrypting files/disabling networks in solicitation of ransom, to sophisticated attacks that often involve actual data access, theft and sometimes, the threat of publication. These sophisticated malware attacks frequently destroy backups and provide criminals even more leverage over their victims, coercing them to pay ransoms.  Ransomware does not just target businesses – it is often used to attack hospitals, research institutions, and other public services that are especially critical during this global pandemic.

It is increasingly common for Ransomware attacks to be associated with large sophisticated cyber-criminal organizations, with a central entity providing the tools, training, and ability to collect ransoms and sending its “associates” out to cause harm. As long as victims continue to pay ransoms, Ransomware is able to expand. Ransomware is also being adapted for new, criminal purposes.  Increasingly, hackers associated with countries like Iran and North Korea are using Ransomware to generate an influx of cash into their economic streams and bypass economic sanctions. Faced with an urgent need to stop the spread of Ransomware, law enforcement is now moving past its old strategy of strongly discouraging victims from paying ransoms. Regulatory agencies – such as OFAC and the SEC – are implementing regulations to prevent victims from paying ransom to buy their way out of a Ransomware attack.  These regulations arm law enforcement with a new enforcement mechanism – allowing them to punish companies who choose to pay ransom in the face of a Ransomware attack. Accordingly, they signal a new area of regulatory enforcement that will likely become the government’s most powerful tool to curb the spread of Ransomware.

A cyber breach can have serious legal, financial, and reputational consequences for a fund sponsor, as described in our previous post. As such, cybersecurity threats must be treated as business risks, not just a potential IT problem. Senior management at fund sponsors should take the lead to ensure that the sponsor is taking appropriate actions to protect itself against cyber risks. There are several steps that senior management can guide the fund sponsor to take to prevent breaches from occurring and to mitigate the impact when they do occur.

With 46% of UK business reporting a cyber attack during 2019/2020 and 32% reporting at least one a week – see the UK Government’s Cyber Security Breaches Survey 2020 – the UK’s Financial Conduct Authority (“FCA”) has issued a timely warning to market participants of increasing cyber security threats in the wake of COVID-19.

Cybersecurity breaches and threats are pervasive concerns for any entity storing valuable data or managing large sums of money: private investment funds are no exception.  Recently three private equity firms suffered breaches that compromised their email accounts and wire transfers, resulting in $1.3 million in losses.  We have seen the SEC follow through on its 2019 priority of examining investment advisers about their cyber-security measures, as well as inquiring if they have suffered from a cyber-security breachWe expect that trend to continueFund sponsors should be aware of (1) the key cyber threats they face, (2) the consequences of a breach, and (3) the statutory and regulatory framework governing cybersecurity.  Fortunately, there are precautionary measures that fund sponsors can implement to help prevent a breach and to mitigate the scope and damage from a breach if one were to occur. We will elaborate on both the steps to take to guard against a breach and how to effectively respond to a breach in a forthcoming post.