SEC Issues Cybersecurity Guidance for Registered Investment Advisers and Funds

7 May 2015

Key takeaways

  • The U.S. Securities and Exchange Commission (“SEC”) staff has issued its first guidance to registered funds and investment advisers (including advisers to private equity and hedge funds) about the measures they should be taking to assess and mitigate their risk of a cyberattack.
  • The guidance highlights the importance of periodic audits of cybersecurity measures and cyberattack response protocols, including assessing the practices of third-party vendors.
  • The guidance suggests that any failure to adequately assess and mitigate cybersecurity risk could be construed as a violation of the U.S. federal securities laws, including those laws requiring investment advisers and registered investment companies to maintain compliance policies and procedures as well as identity theft red flags.