Recent enforcement actions highlight the increased regulatory scrutiny that private funds may face with respect to internal cybersecurity protocols and responses to cyber-crimes and cyber incidents under new and updated cybersecurity laws.
In January 2023, the New York Department of Financial Services (DFS) announced sanctions against Coinbase, finding “significant failings in the company’s compliance program.” Notably, Coinbase had failed to timely report to DFS, under its cyber-regulations, the occurrence of a May 2021 phishing scam that affected approximately 6,000 of Coinbase’s customers. The resulting consent order required Coinbase to pay a $50 million penalty and invest an additional $50 million in its compliance program. DFS’s case against Coinbase was similar to DFS’s enforcement action against Robinhood in August 2022, where Robinhood was fined $30 million for, among other things, failing to maintain a cybersecurity compliance program pursuant to state regulations.
Other regulators are hyperfocused on cybersecurity compliance as well. Although it did not yet have a cybersecurity regulation, the SEC sanctioned eight firms in 2021 for failures in cybersecurity policies that led to the exposure of customers’ and clients’ personal information. In October 2022, the FTC brought enforcement actions against online alcohol marketplace Drizly and against education technology provider Chegg. Both actions came on the heels of significant data breaches affecting the companies’ employees and customers. The cybersecurity failures cited in these two FTC actions included the insecure storage of information, a lack of network monitoring, and failing to develop security policies or provide training for employees.
In fact, just recently, the SEC reopened the public comment period on rules proposed in 2022 under the Investment Advisers Act of 1940 and the Investment Company Act of 1940. The proposed rules would require registered investment advisers and investment companies to report significant cybersecurity incidents to the SEC and adhere to enhanced disclosure obligations regarding cybersecurity risks. The proposal would also require these entities to maintain certain cybersecurity-related books and records. The comment period reopened on March 15, 2023 and closed on May 22, 2023.
In Europe, regulators have emphasized developing and building on existing legislation. In the UK, the government plans to update the Network and Information Systems Regulations (“NIS UK”), which set cybersecurity standards for critical industries (e.g., transport, water, energy), and extend those requirements to managed service providers (including outsourced IT security providers). These developments follow well-publicized cyberattacks, such as Operation CloudHopper, which compromised managed service providers. Planned updates would also alter cost recovery so that the relevant regulators can recover more of the costs of enforcing NIS UK from the organizations they regulate.
Contemporaneously, the EU Network and Information Systems Directive (“NIS2”) became law. Building on the prior directive (on which the UK legislation was based), the EU plans to implement several new reforms, including expanding the scope of its regulations to cover data centers and social media platforms, placing liability for cybersecurity management at the C-suite level, and updating required incident response times.
It is clear from the recent wave of enforcement actions and proposal of new and updated rules that companies should be vigilant not only in preventing cybersecurity breaches, but also in monitoring, detecting and mitigating their effects. We will continue to review these developments and report on their progress, including the publication of the final SEC rules and updates to UK cybersecurity laws.