SEC Risk Alert – Observations from Cybersecurity Examinations OCIE Cybersecurity 2 Initiative

By | New in Compliance, Risk Alert, SEC

August 7, 2017: The U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) has released results of its Cybersecurity 2 Initiative. In this Initiative, National Examination Program Staff examined 75 firms, including broker-dealers, investment advisers, and investment companies (“funds”) registered with the SEC to assess industry practices and legal and compliance issues associated with cybersecurity preparedness. The OCIE Cybersecurity 2 Initiative examinations involved more validation and testing of procedures and controls attendant to cybersecurity preparedness than was previously performed in OCIE’s 2014 Cybersecurity 1 Initiative.

SEC Division of Investment Management Issues New Form ADV FAQs

By | New in Compliance, SEC

June 26, 2017: As reported last year, on August 25, 2016, the U.S. Securities and Exchange Commission (“SEC”) adopted a series of rule amendments that will impact all federally registered investment advisory firms. Specifically, the SEC is requiring additional Form ADV disclosures for registered investment adviser (“RIA”) firms related to separately managed accounts, social media accounts, types of clients, branch offices, and the use of an outsourced Chief Compliance Officer (“CCO”). The effective date of the new requirements is October 1, 2017. Therefore, any SEC-registered RIA filing an amendment beginning in October 2017 will be required to provide additional information on Form ADV Part 1.

SEC National Exam Program Risk Alert Cybersecurity: Ransomware Alert

By | New in Compliance, Risk Alert, SEC

May 17, 2017: The SEC just issued a Risk Alert (Cybersecurity: Ransomware Alert) to investment advisers and broker-dealers informing them of the targeting of companies by hackers propagating a new and aggressive ransomware. On May 12, 2017, this attack, referred to as WannaCry, WCry, or Wanna Decryptor, rapidly affected numerous organizations across over one hundred countries. The WannaCry ransomware infects computers with malicious software that encrypts users’ files and demands payment of a ransom to restore access to the locked files.

Initial reports indicate that the hackers that perpetrated the attack are gaining access to enterprise servers either through Microsoft Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows Server Message Block version 1 vulnerability.[1] Most significantly, some networks have been affected through phishing emails and malicious websites.

To protect against the WannaCry threat, investment advisers are urged to (1) review the alert published by the United States Department of Homeland Security’s Computer Emergency Readiness Team[2] and (2) evaluate whether applicable Microsoft patches for Windows XP, Windows 8, and Windows Server 2003 operating systems are properly and timely installed. The Microsoft patches to prevent the infection have been available since March for supported operating systems. In addition, within 24 hours of the attack, Microsoft had provided the necessary security patch for the unsupported Windows XP. This highlights the need to keep operating systems current and to have a disciplined and managed patching strategy.

This latest Risk Alert highlights the importance of conducting penetration tests and vulnerability scans on critical systems and implementing system upgrades on a timely basis. SEC staff also notes that appropriate planning to address cybersecurity issues, including developing a rapid response capability, is important and may assist firms in mitigating the impact of any such attacks and any related effects on investors and clients.

On the broader topic of cybersecurity, OCIE’s National Examination Program staff recently examined 75 SEC-registered broker-dealers, investment advisers, and investment companies to assess industry practices and legal, regulatory, and compliance issues associated with cybersecurity preparedness. The SEC observed a wide range of information security practices, procedures, and controls across the industry, varying greatly based on registrant operations, lines of business, risk profiles, and enterprise size.

The following observations gleaned from this sweep certainly informed this week’s SEC guidance on mitigating the cybersecurity risk posed by WannaCry ransomware, especially with respect to small and mid-sized registrants:

  • Cyber-risk Assessment: Five percent of broker-dealers and 26 percent of advisers and funds (collectively, “investment management firms”) examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.
  • Penetration Tests: Five percent of broker-dealers and 57 percent of the investment management firms examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.
  • System Maintenance: All broker-dealers and 96 percent of investment management firms examined have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. However, ten percent of the broker-dealers and four percent of investment management firms examined were missing a significant number of critical and high-risk security patches.

The Commission has provided guidance and information that firms must consider when addressing cybersecurity risks and response: https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf. While not a functional regulator for advisers, FINRA has also provided guidance which is especially useful for smaller enterprises with commensurately smaller cyber risk profiles: http://www.finra.org/industry/cybersecurity.

For the past two years, Horrigan Resources has partnered with an IT specialist to offer cybersecurity risk assessments to our clients. Although each firm presents unique risks and challenges, the overarching themes relative to risk mitigation have been rapid response to red flags and swift handling of ‘low hanging fruit’. Risk mitigation may entail material capital expenditure over time; however, the key is to know and triage risk, recognize that cyber risk management is ongoing and continuous, and be proactive.

Not unlike compliance, attaining a secure IT environment is a journey without a destination. Continuous and prudent attention to business risk, awareness of the threat environment, and ongoing employee training and awareness are great starting points to reduce cyber risk. Follow this link for the Risk Alert: https://www.sec.gov/files/risk-alert-cybersecurity-ransomware-alert.pdf.

May 19, 2017

prepared by Horrigan Resources, Ltd.

www.horriganresources.com

(724) 934-0129

Not customized advice. Not legal advice.

[1] See U.S. Department of Homeland Security / U.S. Computer Emergency Readiness Team (US-CERT), Alert (TA17-132A), Indicators Associated with WannaCry Ransomware (May 12, 2017, last revised May 15, 2017) (“US-CERT Alert TA17-132A”).

[2] https://www.us-cert.gov/ncas/alerts/TA17-132A

Pay-to-Play Enforcement Actions against Investment Advisers

By | New in Compliance, SEC

April 9, 2017: The U.S. Securities and Exchange Commission (“SEC”) recently announced that ten investment advisory firms agreed to pay penalties in the tens of thousands of dollars to settle charges that they violated Rule 206(4)-5 (the “Pay-to-Play Rule”) under the Investment Advisers Act of 1940. The SEC charged the firms with receiving compensation for investment advisory services that they provided for managing public pension fund assets within two years of the firms’ covered associates having made prohibited campaign contributions.

In the aftermath of the California and New York pension scandals, the Pay-to-Play rule made it illegal for employees of regulated firms to make contributions to elected officials to influence the awarding of contracts to manage public pension plan assets and other government investment accounts. The presumption is that such practices result in higher fees for inferior advisory services because the advisory contracts are not negotiated at arm’s length.

The Rule

The rule itself is fairly direct … investment advisers registered, or required to register, with the SEC, or which are “exempt reporting advisers” to private funds or venture capital funds, may not receive compensation for providing investment advice to government entities for two years after the adviser or its covered associates make direct or indirect contributions to officials of such governments who are responsible for hiring investment advisers.

A “covered associate” of an investment adviser is defined in Rule 206(4)-5(f)(2) as: (i) any general partner, managing member or executive officer, or other individual with a similar status or function; (ii) any employee who solicits a government entity for the investment adviser and any person who supervises, directly or indirectly, such employee; and (iii) any political action committee controlled by the investment adviser or by any of its covered associates. The rule also prohibits covered investment advisers or their covered associates from providing or agreeing to provide, directly or indirectly, payment to any person to solicit a government entity for investment advisory services on behalf of an adviser, unless that person is a regulated person as defined by Rule 206(4)-5(a)(2)(i)(A).

Exemptions

There are three exceptions to the Pay-to-Play Rule wherein covered associates of a firm (not the firm itself) may contribute to current or prospective clients of the firm which are government entities without fear of violating the rule. They include the following:

  • De minimis contributions: covered associates, who are natural persons, may contribute up to $350 per election to an official for whom that covered associate is entitled to vote, and a maximum contribution of $150 for any other official.
  • New covered associates: provides an exception for certain covered associates who made a contribution more than six months prior to becoming a covered associate of the current adviser; this exception is not valid for associates that engage in distribution or solicitation activities with a government entity on behalf of the adviser, in which case the time-out period is two years.
  • Returned contributions: an adviser will not be in violation of the rule if the contribution in question is returned to the contributor within the stipulated grace period. Reliance on this exception is subject to the following additional conditions:
      • Advisers with more than 150 registered persons may rely on this exemption three times in a calendar year;
      • Advisers with fewer than 150 registered persons may rely on this exemption twice a year;
      • The exemption may only be used once for the same registered person;
      • The excess contribution is discovered within four months of the initial conveyance to the political office holder/aspirant; and
      • The contribution is returned to the donor within 60 days of its discovery.

The SEC findings affirmed that ten advisory firms violated the two-year time-out period wherein they accepted advisory fees from city or state pension funds after their covered associates made campaign contributions to candidates or elected officials. The ten firms were required to pay penalties ranging from $35,000 to $75,000 and forgo compensation for two years from such government entities.

Of Interest

Several key factors make these settlements particularly noteworthy and instructive, namely:

  • The contributions in question were small.
  • Several of the advisers charged were only “exempt reporting advisers”.
  • Several of the advisers charged had obtained returns of the prohibited contributions.

The amount of the contributions made in all cited cases was relatively small and in most cases only a few hundred dollars above the permissible limit. A few of the advisers contributed a total of $500, and in one instance a covered associate of the adviser made a contribution $50 over the de minimis limit. Of significant import … there appears to have been no specific indication that these contributions were made as part of a quid pro quo arrangement or attempt to induce an investment by a government entity.

Of the ten enforcement actions, the contributions in question were made to a state governor or candidate for governor in six instances, while in two cases the contributions were made to the mayor of New York City. While these political office holders/aspirants fall within the rule’s technical definition of “elected official”, many CCOs find it surprising that the SEC chose to focus its enforcement efforts on donations to such offices, to the extent that Pay-to-Play is intended to thwart political contributions to political players who truly influence the awarding of asset management contracts by public funds. Nevertheless, regardless of how tenuous the office holder/aspirant’s connection is to the asset management protocol for a given political jurisdiction, the SEC is making clear that advisers and their covered associates must toe the line as it relates to Pay-to-Play compliance.

These enforcement actions should compel CCOs and covered associates alike to review their Pay-to-Play policies and procedures to avoid penalties and sanctions.

NOT LEGAL ADVICE

Horrigan Resources, Ltd.

Wexford, Pennsylvania | 724-934-0129 | www.horriganresources.com

SEC IM Guidance Update 2017-01 Inadvertent Custody: Advisory Contract versus Custodian Contract Authority

By | New in Compliance, SEC

March 9, 2017: The law of unintended consequences has struck again … this time its target is the investment advisory community, wherein advisers who eschew custody, and indeed have written policies which prohibit custody, may in fact have custody and therefore be noncompliant with U.S. Securities and Exchange Commission (“SEC”) Rule 206(4)-2 under the Investment Advisers Act of 1940, as amended (“Advisers Act”).

Unintended custody arises when the custodian and the client, without adviser participation or direct knowledge, execute a custodian agreement which conveys to the adviser access to client funds. Advisers that prohibit client custody are, under this scenario, nonetheless deemed to have client custody. If you are such an adviser, the SEC wants you to know that your firm has the obligation to fully comply with Custody Rule 206(4)-2.

SEC IM Guidance Update 2017-02 Robo-Adviser: The New Model on the Block

By | New in Compliance, SEC

March 3, 2017: The evolution of investment adviser business models to reflect “robo-adviser” services represents a fast-growing trend within the advisory industry. Initially perceived as a service offering directed to the millennial target market, in an era of rising competition in the asset management industry this business model is now perceived as having the real potential to be a “win-win” for both advisers and retail investors across the board. The robo-model is rapidly gaining traction with the adviser industry as it provides the means to arrest and possibly reverse compressed fee schedules while introducing significant efficiencies in the business of marketing, developing, and executing investment advice.

As always, there is a catch to the happy ending, in this case the SEC and its oversight of all registered investment advisers. The SEC has been monitoring and engaging with robo-advisers to evaluate how they meet their compliance obligations under the Investment Advisers Act. Additionally, the Commission held a “Fintech Forum” in 2016 that included an informative panel on the robo-adviser evolution. Collectively, these efforts have informed the SEC to the point where the Commission was comfortable issuing IM Guidance Update 2017-02 “Robo-Advisers” in late February 2017, focusing upon the robo-adviser business model and the unique compliance challenges it places upon registered advisers.

The Five Most Frequent Compliance Topics Identified in OCIE Examinations of Investment Advisers

By | New in Compliance

February 7, 2017: The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) published its latest Risk Alert, “The Five Most Frequent Compliance Topics Identified in OCIE Examinations of Investment Advisers”, which provides interesting insight into the Commission’s 2016 examination results for investment advisers. We have summarized this alert to apprise our clients of the ongoing regulatory scrutiny to which advisers have become accustomed after many years of SEC oversight.

Worthy of note is that the OCIE continues to find deficiencies and refer for enforcement actions on issues which have been attendant to the regulatory regime since the inception of the Compliance Rule in 2004. One exception to this observation is the topic of custody, where the Staff cites ongoing compliance problems with the custody rule, which was substantially amended in 2010.

Given the ongoing ascendancy of compliance within the client due diligence process, it behooves advisers to take note of these findings and to amend policies, procedures, and internal controls to address these issues.

SEC Announces 2017 Exam Priorities

By | New in Compliance, SEC

January 17, 2017: The SEC recently announced its 2017 exam priorities, expanding the 2016 priorities to include electronic investment advice (aka “robo-advisers”) and continuing the ongoing effort to protect senior investors as the Commission continues to focus upon products and sales practices which target senior investors.

The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) retains primary responsibility along with the Asset Management Unit for examining federally registered investment advisers which include separate account managers, as well as hedge fund and private equity managers. Additionally, the OCIE examines and inspects investment companies, broker-dealers, transfer agents, clearing agencies, private fund advisers, national securities exchanges, and municipal advisors.

The 2017 priorities also reflect a continuing focus on protecting retail investors, including individuals investing for their retirement, and assessing systemic macro risks posed by products and/or business practices. In the words of outgoing Chair Mary Jo White: “These priorities make clear we are continuing to focus on a wide range of issues impacting our markets, from traditional areas such as market-wide risks to new forms of technology including automated investment advice. Whether it is protecting our most vulnerable senior investors or those investing in the trillion-dollar money market fund industry, OCIE continues its efficient and effective risk-based approach to ensure compliance with our nation’s securities laws.”

Risk Alert: OCIE is Scouting Investment Advisory Branch Offices

By | New in Compliance, Risk Alert

December 12, 2016: The Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (SEC) announced via a Risk Alert its new Multi-Branch Adviser Initiative. The initiative is no surprise given that the 2016 Examination Priorities published in January highlighted OCIE’s interest in examining advisers’ supervisory practices over advisory personnel located in branch offices.

OCIE’s interest is prompted by the fact that advisers are increasingly expanding their geographical footprints, staffing personnel in locations far removed from the adviser’s principal place of business. The Staff is worried about the risks of the “out of sight, out of mind” mentality.

Accordingly, OCIE has launched its Multi-Branch Adviser Initiative to examine advisers operating multiple branch offices to ascertain compliance with federal securities laws in view of the additional and unique risks that arise when operating in this manner.

The OCIE Finds its Voice – and it’s a Whistle

By | New in Compliance, Risk Alert

October 27, 2016:  The U.S. Securities and Exchange Commission (“SEC” or “Commission”) has been proclaiming near and far that its whistleblower program has surpassed $100 million in awards and payments to whistleblowers. Enforcement chiefs have touted the value of the whistleblower program for generating quality leads since the whistleblower rule became effective in 2011.

Advisers and Broker-Dealers Take Note

Well … what exactly does this mean for advisers and broker-dealers?