08 April 2022
Main Contributor: Katie Mogan, IACCP® Vice President, Senior Compliance Consultant
The first quarter is always a busy time for investment advisors. This year, the SEC was busy too, releasing two new proposed rules: Cybersecurity Risk Management and Requirements for Private Fund Advisers. It’s important to remember that a proposed rule can take a while to become an actual rule. Think back to the SEC’s new Marketing Rule: advisors were given 18 months to comply, not to mention the long comment period and the time it took to finalize the rule. These two new proposed rules should not initiate a fire drill; however, it is important for you to understand at a high level what could be coming down the pipeline.
Proposed Rule 1: Cybersecurity Risk Management
Cybersecurity has long been a high priority for the SEC. Advisors and their clients continue to face cybersecurity threats, with cybercriminals becoming “increasingly more sophisticated [in] executing their attacks.” Advisers are relying more and more on technology for trading, custody, pricing research, client data storage, and even compliance, leaving them vulnerable to cyber-attacks. Intrusions can have a large financial and reputational impact on advisors that can be challenging to recover from. The risk to their clients can be massive as well.
There are not currently explicit requirements for SEC-registered investment advisers to have cybersecurity policies and procedures. The expectation is implied by an adviser’s capacity as a fiduciary: advisers must put their clients’ best interest before their own, and the Compliance Rule requires that policies and procedures be “reasonably designed” to address and mitigate risk. This newly proposed rule, 206(4)-9, would require advisers who are registered or required to be registered to implement cybersecurity policies and procedures addressing specific cybersecurity elements, as discussed below.
Policies and Procedures
Under this proposed rule, advisers would be required to have tailored cybersecurity policies and procedures designed to address firm-specific systems and risks along with at least annual testing of those policies and procedures.
Review of these policies must be conducted at least annually, with the expectation that the review incorporates changes in technology, cyber-threats, and the adviser’s systems. As with the 2020 Cybersecurity Risk Alert about ransomware, the SEC references resources such as the Financial Services Information Sharing and Analysis Center (“FS-ISAC”) and the Department of Homeland Security’s CISA. These sites are helpful in identifying new malware threats and the most recent scams hackers are using to infiltrate systems.
A summary of the proposed requirements for the policies and procedures includes:
- A risk assessment
- User security and access
  - Policies must have provisions for unauthorized access to minimize user-related risks
  - Required standards of behavior and usage
  - Authentication of users with at least dual-factor authentication
  - Procedures for distribution, replacement, and revocation of passwords and methods of authentication
  - Access to systems on an as-needed basis
  - Securing remote access technologies used to interface with the adviser’s information systems
- Information protection and monitoring
- Threat and vulnerability management
- Cybersecurity incident response and recovery
A written risk assessment of cybersecurity risks, updated periodically, would be a required element of the policies and procedures, and it would itself have to contain certain required elements. These include:
- Categorize and prioritize cybersecurity risks based on an inventory of the components of an adviser’s information systems, information hosted in those systems, and the potential effect of a cybersecurity incident on the adviser and funds.
- Identify service providers that receive, maintain, have access to, or process adviser or fund information and then identify cybersecurity risks associated with those providers.
What Can You Do Now?
If you have not reviewed your cybersecurity plan recently, take some time to do so. Most importantly, test your plan for reasonableness and document the results, including any remedial action taken. As with the annual review, it’s important to document your findings and explain how you addressed and resolved the violations you found and updated your policies in response. If you are not a cybersecurity expert or do not have one in-house, consider hiring a third party to develop, monitor, and test your systems. They should provide you with a written assessment of the areas tested, along with a list of vulnerabilities, to substantiate your reviews for the SEC. Do not underestimate the power of training. The human element is the greatest risk factor in enabling a cyber-attack. A formal discussion, or even regular emails reminding employees of the firm’s policies and of potential threats, is a simple and effective way to protect your firm and clients.
Proposed Rule 2: Private Fund Advisers and Documentation of RIA Compliance Reviews
The proposed Private Fund Adviser Rule aims to bring clarity to the private fund space around fees, conflicts, and performance. Private funds manage over $18 trillion in assets under management and are involved in the markets in myriad ways. As Americans have more direct and indirect exposure to private funds through retirement plans, college endowments, non-profits, and high net worth individuals, the SEC identified a need to increase the amount and transparency of information private funds provide to their investors. In its view, this would allow investors to weigh performance, fees, and their general investments in a more apples-to-apples comparison. This rule also includes a somewhat hidden proposal to require ALL registered investment advisers to document their annual reviews in writing. This is a very important proposed change to the Investment Advisers Act, as currently there is no requirement for the annual review to be written – only a requirement to conduct an annual review. We break down key details of this proposed rule below.
In this proposed rule, private fund advisers registered, or required to be registered, with the SEC must provide quarterly statements to their investors that include information on fees, expenses, and performance, distributed within 45 days of each quarter end, unless a quarterly statement that complies with the proposed rule is prepared and distributed by another person. The SEC envisions investors will use the quarterly statements to “check fees and expenses paid directly or indirectly by the private fund against the private fund’s governing documents.”
Fees and Expenses Disclosure
Within the quarterly statements, certain fee disclosures could be required, such as details surrounding the fees and expenses paid by the underlying portfolio investments to the adviser or a related person. The information would be required in a table format and would include:
- A detailed accounting of all compensation, fees, and other amounts allocated or paid to the adviser or any of its related persons by the private fund during the reporting period
- A detailed accounting of all fees and expenses paid by the private fund during the reporting period other than those listed above, and
- The amount of any offsets or rebates carried forward during the reporting period to subsequent quarterly periods to reduce future payments or allocations to the adviser or its related persons.
Fund Fees and Expenses:
- A detailed accounting of all fees and expenses paid by the private fund during the reporting period
- Examples include, but are not limited to: organizational, legal, administrative, audit, tax, due diligence, and travel expenses.
Offsets, Rebates, and Waivers:
- All information must be presented both before and after any offsets, rebates, or waivers.
Portfolio Investment-Level Disclosure
- A detailed accounting of all portfolio investment compensation allocated or paid by each covered portfolio investment during the reporting period
- The Fund’s ownership percentage of each such covered portfolio investment as of the end of each reporting period
As proposed, the quarterly report must have an accounting of all adviser compensation and fund fees and expenses for the reporting period, itemized with the total dollar amount for each category. A prominent disclosure would be required explaining how expenses, payments, allocations, rebates, waivers, and offsets are calculated. Within the disclosure, cross-references to fund organizational documents would also be required so that investors can locate the relevant sections of the fund documents pertaining to fees and expenses.
Along with fees and expenses, the SEC wants more clarity and consistency in performance reporting. With this proposed rule, the SEC aims to give investors tools to evaluate and compare managers more easily. Performance reporting would be broken down into two categories, liquid and illiquid funds, with different reporting requirements for each fund type.
A liquid fund is defined by the proposed rule as a private fund that is not an illiquid fund, and generally allows periodic investor redemptions, such as monthly, quarterly, or semi-annually. Liquid funds also primarily invest in market-traded securities, except for a de minimis amount of illiquid assets, and determine their NAV on a regular basis.
A liquid fund would be required to report:
- net performance, on an annual basis, for each calendar year since inception,
- average annual net total returns over one-, five-, and ten- calendar year periods, unless certain periods do not exist, and
- cumulative net total return for the current calendar year, as of the end of the most recent calendar quarter.
An illiquid fund is a private fund that (i) has a limited life, (ii) does not continuously raise capital, (iii) is not required to redeem interest upon an investor’s request, (iv) has, as a predominant operating strategy, the return of proceeds from disposition of investments to investors, (v) has limited opportunities, if any, for investors to withdraw before the termination of the funds, and (vi) does not routinely acquire (directly or indirectly) as part of the investment strategy market-traded securities and derivative instruments.
An illiquid fund would be required to show performance as follows:
- gross and net internal rate of return,
- gross and net multiple of invested capital, and
- gross internal rate of return and gross multiple of invested capital for the realized and unrealized portions of the illiquid fund’s portfolio, with realized and unrealized performance shown separately.
All performance must be shown since inception and through the end of the reporting quarter. For both liquid and illiquid funds, the different categories of performance information must be shown with equal prominence, with accompanying disclosures. The SEC recognizes that data is not always immediately available for private funds and will allow performance details through the most recent practicable date (the most recent available month end, for example). Illiquid fund performance must be calculated using the capital called from investors.
There are other proposed requirements, which can be found here, covering more sensitive matters such as prohibited activities relating to clawbacks, fees and expenses, investor liability, borrowing, adviser-led secondaries, preferential treatment, and the mandatory requirement for private funds to obtain a financial statement audit. Some of the proposed prohibitions would have a significant impact on the industry, as they would ban activities that are common practice today and are part of existing contractual arrangements.
What Can You Do to Prepare?
For this one, we say wait and see. It’s quite possible you are already providing your investors with reports, such as audit reports, that will suffice. However, this proposal is still in the comment period, and we suspect there will be significant pushback on this proposed rule.
Written Annual Review
Circling back to a comment we made earlier, the SEC is proposing an update to the Compliance Rule requiring a written annual review report. Currently, the Compliance Rule does not require that the annual review be written, only that advisers review, no less frequently than annually, the adequacy of their compliance policies and procedures and the effectiveness of their implementation.
What Can You Do Now?
The only way for you to substantiate adherence is through documentation, so even though a written report of your annual review is not currently required, our guess is that most advisors are already completing one in writing. If you are not documenting your annual review, now is a good time to start. You can always refer to our E-book on How to Master the Annual Review if you need a place to start, or call us; we can help!
Keep in mind, these are just proposed rules, and proposed rules can take time to become final, if they do at all. For the cybersecurity and written annual review proposals, we identified actionable steps you can take now to better prepare your firm should the proposals be adopted, and also to mitigate your firm’s risks regardless of any requirement. If you are a private fund adviser and feel called to provide your two cents on the proposed private fund rule, you have until April 25th to provide your feedback.