All fund managers are keenly aware of the financial and reputational risks posed by a ransomware attack, as those are top of mind when considering cybersecurity risks. Less attention is paid, however, to some of the trickle-down ramifications of a ransomware attack, including mandatory reporting requirements to regulators and the possibility of third-party litigation and regulatory enforcement. Some of those risks can be mitigated not only through preventative cybersecurity practices but also by thoughtful and rehearsed incident response measures. Those issues were addressed in a recent Arnold & Porter roundtable moderated by Arnold & Porter partner Ronald D. Lee, which featured Dan Raymond, focus group leader on breach response and information security products at Beazley Group; Aaron Sherman, director of incident response at Coveware, Inc.; and Arnold & Porter attorneys Kenneth L. Chernof, Marcus A. Asner and Tal R. Machnes. This second article describes mandatory reporting requirements; litigation and enforcement risks arising from ransomware attacks; protective measures fund managers should take before an attack; and important compliance considerations. The first article prescribed initial measures fund managers should take after a ransomware attack; guidance for working with law enforcement and deciding to pay a ransom; and tips for preserving attorney-client privilege during an incident response. See “Identifying and Preventing Ransomware Attacks” (Oct. 15, 2020).