Today, all businesses, including private funds, depend on cloud-based technology and data storage. Private funds are high-value targets for cyber attacks because of the sensitive nature of the data held. The risks include business disruption, data disclosure, conversion, reputational harm, and legal liability. Ira Kustin (Akin Gump) and Sherrese Smith (Paul Hastings) explain the risks unique to private funds and the cybersecurity and data privacy regulations applicable to U.S. investment advisers. They then explore the increased regulatory scrutiny and the best practices for policies and procedures to ensure compliance and minimize cyber threats.
Cyber Risk at Private Funds
An interview with private funds lawyer Ira Kustin and data privacy and cybersecurity attorney Sherrese Smith
Cyber Targets at Private Funds
When it comes to cyber threats at private funds, risks during a breach include:
Theft of funds
The theft of personal private information of investors, intellectual property, business strategy, or real assets
Business disruption
Legal liability and contractual implications for gross negligence
Reputational harm
Laws Regulating Cybersecurity at Private Funds
Private funds are governed by various state, federal, and international regulations, and these regulations often overlap with one another. Often, the most complicated problem for private funds is determining which regulations are applicable.
U.S. federal regulations include:
The Investment Advisers Act of 1940 (15 U.S.C. § 80b-1 through 15 U.S.C. § 80b-21), which defines what constitutes an investment adviser and requires that entities compensated for giving investment advice register with the SEC and abide by regulations intended to protect investors. The Act has been amended a number of times, most recently in 2019.
Regulation S-P, which requires that broker-dealers, investment companies, and investment advisers adopt specific policies to protect customer records and information.
Regulation S-ID, the Identity Theft Red Flags Rules, which are rules jointly adopted by the SEC and CFTC that require certain regulated entities to maintain programs to detect, prevent, and mitigate identity theft.
The Gramm-Leach-Bliley Act (GLBA), which, in part, requires financial institutions to “explain their information sharing practices to their customers and to safeguard sensitive data.”
State laws of note include:
California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (CDPA)
The state laws offer some exceptions to their privacy and cybersecurity requirements. For example, both the California and Virginia laws provide that private funds are exempt from certain parts of the respective state law where the GLBA applies. All data collected that is not covered by such an exemption remains subject to state law.
Foreign Cybersecurity Laws Applicable to Private Funds
Application of other nations’ laws
It is important that private funds understand their geographic reach and how it determines which countries’ laws apply to them. The GDPR is the most prominent privacy law: if a fund holds or is receiving information about EU constituents and customers, that fund is subject to the General Data Protection Regulation.
Funds should be aware that when they use Cayman vehicles, bring in non-U.S. investors, or bring in tax-exempt U.S. investors, regulations for offshore funds such as the Cayman Data Protection Law may apply.
The SEC and Cybersecurity for Private Funds
The U.S. Securities and Exchange Commission regulates securities markets and protects investors. Relevant to private funds, the SEC issues cybersecurity guidance and brings cybersecurity enforcement actions against financial institutions. Although some of the rules are vague, examiners of registered advisers expect certain specific policies to be in place as part of the overall obligation to maintain policies and procedures under the Advisers Act.
Now, the SEC is focusing on cybersecurity and data protection in novel ways. Some areas of SEC focus can be identified by:
Looking at recent guidance by the SEC. For example, Rule 206(4)-7 in part requires registered advisers to establish policies and procedures designed to prevent, detect, and correct violations of the Advisers Act.
Looking at Risk Alerts issued by exam staff. Risk Alerts are not rulemaking and serve as unofficial guidance. A November 2020 Risk Alert noted that registered advisers have an obligation to review and update their policies and procedures annually in order to comply with the Advisers Act.
Looking at the annual Examination Priorities Report.
When a breach occurs, there are a couple of factors to consider:
Obligation to report breaches
In most cases, there is an obligation to report the breach. Private funds should contact their counsel in the event of a breach. Depending on the jurisdictions of the managers, fund entities, and investors, there may be requirements to notify regulators and investors about the breach.
Enforcement
The penalties following a breach depend on the circumstances. Private funds that do all that is reasonable to prevent breaches are less likely to face SEC enforcement; conversely, reckless or negligent advisers are more likely to face penalties.
New Trends in Cyber Threats at Private Funds
Experts suggest that there are several new considerations that private funds should take into account that were less relevant in the past. These include:
Updating policies and procedures; ensuring that policies and procedures are re-evaluated at least once per year.
Paying closer attention to third parties and their privacy protocols; third parties may have privacy protocols that are not up to standard, putting funds at increased risk of being breached. When forming contractual relationships with third parties and vendors, funds should anticipate and prepare for potential issues.