New York, November 3, 2022
Registered Investment Advisers (“RIAs”) are subject to the books-and-records requirements of Rule 204-2 under the Investment Advisers Act of 1940 (the “Advisers Act”) (the “Recordkeeping Rule”). In addition, Rule 206(4)-7 requires RIAs to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and the rules adopted thereunder by the Securities and Exchange Commission (“SEC”) by the adviser and its supervised persons. These tenets are evolving rapidly as the SEC develops and implements amendments to its rules and regulations.
The compliance landscape is evolving rapidly. As the landscape evolves, so should your compliance program. Below, Centaur’s team outlines two regulatory items of immediate concern:
Recordkeeping Enforcement Actions - "Off Channel" Communication Retention Failures
On September 27, 2022, the SEC announced charges against 16 firms in connection with widespread and long-standing failures to maintain and preserve electronic communications. The firms consisted of 15 broker-dealers and one affiliated investment adviser, and they agreed to pay combined penalties in excess of $1.1 billion. While the broker-dealers were charged primarily with violating Section 17(a) of the Exchange Act and Rule 17a-4(b)(4) thereunder, the affiliated investment adviser was charged with violating Section 204 of the Advisers Act and Rule 204-2(a)(7) thereunder. Rule 204-2(a)(7) requires an adviser to retain originals of written communications received, and copies of written communications sent, relating to matters such as:
- Any recommendation made or proposed to be made and any advice given or proposed to be given;
- Any receipt, disbursement or delivery of funds or securities; and
- The placing or execution of any order to purchase or sell any security.
The SEC also found that the affiliated investment adviser failed reasonably to supervise its employees with a view to preventing or detecting their use of off-channel communications. When conducting periodic electronic communications reviews, RIAs should craft an appropriately tailored query (or lexicon) designed to surface instances of, or references to, off-channel communications, such as mentions of personal email, text messaging or consumer messaging applications. If such instances are uncovered, there should be a concerted effort to bring the off-channel communication within the firm’s archival procedures, to train personnel on the requirements for preserving electronic communications, and to review the framework for addressing instances of non-compliance. Addressing non-compliance should ultimately include identifying which personnel violated firm policy, imposing penalties consistently, and taking remedial action. In resolving the charges, the firms agreed to retain independent compliance consultants to address the widespread issues.
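To illustrate the kind of tailored query described above, the following is an added example (not code from Centaur or from any firm referenced in this note). It runs a small lexicon of off-channel indicators over a constructed set of archived messages, records each hit by category, and tallies hits per sender so that supervision can identify the personnel involved. The message data, sender addresses and lexicon terms are hypothetical assumptions chosen for the example; a real review would draw messages from the firm’s archive and tune the lexicon against review results.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of archived messages (hypothetical data for this example only).
SAMPLE_MESSAGES = [
    {"id": "m1", "sender": "trader1@firm.example",
     "body": "Per our call, I recommend raising the fund allocation by 2%."},
    {"id": "m2", "sender": "trader1@firm.example",
     "body": "Let's move this to WhatsApp, it's easier."},
    {"id": "m3", "sender": "pm2@firm.example",
     "body": "Text me on my cell when the order fills."},
    {"id": "m4", "sender": "compliance@firm.example",
     "body": "Reminder: WhatsApp and personal email may not be used for firm business."},
    {"id": "m5", "sender": "analyst3@firm.example",
     "body": "Going forward reach me at jane.doe@gmail.com, faster than the Bloomberg."},
]

# Lexicon of indicators that a conversation is moving to, or refers to, an unarchived channel.
# Word boundaries and case-insensitive matching reduce accidental matches inside other words.
OFF_CHANNEL_PATTERNS = {
    "messaging_app": re.compile(r"\b(whatsapp|signal|telegram|wechat|imessage)\b", re.I),
    "sms": re.compile(r"\b(text|txt) (me|you|him|her)\b|\bsms\b", re.I),
    "personal_phone": re.compile(r"\b(my|personal) (cell|mobile)\b", re.I),
    "personal_email": re.compile(r"\b[\w.+-]+@(gmail|yahoo|hotmail|icloud|proton)\.(com|me)\b", re.I),
}


@dataclass(frozen=True)
class Hit:
    message_id: str
    sender: str
    category: str
    term: str  # the text that matched, for the reviewer's context


def flag_off_channel(messages, exclude_senders=frozenset()):
    """Run the lexicon over each archived message.

    Returns one Hit per (message, category) that matched. Senders in
    exclude_senders (for example a compliance mailbox that legitimately
    references these terms in policy reminders) are skipped; that exclusion
    is a tuning decision and should itself be documented and reviewed.
    """
    hits = []
    for msg in messages:
        if msg["sender"] in exclude_senders:
            continue
        for category, pattern in OFF_CHANNEL_PATTERNS.items():
            match = pattern.search(msg["body"])
            if match:
                hits.append(Hit(msg["id"], msg["sender"], category, match.group(0)))
    return hits


def summarize_by_sender(hits):
    """Count hits per sender so supervision can identify the personnel involved."""
    return dict(Counter(h.sender for h in hits))


if __name__ == "__main__":
    found = flag_off_channel(SAMPLE_MESSAGES, exclude_senders={"compliance@firm.example"})
    for h in found:
        print(f"{h.message_id} {h.sender} [{h.category}] matched {h.term!r}")
    print("hits per sender:", summarize_by_sender(found))
```

Every hit still needs human disposition: a compliance reminder that names WhatsApp is a reference, not a violation, whereas “text me on my cell” in a trade discussion is exactly the pattern the September 2022 orders describe. The query should be re-tuned after each review cycle so that terms that produced only noise are dropped and newly observed channels are added.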
SEC Proposed Cybersecurity Risk Management Rules
On February 9, 2022, the SEC proposed Rule 206(4)-9 under the Advisers Act, which would require RIAs to adopt and implement written cybersecurity policies and procedures addressing the following elements:
- Risk Assessment
- User Security and Access
- Information Protection
- Threat and Vulnerability Management
- Cybersecurity Incident Response and Recovery
Along with the required elements above, the proposed rule would require RIAs to review their cybersecurity policies and procedures at least annually, culminating in a written report. The report should assess both the effectiveness of the policies and whether they remain appropriately tailored to the adviser’s cybersecurity risks over the relevant period. In proposing these requirements, the SEC acknowledges that a cybersecurity expert may be needed to prepare a proper review; however, adviser personnel should participate so that the review reflects an organizational perspective and not solely an outside one.
Proposed Rule 204-6 would also create Form ADV-C, on which RIAs would be required to report significant cybersecurity incidents to the SEC. Form ADV-C would have to be filed promptly, and in no event more than 48 hours after the adviser has a reasonable basis to conclude that a significant incident has occurred or is occurring. A significant adviser cybersecurity incident is defined as “a cybersecurity incident, or a group of related incidents, that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, where the unauthorized access or use of such information results in: (1) substantial harm to the adviser, or (2) substantial harm to a client, or an investor in a private fund, whose information was accessed.” Advisers would also be required to amend a previously filed Form ADV-C if any reported information becomes materially inaccurate or if new material information about the incident is discovered.
While the proposed rule has yet to be adopted, advisers should begin assessing the maturity of their cybersecurity program now. Conducting a cybersecurity review in advance of the rule’s adoption would be a prudent course of action. Review items to consider include:
- Vulnerability Scanning and Assessments
- Cybersecurity Training
- Access Logging and Controls
- Backup and Recovery Systems
- Vendor Due Diligence
- External Penetration Testing
- Incident Management
In conclusion, an appropriately tailored compliance program requires vigilance and commitment. At Centaur, our goal is to protect you and your firm as your trusted partner. We are highlighting these issues because the compliance landscape is evolving rapidly, and as the landscape evolves, so should your compliance program.
Over the course of 2023, we plan to track further developments and keep our readers informed. To join our mailing list, send an email to firstname.lastname@example.org