June 28, 2022

Volume XII, Number 179


June 28, 2022

Subscribe to Latest Legal News and Analysis

June 27, 2022

Subscribe to Latest Legal News and Analysis

Private Equity and Cybersecurity: A Guide to Preparing for and Responding to a Breach

A cyber breach can have serious legal, financial, and reputational consequences for a fund sponsor, as described in our previous post. As such, cybersecurity threats must be treated as business risks, not just a potential IT problem. Senior management at fund sponsors should take the lead to ensure that the sponsor is taking appropriate actions to protect itself against cyber risks. There are several steps that senior management can guide the fund sponsor to take to prevent breaches from occurring and to mitigate the impact when they do occur.

Be Prepared 

Careful planning and preparation, including appropriate policies and procedures, is critical for the creation of an effective cybersecurity program. The program should include a Cyber Risk Assessment and a Cyber Incident Response Plan.

Perform a Cyber Risk Assessment 

  • Information: Identify the information and data that is most sensitive and important to the sponsor. Commentators often refer to this as the “crown jewels.” This will often include information about finances or personally identifying information (“PII”). PII can include individuals’ names, addresses, social security numbers, and other sensitive information about a person.

  • Resources: Devote appropriate staff for the supervision and oversight of cybersecurity measures on an ongoing basis, including having personnel responsible for staying up-to-date on evolving threats, and maintaining all cybersecurity related reports and information.

  • Compliance: Ensure compliance policies satisfy fund governance agreements.

  • Ensure vendor compliance: Review the cyber risk protocols of any vendors who may have access to sponsor data. In particular, the SEC has been especially focused on third party service providers that may have custody of, or access to, PII.

  • Test: Stress test the relevant computer networks in order to identify and assess vulnerabilities.

  • Implement prophylactic measures: Regularly backup important data to guard against ransomware attacks. If the victim has backup copies, the hacker no longer holds the upper hand. Registered investment advisers should already be taking steps to protect, backup and preserve their books and records and customer information pursuant to Rule 204-2 of the Investment Adviser Act and Rule 30 of Regulation S-P.

  • Audit: Institute recurrent security audits to identify potential risks.

Cyber risk assessment is an ongoing process that should be continually revisited and revised to account for the changing regulatory landscape and technological advances.

Adopt a Cyber Incident Response Plan

Assign a “quarterback” to lead response efforts, including coordinating mitigation efforts, remediation actions, and possible law enforcement referral. Coordinate with outside counsel who can act quickly if a breach does occur, and who can coordinate other professionals, such as forensic and IT professionals, while working to protect information through the assertion of privilege.

  • Outline a plan for coordinating with regulators and law enforcement agents.

  • Evaluate the potential need to communicate with investors in the sponsor’s funds in the event of a breach.

  • Retain a public relations consultant to monitor social media and news reports regarding the sponsor and its funds after a breach for the purpose of brand protection.

Counsel should assist with these tasks to ensure that the fund sponsor is prepared and protected.

Follow the Plan

An effective Cyber Incident Response Plan should provide a roadmap for the sponsor in the event of a breach.  Speed is crucial when responding to a breach, particularly in the first twenty-four hours, to try to minimize the impact.

  • Contact counsel identified in the Cyber Incident Response Plan, to engage relevant professionals including, among others, an IT provider and/or a forensic investigator.

  • Define the scope of the breach and assess what systems and data have been compromised. Determine if a backup of any lost data is available.

  • Consider whether notice to law enforcement and/or regulators is necessary or appropriate.

  • Assess with counsel whether the breach has triggered notification requirements to fund investors or others under any applicable laws or contracts.

  • Evaluate with counsel potential insurance coverage, along with regulatory and/or civil litigation risks.

© 2022 Proskauer Rose LLP. National Law Review, Volume X, Number 259

About this Author

Alexandra Bargoot, Proskauer Law Firm, Boston, Litigation and Finance Law Attorney

Alexandra Bargoot is an associate in the Litigation Department and a member of the Private Equity & Hedge Fund Litigation Group. Her practice includes a variety of complex commercial litigation matters, with a focus on private investments funds, involving both private disputes and regulatory issues.

Alexandra assists clients on matters involving SEC investigations, pay to play violations, private actions, sales of investments, investigations of aiding and abetting, arbitration award enforcement, among other areas of expertise.

Margaret A Dale, Commercial Litigation, Proskauer Rose Law Firm

Margaret Dale is a Partner in the Litigation Department, resident in the New York office. Her practice focuses on commercial litigation, including class action defense, as well as intellectual property, privacy and data security, corporate governance litigation, securities litigation, and regulatory and internal investigations. She also represents and counsels clients in art law matters. 

Samuel Waldon, Proskauer Law Firm, Washington DC, Corporate Law and Litigation Attorney

Sam Waldon is a partner in the Litigation Department and a member of the Securities Litigation, White Collar Defense & Investigations and Asset Management Litigation Groups.

Sam’s practice focuses on securities litigation, enforcement and regulatory matters. He represents corporations and financial institutions, and their officers, directors and employees, in investigations, exams, internal investigations and litigation. Sam has in-depth experience in a broad range of Securities and Exchange Commission (SEC) enforcement matters, including...