Private funds that are excluded from the definition of “investment company” under sections 3(c)(1) or 3(c)(7) of the Investment Company Act of 1940 (“ICA”) will face significantly stricter cybersecurity requirements under the FTC’s revised Safeguards Rule, which comes into full effect as of December 9, 2022. The FTC’s updated Safeguards Rule breaks new ground for the FTC by requiring specific security controls and accountability measures for consumer information expressly modeled on the New York Department of Financial Services’ (“NY DFS”) cybersecurity rule. For private fund entities covered by the Safeguards Rule, these changes will require prompt review, since many of the newly required controls will take time to implement. Among other things, the Safeguards Rule will now require multifactor authentication for any individual accessing information systems that store customer information (or compensating controls), encryption of all customer information both in transit and at rest (again with the option of alternative compensating controls), and updates to record retention procedures for customer information.

Continue Reading