In October 2021, the Federal Trade Commission (FTC) stated that it would expand its Safeguards Rule in order to better protect consumer financial information from cyber attacks and security breaches. The revised Rule requirements will take effect on December 9, 2022. This is a significant development for private funds that were previously exempt from the Investment Company Act of 1940’s definition of “investment company” under sections 3(c)(1) or 3(c)(7) (“ICA”). Under the FTC’s new Safeguards Rule, private funds will be subject to significantly stricter cybersecurity obligations.

Modeled after the cybersecurity rule adopted by the New York Department of Financial Services (“NY DFS”), the FTC’s revised Safeguards Rule real impact on private funds comes from significant new governance and accountability requirements and new specific security control measures. Since many of the newly required controls will take time to implement, private fund entities covered by the Safeguards Rule will need to start planning now. The FTC’s updated Safeguards Rule, which is modeled after the New York Department of Financial Services (“NY DFS”) cybersecurity rule, has a substantial impact on private funds due to considerable new governance and accountability requirements, as well as new specific security control measures. Since many of the newly mandated controls will take time to implement, private fund organizations subject to the Safeguards Rule should begin planning immediately.

The following are the most significant revisions to the FTC Safeguards Rule:

  1. As indicated previously, the definition of a financial institution has been widened to include Private Funds.
  1. Previously, the Safeguards Rule permitted an “employee or employees” to be accountable for the information security program; however, the new Rule requires only one “Qualified Individual.”
  1. Multifactor authentication is now required for any individual accessing information systems that store customer information under the Safeguards Rule.
  1. The Safeguards Rule now requires encryption of all consumer information in transit and at rest.
  1. The Safeguards Rule makes significant improvements to customer information record retention practices.

For further information, please visit the FTC’s website: FTC Strengthens Security Safeguards for Consumer Financial Information Following Widespread Data Breaches | Federal Trade Commission