Cyber Risk at Private Funds

Cyber Risk at Private Funds
An interview with private funds lawyer Ira Kustin and data privacy and cybersecurity attorney Sherrese Smith

Cyber Targets at Private Funds

When it comes to cyber threats at private funds, risks during a breach include:

  • Theft of funds

  • The theft of personal private information of investors, intellectual property, business strategy, or real assets

  • Business disruption

  • Legal liability and contractual implications for gross negligence

  • Reputational harm

Laws Regulating Cybersecurity at Private Funds

Private funds are governed by various state, federal, and international regulations, and these regulations often overlap with one another. Often, the most complicated problem for private funds is determining which regulations are applicable.

  • U.S. federal regulations include:

    • The Investment Advisers Act of 1940 (15 U.S.C. S 80b-1 through 15 U.S.C. S 80b-21), which requires that entities compensated for advising must register to the SEC and abide by regulations intended to protect investors, after defining what constitutes an adviser. The Act has been amended a number of times, most recently in 2019. 

    • Regulation S-P, which requires that broker-dealers, investment companies, and investment advisers adopt specific policies to protect customer records and information. 

    • Regulation S-ID, the Identity Theft Red Flag Rules, are SEC and CFTC jointly adopted rules that require certain regulated entities to have programs to address and prevent identity theft. 

    • The Gramm Leach Bliley Act (GLBA), which, in part, requires financial institutions to “explain their information sharing practices to their customers and to safeguard sensitive data.”

  • State laws of note include:

    • California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (CDPA)

      • The state laws offer some exceptions to their privacy and cybersecurity requirements. For example, in both California and Virginia, laws provide that private funds will be exempt to certain parts of the respective state laws where the GBLA applies. All data collected that is not exempt will be subject to state law. 

Foreign Cybersecurity Laws Applicable to Private Funds 

  • Application of other nation’s laws 

    • It is important that private funds understand their reach and how it affects which country's laws. Namely, the GDPR is the most prominent privacy law. If a fund has or is receiving information about EU constituents and customers, that fund is subject to the General Data Protection Regulation

  • Funds should be aware that when using Cayman vehicles, bringing in non-U.S. investors and bringing in tax-exempt U.S. investors, regulations for offshore funds like the Cayman Data Protection Law may apply.

The SEC and Cybersecurity for Private Funds

The U.S. Securities and Exchange Commission regulates securities markets and protects investors. Relevant to private funds, the SEC provides cybersecurity guidance and brings forth cybersecurity enforcement actions against such financial institutions. Although some rules are vague, examiners of registered advisers expect certain specific policies that are required for the overall obligation to have policies and procedures under the Advisers Act.

 Now, the SEC is focusing on cybersecurity and data protection in novel ways. Some areas of focus of the SEC can be clarified by. . .

  • . . . Looking at recent guidance by the SEC. For example, Rule 206(4)-7 in part requires registered advisers to establish policies and procedures designed to prevent, detect, and correct violations of the advisers act. 

  • . . . Looking at Risk Alerts by exam staff. Risk Alerts are not rulemaking and serve as unofficial guidance. A November 2020 Risk Alert noted that registered advisers have an obligation to update policies and procedures annually in order to comply with the Advisers Act. 

  • . . . Looking at the annual Examination Priorities Report.

When a breach occurs, there are a couple of factors to consider:

  • Obligation to report breaches

    • There is, in the most likely case, an obligation to report the breach. Private funds should contact their counsel in the event of a breach. Depending on the jurisdictions of the managers, fund entities, and investors, there may be requirements to notify regulators and investors about the breach. 

  • Enforcement 

    • The penalties following a breach depend on the circumstances. Private funds that do all that is reasonable to prevent breaches are less likely to face SEC enforcement. Accordingly, more reckless or negligent advisers are more likely to face penalties. 

New Trends in Cyber Threats at Private Funds

Experts suggest that there are several new considerations that private funds should take into account that were less relevant in the past. These include:

  • Updating policies and procedures; ensuring that policies and procedures are re-evaluated at least once per year. 

  • Paying closer attention to third parties and their privacy protocols; third parties may have privacy protocols that are not up-to-standard and put funds at increased risk of getting hacked. In forming contractual relationships with third parties and vendors, funds should anticipate and prepare for potential issues.

John Morley discusses A New Direction for Directed Trusts
A New Direction for Directed Trusts
Leading ADR Providers discusses Arbitration and Mediation in the Time of COVID
Arbitration and Mediation in the Time of COVID
Ira Kustin discusses A Shift in Funds
A Shift in Funds
Matthew F. Herman discusses A Year Like No Other
A Year Like No Other
Edward Morrison discusses Bankruptcy in the Time of COVID-19
Bankruptcy in the Time of COVID-19
Michelle A. Reed discusses Cyber Defense: Private Funds & Banks
Cyber Defense: Private Funds & Banks
Michelle A. Reed discusses Cyber Defense: Private Funds & Banks (Part 2)
Cyber Defense: Private Funds & Banks (Part 2)
John Morley discusses Dangers of the ICO - Investing in Crypto
Dangers of the ICO - Investing in Crypto
Prof. Naomi R. Cahn discusses Digital Asset Planning
Digital Asset Planning
Judge Andrew Napolitano discusses Domestic Spying and the NSA
Domestic Spying and the NSA
James Anderson discusses Driverless Cars—A Shift in Risk
Driverless Cars—A Shift in Risk
Steve Lehto discusses Dud Cars and Lemon Laws
Dud Cars and Lemon Laws
Nadine Strossen discusses Free Speech in a Social Media World
Free Speech in a Social Media World
Jeffrey Rosen discusses Government Surveillance: Privacy & Technology
Government Surveillance: Privacy & Technology
Prof. Michael Graetz discusses Infrastructure and Employment
Infrastructure and Employment
Eric Goldman discusses Interpreting Emoji
Interpreting Emoji
David N. Feldman discusses Investing in Green—Funding the Marijuana Industry
Investing in Green—Funding the Marijuana Industry
David N. Feldman discusses Investing in Green—Funding the Marijuana Industry (Part 2)
Investing in Green—Funding the Marijuana Industry (Part 2)
Columbia Law School Faculty discusses Law in the Time of COVID-19
Law in the Time of COVID-19
Anthony Sebok discusses Legal Innovation – Investing in Lawsuits
Legal Innovation – Investing in Lawsuits
Anthony Sebok discusses Legal Innovation – Investing in Lawsuits (Part 2)
Legal Innovation – Investing in Lawsuits (Part 2)
Hina Shamsi discusses Military Drones and Targeted Killing
Military Drones and Targeted Killing
John Morley discusses Mutual Funds Structure and Risk
Mutual Funds Structure and Risk
Daniel Capra discusses Police Power and Personal Rights
Police Power and Personal Rights
Daniel Capra discusses Police Power and Personal Rights (Part 2)
Police Power and Personal Rights (Part 2)
Prof. I. Bennett Capers discusses Police Technology - From Body Cameras to Facial Recognition
Police Technology - From Body Cameras to Facial Recognition
Aimen Mir and Colin Costello discusses Powers of the Modern CFIUS
Powers of the Modern CFIUS
Amy Gajda discusses Press Freedom vs. Privacy—Newsworthiness in a Self-Publishing Era
Press Freedom vs. Privacy—Newsworthiness in a Self-Publishing Era
Amy Gajda discusses Press Freedom vs. Privacy—Newsworthiness in a Self-Publishing Era (Part 2)
Press Freedom vs. Privacy—Newsworthiness in a Self-Publishing Era (Part 2)
Joel Reidenberg discusses Privacy & Technology in Today's Schools
Privacy & Technology in Today's Schools
Jeffrey Rosen discusses Privacy vs. Government Tech
Privacy vs. Government Tech
Annette Nazareth discusses Regulating Finance: Dodd Frank Decoded
Regulating Finance: Dodd Frank Decoded
Leading ADR Providers discusses Remote Arbitration in a Pandemic
Remote Arbitration in a Pandemic
Leading ADR Providers discusses Remote Arbitration in a Pandemic
Remote Arbitration in a Pandemic
Leading ADR Providers discusses Remote Arbitration in a Pandemic (Part 2)
Remote Arbitration in a Pandemic (Part 2)
Scott Skinner-Thompson discusses Sexual Privacy and Government "Outing"
Sexual Privacy and Government "Outing"
John Heitmann and Jameson Dempsey discusses The Internet of Things – The Latest Frontier
The Internet of Things – The Latest Frontier
John Heitmann and Jameson Dempsey discusses The Internet of Things – The Latest Frontier (Part 2)
The Internet of Things – The Latest Frontier (Part 2)
David Sheehan discusses The Madoff Fraud: Unwinding a Ponzi Empire
The Madoff Fraud: Unwinding a Ponzi Empire
David Sheehan discusses The Madoff Fraud: Unwinding a Ponzi Empire (Part 2)
The Madoff Fraud: Unwinding a Ponzi Empire (Part 2)
John Morley discusses The Weapons of a Hostile Takeover
The Weapons of a Hostile Takeover
Prof. Michael Graetz discusses The Wolf at the Door: Addressing Unemployment in Pandemic America
The Wolf at the Door: Addressing Unemployment in Pandemic America
Steve Lehto discusses Used Car Battles
Used Car Battles
John Morley discusses When Law Firms Collapse
When Law Firms Collapse
Prof. James Cox discusses Who's Liable After GameStop: A Law Professor's Take
Who's Liable After GameStop: A Law Professor's Take
Kenneth Breen and Phara Guberman discusses Who's Liable After GameStop: Litigators' Take
Who's Liable After GameStop: Litigators' Take