Few things are more unsettling for a fund manager than when the manager or one of its portfolio companies is the victim of a ransomware attack that threatens business-critical information or platforms. Many will seriously consider immediately paying the ransom hoping to regain control of operations, secure client data, avoid continued business disruption and prevent negative publicity. Determining whether to pay a ransom is not straightforward, however, due to inevitable legal, financial, practical and regulatory pitfalls. Further, although many funds have a written incident response plan they practice with during annual tabletop exercises, a ransom attack will always create novel issues and challenges because each situation is very fact specific and fast moving. As managers need to balance risks and make decisions with, at best, imperfect and sparse information, every incident may prove a costly odyssey into unchartered waters. This second article in a two-part guest article series by Proskauer attorneys Ryan P. Blaney, Margaret A. Dale, Dorothy Murray, Todd J. Ohlms and Jonathan M. Weiss reviews the regulatory obligations that arise with any data breach and considers the follow‑on steps and consequences of such a breach from a U.S. and U.K. perspective. The first article set out the issues to keep in mind in terms of immediate incident response and whether to pay the ransom. See our two-part series on data breaches and the private credit market: “Assessing Borrower Cyber Preparedness” (Apr. 6, 2023); and “Post‑Breach Considerations” (Apr. 20, 2023).