August 7, 2020

Volume X, Number 220


Private Equity and Cybersecurity: Threats, Consequences, and the Regulatory Framework

Cybersecurity breaches and threats are pervasive concerns for any entity storing valuable data or managing large sums of money, and private investment funds are no exception.  Recently, three private equity firms suffered breaches that compromised their email accounts and wire transfers, resulting in $1.3 million in losses.  We have seen the SEC follow through on its 2019 priority of examining investment advisers about their cybersecurity measures, as well as inquiring whether they have suffered a cybersecurity breach.  We expect that trend to continue.  Fund sponsors should be aware of (1) the key cyber threats they face, (2) the consequences of a breach, and (3) the statutory and regulatory framework governing cybersecurity.  Fortunately, there are precautionary measures that fund sponsors can implement to help prevent a breach and to mitigate the scope and damage of a breach if one were to occur.  We will elaborate on both the steps to take to guard against a breach and how to respond effectively to a breach in a forthcoming post.

Key Threats

In the United States alone in 2019, there were 467,361 complaints to the FBI of cybercrime, resulting in $3.5 million in losses.  Globally, there were far more.  It is reported that in 2018 there were 378 million victims of cybercrime, resulting in financial losses of $113 billion.  There are many motives for cyberattacks, including terrorism, hacktivism, and warfare; however, ordinary crime is the most common reason that businesses suffer breaches.  Attackers primarily use ransomware or a business email compromise scheme (“BEC scheme”) to improperly gain access to money or valuable personal information.  Both methods can result in serious damage to the breached entity.

In a ransomware attack, the attacker locks and encrypts a client’s computer data, then demands a ransom to restore access.  In many cases, the victim must pay the cybercriminal within a set amount of time or risk losing access forever.  However, because this is a criminal attack, paying the ransom does not ensure that access will be restored.  The risk to clients cannot be overstated: critical data can be permanently damaged or lost.

BEC schemes are executed through phishing emails and also pose a material threat.  An attacker creates an email that appears to be sent by a reliable and safe source, such as a commonly used website like Netflix or Amazon, a government agency like the IRS or FBI, or even a high-ranking person within the company like the CEO.  Through this phishing email, the target’s email account can be compromised, resulting in the unauthorized transfer of funds, the theft of client or contact lists, or the theft of personally identifiable information (“PII”).  This stolen information is then typically sold on the Dark Web and is highly lucrative for these attackers.

Consequences of a Breach

To start, there are the obvious consequences, such as direct financial loss and the costs of responding to an attack.  Responding to a successful attack is a very real and time-consuming disruption to business operations.  Reputational harm is another impact that can indirectly cause future difficulties and financial losses.  The loss of investors’ trust in the fund and its management can be hard to overcome and may create tensions between fund sponsors and investors.  The attack can also lead to civil litigation, such as suits by individuals whose PII was compromised.

Additionally, a breach can trigger governmental and regulatory inquiries by the DOJ, SEC, FINRA, and even state attorneys general.  Cybersecurity breaches are unique in that an entity can be the victim of the breach and still be found to bear a degree of responsibility.  The SEC has made it clear that cybersecurity is the “responsibility of every market participant” and that it will use its authority to bring cyber-related actions that protect investors.  If a fund or its manager has failed to take reasonable steps to protect investors’ information, the fund manager can be held accountable by the SEC.

Statutory and Regulatory Framework

Congress enacted the Gramm-Leach-Bliley Act of 1999, which requires federal agencies to establish standards to safeguard the security and confidentiality of customer records.  The SEC complied with this act by issuing the “Safeguard Rule” (Regulation S-P).  It applies to registered broker-dealers, registered investment companies, and registered investment advisers.  However, Regulation S-P does not specify what disclosure and mitigation obligations a firm has in the event of a cyber breach, in contrast to public companies, for which the SEC has issued clear guidance on disclosure obligations.

The Consumer Financial Protection Bureau issued Regulation P.  This regulation mirrors Regulation S-P and applies to exempt reporting advisers and private funds.  It requires that these entities have written policies and procedures reasonably designed to (a) ensure the confidentiality of customer records and (b) protect against any anticipated threats to, or unauthorized access to, customer information.

The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) has repeatedly identified cybersecurity as one of its priorities, and the SEC has offered comments and guidance on how it will evaluate security breaches.  In October 2018, the SEC issued a report explaining the factors it would consider in determining whether businesses violated the federal securities laws by failing to have a sufficient system of internal controls to prevent losses from BEC and similar schemes.  Failing to institute such internal controls, or having insufficient internal controls, could result in issues with the SEC even when the fund sponsor is the victim of a cyberattack.  It is not uncommon for the SEC to request information about cyber controls or cyber breaches during an examination.  In fact, up to now, the SEC has largely approached compliance with Regulation S-P through its examination program rather than through enforcement actions.  However, firms should be mindful that the SEC could bring an enforcement action in the case of a particularly large breach, or become more aggressive under a new administration.  We have seen the SEC remind private fund sponsors that they could also be held responsible for cyber breaches at a portfolio company if the company is a “control investment.”  Fund sponsors, particularly in the private equity buyout space, should make efforts to evaluate cyber risks and controls at such portfolio companies, particularly if those companies maintain or have access to any sort of PII.

In addition to federal agency regulations, fund sponsors should be aware that almost all states require private entities to notify individuals of security breaches involving “personally identifiable information.”  These laws vary in statutory structure and prosecutorial discretion.  When an entity must notify individuals of a breach also differs from jurisdiction to jurisdiction.  Some states only require that an entity notify the attorney general, and only if the breach exceeds a particular threshold, while others require that entities notify individuals that a breach compromising their information has occurred, regardless of its significance.  Regardless of these differences, state attorneys general can impose penalties on fund sponsors for failure to protect PII.

Massachusetts’ cybersecurity laws go beyond the Gramm-Leach-Bliley Act and require that both employee and customer information be protected.  The state has also issued a checklist to help entities comply with the law.  At this time, Massachusetts has several additional pending bills relating to cybersecurity.

Notably, California now has a private right of action permitting victims of identity theft to bring a cause of action against a business for failure to protect their PII.  The California Consumer Privacy Act of 2018 (“CCPA”) became operative on January 1, 2020.  This act generally requires that customers of qualifying businesses be able to know and control the information collected about them.  Given the CCPA’s broad definitions of consumers and businesses, investment funds and their managers may be considered “qualifying businesses,” and the information they collect regarding their employees, job applicants, investors, and prospective investors residing in California could be subject to the CCPA.

Every state has its own laws and regulations, making it vitally important to engage competent counsel to navigate the demands of the various jurisdictions that may be impacted by a breach.

© 2020 Proskauer Rose LLP. National Law Review, Volume X, Number 141

About this Author

Alexandra Bargoot, Proskauer Law Firm, Boston, Litigation and Finance Law Attorney
Associate

Alexandra Bargoot is an associate in the Litigation Department and a member of the Private Equity & Hedge Fund Litigation Group. Her practice includes a variety of complex commercial litigation matters, with a focus on private investments funds, involving both private disputes and regulatory issues.

Alexandra assists clients on matters involving SEC investigations, pay to play violations, private actions, sales of investments, investigations of aiding and abetting, arbitration award enforcement, among other areas of expertise.

617-526-9461
Anthony M. Drenzek, Special regulatory Counsel, Proskauer Rose, Attorney, Finance Policy Lawyer
Special Regulatory Counsel

Tony is special regulatory counsel in the Corporate Department and a member of the Private Funds Group and the Private Equity & Hedge Fund Litigation team. His practice focuses on advising U.S. and offshore private fund managers on all aspects of federal, state and SRO organizational and operational compliance, with a specific emphasis on the Investment Advisers Act of 1940.

Tony assists U.S. and offshore private fund clients in registering with the SEC as investment advisers, or reporting as exempt reporting advisers, and complying with CFTC and various U.S. state registration and notice-filing requirements. He also assists on structuring fundraising transactions to comply with the U.S. offering exemptions available under Regulation D and Regulation S.


Tony proactively monitors the evolving regulatory landscape and counsels clients on practical industry approaches to compliance and how anticipated trends in agency rulemaking and staff expectations may affect their operations. He counsels clients on the establishment, implementation and evaluation of regulatory programs required under the Investment Advisers Act of 1940. In addition to compliance manuals and codes of ethics, Tony assists on the creation and maintenance of various operational-level compliance policies and procedures in areas such as investment and expense allocation policies, investment valuation procedures, cybersecurity policies, and business continuity and transition plans.

As clients’ investment management practices mature, Tony advises on the regulatory aspects of transactions involving divestments, mergers and acquisitions of investment managers and fund complexes. This includes coordinating and amending applicable regulatory filings and assuring that client consent requirements are evaluated and compliant.

As a member of the Private Equity & Hedge Fund Litigation team, Tony has advised clients on responses to inquiries and investigations from federal and state regulatory agencies on various regulatory matters, including the Investment Advisers Act’s pay-to-play and custody rule requirements.

Tony has authored and co-authored numerous articles on various regulatory matters affecting private fund sponsors, including several published in the Hedge Fund Law Report, Private Funds Management, Compliance Week, VC Experts and Law360.

Prior to joining Proskauer, Tony served as an associate director of the Massachusetts Securities Division and was appointed as a Special Assistant Attorney General in the Commonwealth of Massachusetts. Between 2008 and 2013, Tony was an adjunct professor in the Law, Taxation and Financial Planning Department at Bentley University in Waltham, where he developed and taught a course focusing on application of the Securities Act of 1933 and the Securities Exchange Act of 1934.

617.526.9655
Samuel Waldon, Proskauer Law Firm, Washington DC, Corporate Law and Litigation Attorney
Partner

Sam Waldon is a partner in the Litigation Department and a member of the Securities Litigation, White Collar Defense & Investigations and Asset Management Litigation Groups.

Sam’s practice focuses on securities litigation, enforcement and regulatory matters. He represents corporations and financial institutions, and their officers, directors and employees, in investigations, exams, internal investigations and litigation. Sam has in-depth experience in a broad range of Securities and Exchange Commission (SEC) enforcement matters, including...

202-416-6858
Margaret A Dale, Commercial Litigation, Proskauer Rose Law Firm
Partner

Margaret Dale is a Partner in the Litigation Department, resident in the New York office. Her practice focuses on commercial litigation, including class action defense, as well as intellectual property, privacy and data security, corporate governance litigation, securities litigation, and regulatory and internal investigations. She also represents and counsels clients in art law matters.

212.969.3315