Not even state-of-the-art cybersecurity measures can prevent all breaches, so it is critical for investment managers to be prepared for such events. Managers should consider adopting a breach response plan; they should also consider purchasing insurance to mitigate their losses and response costs in the event of a breach. Both of those approaches to mitigating the fallout from a cyber breach were recently considered in depth at a program sponsored by K&L Gates and the Investment Adviser Association (IAA). The program – the fourth installment of the sponsors’ Investment Management Cybersecurity Seminar Series – was moderated by Mark C. Amorosi, a partner at K&L Gates, and featured Laura L. Grossman, assistant general counsel at the IAA; Jason Warmbir, a vice president at Willis Group Holdings Ltd.; and K&L Gates partners András P. Teleki and Gregory S. Wright. This article, the first in a two-part series, explores the development and testing of a breach response plan; implementation of the plan in the event of a breach; breach notification requirements; and other post-breach actions. The second article will discuss the availability of coverage for cyber breaches under conventional insurance policies; the availability and types of specialized cyber liability coverage; and coverage issues that may arise under such policies. For discussions of prior installments in the series, in which Amorosi, Grossman and Teleki also participated, see “K&L Gates-IAA Panel Provides Comprehensive Overview of Cybersecurity Risk Mitigation Frameworks and Techniques for Investment Managers (Part Two of Two),” Hedge Fund Law Report, Vol. 8, No. 17 (Apr. 30, 2015); and “K&L Gates-IAA Panel Addresses Regulatory Compliance and Practical Elements of Cybersecurity Testing (Part Two of Two),” Hedge Fund Law Report, Vol. 8, No. 21 (May 28, 2015).