2021 continued the trend of increased regulatory emphasis on privacy and cybersecurity for private equity funds in the United States and abroad. There is no sign of the trend stabilizing anytime soon.
One of the topics that caught our attention last year was the rise of ransomware. As previously shared, ransomware has evolved from simple file encryption or network disabling as part of a ransom demand to sophisticated attacks that penetrate data systems and debilitate entities. So while money continues to be an obvious motivation for these attacks, the pursuit of intellectual property and data increasingly is as well. Regulatory agencies have responded to combat the increase in attacks. For example, in October 2020, OFAC issued an advisory stating that any payment made to a sanctioned entity on the OFAC list would violate federal sanctions regulations and that the paying entity would be strictly liable. Importantly, this means that the intent of the victim and whether the entity is on OFAC’s list are not a defence. Although OFAC intends to reduce compliance with ransomware demands by publishing its list of sanctioned entities, the nature of ransomware makes it difficult for the victim of an attack to identify which entity is actually being paid. This ambiguity can cause victims of ransomware attacks to unwittingly violate OFAC sanctions and be held strictly accountable despite the publication of a list of sanctioned entities.
In the same spirit of preventing privacy breaches through cybersecurity efforts, in February 2022 the SEC proposed new rules under the Investment Advisers Act 1940 (the “Advisers Act”) and the Investment Companies Act 1940 (the “Investment Companies Act”) requiring investment advisers and Registered Funds to adopt and implement written cybersecurity policies and procedures reasonably designed to address these risks. One of the proposed rules requires advisers to report significant cybersecurity incidents affecting the adviser, or its fund or private fund clients, to the Commission. The Commission is also proposing changes to various forms regarding disclosure related to cybersecurity risks and incidents that affect advisers, funds, their clients and their shareholders. The comment period ends on April 11, 2022, after which we can expect these new rules to come into effect.
In the UK, the National Cyber Security Center (NCSC) recently published a reminder for organizations to take steps to protect their systems given the increased risk and number of cyber threats. This reminder has been reiterated by the ICO, the UK’s data supervisory authority, following a reported increase in cybersecurity-related data breaches in the UK of almost 20% over the last two years. UK data protection law already provides that organizations must implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk” to protect personal data. When designing and assessing “appropriate” measures, organizations in the UK (including funds, sponsors and advisers) should now also consider the specific ransomware tips recently released by the ICO.
We expect to see a continued focus on privacy and cybersecurity in the private funds space as regulators work to find ways to increase security and reduce the risk of loss from new methods of attack. The Asset Management Litigation team will continue to keep abreast of developments and provide you with updates on these matters throughout the year.
Learn more about our Top 10 Regulatory and Litigation Risks for Private Funds in 2022.