The Hedge Fund Law Report Quotes Natasha Kohne from Cybersecurity Webinar
Natasha Kohne, a co-leader of Akin Gump’s cybersecurity, privacy and data protection initiative, has been quoted by The Hedge Fund Law Report in the article “Essential Tools for Hedge Fund Managers to Combat Escalating Cyber Threats.” This follows a recent webinar featuring Kohne regarding the cyber threat landscape and related regulatory environment. The event also included suggestions on how to reduce vendor risks and ensure appropriate cybersecurity governance and employee training.
Kohne noted early in the program that the legal and regulatory landscape regarding cyber threats is evolving rapidly. She cited two landmark cases from the past year dealing with data privacy: FTC v. Wyndham Worldwide Corp., in which a federal appeals court affirmed the Federal Trade Commission’s authority to regulate data security, and Remijas v. Neiman Marcus Group, LLC, where a different appeals court ruled that plaintiffs do not have to prove actual financial injury – only a substantial risk of injury.
Kohne added that a “new breed” of cases has also appeared, including one in which a cybersecurity firm was sued over the quality of the investigation it conducted in response to an attack. In short, she said, there has been a “wave of lawsuits, loosening of standards [of proof] and an increased risk of class actions” in the cybersecurity space.
Kohne explained that many regulators have jurisdiction over cybersecurity, including the FTC, the SEC, state attorneys general and others, though the SEC is the primary regulator when it comes to funds. Discussing best practices following a data breach, Kohne said the first 24 hours are critical. Regulators and plaintiffs’ attorneys expect companies to act quickly, so a business, she said, should already have an incident response plan in place, including outside counsel that can promptly retain a forensic firm.
Among other issues, Kohne also discussed cybersecurity governance, which she said has traditionally resided with a company’s audit committee, although that committee may have too many other duties to give it adequate attention. There is “no one size fits all” approach, and a board should consider where risk governance should reside and whether the directors or committees charged with it have the requisite expertise.
The proposed Cybersecurity Disclosure Act of 2015, Kohne noted, would require public companies to disclose in their annual reports and proxy statements what cybersecurity expertise their directors have. She said the SEC has also observed that companies are not devoting sufficient time to cybersecurity, and that boards should review budgets, assign duties and review risk reports. They should also assess how their companies’ policies comport with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, ensure there is a breach response plan that follows best practices and treat cybersecurity as an enterprise risk management issue.