Cybersecurity & Data Privacy Issues in Fund Finance
During the course of any lending transaction, lenders will conduct a due diligence review of the borrower, including reviewing any relevant “know-your-customer” information. In the context of a fund finance transaction, this due diligence is likely to include a review of fund organizational documents, subscription agreements and side letters, if any, from the fund’s investors. Providing this information to lenders is an essential and practical aspect of incurring any fund-level financing, and is often expressly permitted by a fund’s governing documentation. Especially in the context of a subscription credit facility, where investor commitments and the related right to collect capital contributions are the primary source of repayment for the loan, a lender will need to see information that could potentially include sensitive or confidential information about investors.
So how is a fund sponsor practically supposed to comply with diligence requests from lenders, especially when the responsive information may contain social security numbers, passport information or driver’s licenses? It is rare, though not unheard of, for a borrower to require that lenders conduct due diligence in person in a windowless conference room. But the reality is that most fund borrowers transmit this confidential data to potential lenders through some electronic means. In doing so, borrowers should consider (1) whether the information they need to send includes the sensitive and personal data of high-net-worth investors (including, for example, social security number (SSN), driver’s license or passport, or similar identifying information), (2) where and how they plan to send the information and (3) what data privacy and cybersecurity requirements might apply.
Different jurisdictions may have strict requirements for processing and transmitting personal data, often with extra protections for “sensitive personal data,” which may include SSNs, geolocation, passport numbers and other information. A large and growing number of U.S. states now have data privacy laws, such as California’s Consumer Protection Act (CCPA). The European Union’s (EU) General Data Protection Regulation (GDPR) features strong protections for cross-border data transfers, designed to protect the personal data of EU residents. The U.S. federal government is also ramping up protections for its own citizens’ data, with new laws such as the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFA), which covers the transfer of certain personally identifiable sensitive data of U.S. individuals to certain foreign countries.
Fund sponsors and financial institutions face a heightened risk of increasingly sophisticated cyberattacks, especially when the personal information of high-net-worth individuals is at stake. To further complicate matters, what market participants may consider “adequate data protection” under new and amended data privacy and cybersecurity laws is changing, meaning that compliance into the future will require consistent and adaptable monitoring, training and management buy-in.[1] While navigating compliance with this ever-changing landscape may not be straightforward, one thing is crystal clear: guarding against ransomware, phishing attacks, social engineering and advanced wire fraud is vital when handling sensitive personal information. This is true both from the personal privacy perspective of an individual investor and from the fund manager’s perspective, to prevent negative reputational, financial or regulatory consequences.
Given the various data privacy and cybersecurity requirements at issue when sending sensitive data to lenders, there are a number of best practices, policies and technical measures sponsors can consider adopting to help comply with the myriad obligations such data transfers can entail, including:
- No Email – When a fund sponsor has drivers’ licenses, passport numbers and SSNs to transmit, transmitting such information over email is never recommended. Emails can be hacked, devices lost and login information exposed. Instead, look for secure methods like dedicated enterprise file sharing platforms designed for secure transfer of documents and information. Reputable software-as-a-service (SaaS) providers will offer enterprise-grade security to protect data on the system.
- Use Permission Controls – Make use of file sharing platform features that allow user permissions to be set and attach expiry dates to shared files so that access is revoked after a set period of time. These controls restrict who can open the files, or prevent the files from being saved or printed, helping guard against data exposure. Also monitor and control who is sending the information, and ensure these persons send only the specific information being requested (i.e., avoid sending additional sensitive personal information that is not necessary).
- Use Appropriate Data Safeguards – Many data privacy and security laws mandate appropriate administrative, technical and physical safeguards. These can include, among other measures, encryption of data at rest and data in transit, strong passwords, firewalls and multi-factor authentication (MFA). Make sure these tools are covered in employee training, with exercises such as phishing simulations teaching employees how and where data should not be sent.
- Conduct Vendor Due Diligence – Have any third-party platforms that touch this information experienced cybersecurity issues? Did they remediate any vulnerabilities? Do they have NIST or ISO certifications?[2] Third parties are a significant source of risk, and funds should have contractual provisions, along with monitoring and auditing, for any cloud and networked data rooms they might be using. Protect investor and client information throughout this process and not just in the fund’s own systems.
- Include Data Protection Provisions in Written Agreements with the Recipient – You do not want your investors’ and clients’ data to be at risk after you hand it off. Written agreements with the lender receiving the data should set forth the lender’s obligations regarding that data; such a written agreement may be an executed credit agreement, or perhaps a signed term sheet or engagement letter with enforceable confidentiality provisions. Agreements should establish not only how this data will be transmitted, but also how the recipient will store it, how long they will retain it, what purpose it will be used for and how it will be safely returned or deleted when that purpose is complete. The agreement should make sure that the recipient will not:
  - Further transfer the information insecurely, using a method not otherwise approved
  - Transfer the information to other unintended parties
  - Retain the information indefinitely
  - Use it for some purpose other than what was specified
- Practice For When Something Goes Wrong – If all else fails and sensitive investor or client information is leaked, be prepared. Fund sponsors should engage interdisciplinary teams including legal, IT, finance and management to engage in planning and training. Tabletop exercises are a good way for fund managers to practice responding quickly and effectively when an incident occurs. Simulations can include assessments of insurance carrier notification timelines, as well as decision-making on the timing and content of notifications to regulators (both in the US and across the globe).
Once sponsors establish which laws apply to the personal data they want to send, they can craft written policies and procedures that inform both their own staff and their lenders of the obligations they have when handling sensitive data, and of the practices they must apply to appropriately protect that data at each stage of the process: storage by the sponsor, transfer, and storage by the recipient.
No amount of preparation will render a sponsor invulnerable, but steps like the foregoing can assist greatly in preventing a breach, or in mitigating the adverse effects on a fund, on investors, and on the sponsor.
[1] The applicable laws and potential enforcement in data privacy are vast. The Gramm–Leach–Bliley Act (GLBA) is a federal law requiring certain parties to, among other things, explain their information-sharing practices to their customers. Regulation S-P is a privacy rule designed to safeguard customer information, requiring fund managers registered with the SEC as investment advisers to have written policies to ensure the security and confidentiality of customer information, protect against any anticipated threats to the security or integrity of customer information, and protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.
[2] The National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) are reputable standards-setting organizations in the data protection space, offering robust frameworks for cybersecurity risk management.