SEC Risk Alert: Investment Adviser Compliance Issues Related to the Cash Solicitation Rule

While we were busy handing out candy, the SEC was busy handing out advice! The Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert on October 31, 2018 to provide investment advisers, investors and other market participants with information concerning the most common deficiencies the staff has cited relating to Rule 206(4)-3 (the “Cash Solicitation Rule”) under the Investment Advisers Act of 1940 (the “Advisers Act”). The Risk Alert is intended to assist investment advisers in identifying potential issues and adopting and implementing effective compliance programs, and generally pertains to an adviser’s use of third-party solicitors that are subject to the broader requirements of the Cash Solicitation Rule.

OCIE Risk Alert – Compliance Issues Related to Best Execution by Investment Advisers

Introduction
On July 11, 2018, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert addressing deficiencies observed in its recent examinations of investment advisers’ best execution practices. For years, advisers have been required to obtain and document best execution on behalf of client accounts, yet firms continue to struggle with sustainable and effective best execution policies and procedures, according to SEC staff.

The Investment Advisers Act of 1940 (“Advisers Act”) establishes a federal fiduciary standard for investment advisers. As a fiduciary with responsibility to select broker-dealers and execute client trades, the adviser has an obligation to seek “best execution” of client transactions, taking into consideration the circumstances of each particular transaction. An adviser must execute securities transactions for clients in such a manner that the client’s total costs or proceeds in each transaction are the most favorable under the circumstances.

SEC Risk Alert – Frequent Fee and Expense Deficiencies in Adviser Exams

April 12, 2018: The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert to highlight recurrent deficiencies observed in its recent examinations of investment advisers’ policies and procedures governing client fee and expense assessments. OCIE identified the deficiencies while conducting more than 1,500 investment adviser examinations over the past two years. This Risk Alert emphasizes the importance of advisers providing clear and thorough disclosures in Form ADV and client investment advisory agreements. The Risk Alert further underscores prior Commission guidance on adviser obligations to develop, implement, and test effective risk-based compliance policies to minimize the risk of misrepresentation in client communications and the risk of misappropriation in the management of client assets.

Most Frequent Compliance Issues – Advisory Fees and Expenses 

The following issues were deemed to be significant and prevalent in nature, although they do not constitute all fee and expense-related findings detected by OCIE.

SEC Risk Alert – Observations from Cybersecurity Examinations OCIE Cybersecurity 2 Initiative

August 7, 2017: The U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) has released the results of its Cybersecurity 2 Initiative. In this Initiative, National Examination Program staff examined 75 firms, including broker-dealers, investment advisers, and investment companies (“funds”) registered with the SEC, to assess industry practices and legal and compliance issues associated with cybersecurity preparedness. The Cybersecurity 2 Initiative examinations involved more validation and testing of the procedures and controls supporting cybersecurity preparedness than was performed in OCIE’s 2014 Cybersecurity 1 Initiative.

SEC National Exam Program Risk Alert Cybersecurity: Ransomware Alert

May 17, 2017: The SEC just issued a Risk Alert (Cybersecurity: Ransomware Alert) to investment advisers and broker-dealers informing them that attackers are targeting companies with a new and aggressive ransomware. On May 12, 2017, this attack, referred to as WannaCry, WCry, or Wanna Decryptor, rapidly affected numerous organizations across more than one hundred countries. The WannaCry ransomware infects computers with malicious software that encrypts users’ files and demands payment of a ransom to restore access to the locked files.

Initial reports indicate that the attackers are gaining access to enterprise servers either through compromise of Microsoft Remote Desktop Protocol (RDP) or through exploitation of a critical vulnerability in Windows Server Message Block version 1 (SMBv1).[1] Most significantly, some networks have been affected through phishing emails and malicious websites.

To protect against the WannaCry threat, investment advisers are urged to (1) review the alert published by the United States Department of Homeland Security’s Computer Emergency Readiness Team[2] and (2) evaluate whether the applicable Microsoft patches for Windows XP, Windows 8, and Windows Server 2003 operating systems are properly and timely installed. The Microsoft patches that prevent the infection have been available since March for supported operating systems. In addition, within 24 hours of the attack, Microsoft provided the necessary security patch for the unsupported Windows XP. This highlights the need to run current operating systems and to maintain a disciplined, managed patching strategy.

This latest Risk Alert highlights the importance of conducting penetration tests and vulnerability scans on critical systems and implementing system upgrades on a timely basis. SEC staff also notes that appropriate planning to address cybersecurity issues, including developing a rapid response capability, is important and may assist firms in mitigating the impact of any such attacks and any related effects on investors and clients.

On the broader topic of cybersecurity, OCIE’s National Examination Program staff recently examined 75 SEC-registered broker-dealers, investment advisers, and investment companies to assess industry practices and legal, regulatory, and compliance issues associated with cybersecurity preparedness. The SEC observed a wide range of information security practices, procedures, and controls across the industry, varying greatly with registrant operations, lines of business, risk profiles, and enterprise size.

The following observations gleaned from this sweep certainly informed this week’s SEC guidance on mitigating the cybersecurity risk posed by WannaCry ransomware, especially with respect to small and mid-sized registrants:

  • Cyber-risk Assessment: Five percent of broker-dealers and 26 percent of advisers and funds (collectively, “investment management firms”) examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.
  • Penetration Tests: Five percent of broker-dealers and 57 percent of the investment management firms examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.
  • System Maintenance: All broker-dealers and 96 percent of investment management firms examined have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. However, ten percent of the broker-dealers and four percent of investment management firms examined were missing a significant number of critical and high-risk security patches.

The Commission has provided guidance and information that firms must consider when addressing cybersecurity risks and response: https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf. While not a functional regulator for advisers, FINRA has also provided guidance that is especially useful for smaller enterprises with commensurately smaller cyber risk profiles: http://www.finra.org/industry/cybersecurity.

For the past two years, Horrigan Resources has partnered with an IT specialist to offer cybersecurity risk assessments to our clients. Although each firm presents unique risks and challenges, the overarching themes of risk mitigation have been rapid response to red flags and swift handling of ‘low hanging fruit’. Risk mitigation may entail material capital expenditure over time; however, the key is to know and triage risk, to recognize that cyber risk management is ongoing and continuous, and to be proactive.

Not unlike compliance, attaining a secure IT environment is a journey without a destination. Continuous and prudent attention to business risk, awareness of the threat environment, and ongoing employee training and awareness are great starting points to reduce cyber risk. Follow this link for the Risk Alert: https://www.sec.gov/files/risk-alert-cybersecurity-ransomware-alert.pdf.

May 19, 2017

prepared by Horrigan Resources, Ltd.

www.horriganresources.com

(724) 934-0129

Not customized advice. Not legal advice.

[1] See U.S. Department of Homeland Security / U.S. Computer Emergency Readiness Team (US-CERT), Alert (TA17-132A), Indicators Associated with WannaCry Ransomware (May 12, 2017, last revised May 15, 2017) (“US-CERT Alert TA17-132A”).

[2] https://www.us-cert.gov/ncas/alerts/TA17-132A

Risk Alert: OCIE is Scouting Investment Advisory Branch Offices

December 12, 2016: The Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (SEC) announced its new Multi-Branch Adviser Initiative in a Risk Alert. The initiative is no surprise, given that the 2016 Examination Priorities published in January highlighted OCIE’s interest in examining advisers’ supervisory practices over advisory personnel located in branch offices.

OCIE’s interest is prompted by the fact that advisers are increasingly expanding their geographical footprints, staffing personnel in locations far removed from the adviser’s principal place of business. The Staff is worried about the risks of the “out of sight, out of mind” mentality.

Accordingly, OCIE has launched its Multi-Branch Adviser Initiative to examine advisers operating multiple branch offices to ascertain compliance with federal securities laws in view of the additional and unique risks that arise when operating in this manner.

The OCIE Finds its Voice – and it’s a Whistle

October 27, 2016: The U.S. Securities and Exchange Commission (“SEC” or “Commission”) has been proclaiming near and far that its whistleblower program has surpassed $100 million in awards and payments to whistleblowers. Enforcement chiefs have touted the value of the whistleblower program for generating quality leads since the whistleblower rule became effective in 2011.

Advisers and Broker-Dealers Take Note

Well…what exactly does this mean for advisers and broker-dealers?