According to a report released last week by the New York Department of Financial Services (NYDFS), the financial industry has a long way to go in overseeing the cybersecurity capabilities of outside vendors who carry out critical banking functions.
Last week’s report follows a year of activity on that front. In a May 2014 report, the NYDFS concluded—based on a survey of over 150 banks—that the financial industry’s increasing reliance on third-party vendors could create critical cybersecurity risks. Following that report, the NYDFS conducted a second survey of 40 banks concerning how they address cybersecurity with respect to third-party vendors. The second survey resulted in last week’s report. As a result of its findings, the NYDFS is considering new regulation that would impact financial institution oversight of third-party vendors.
THE NYDFS REPORT’S FINDINGS REGARDING VENDORS AND CYBERSECURITY
Last week’s report on vendors focused on four critical areas:
1. due diligence processes;
2. policies and procedures governing relationships with third-party vendors;
3. protections for safeguarding sensitive data; and
4. protections against loss incurred by third-party failures.
According to the report, almost every institution surveyed conducted risk-based due diligence on vendors, classifying vendors with access to sensitive data as high-risk, and conducting cybersecurity risk assessments on those vendors. In addition, 90 percent of surveyed institutions require vendors to comply with cybersecurity standards. However, fewer than half of the institutions surveyed required on-site due diligence of vendors: only 46 percent required initial on-site due diligence of potential vendors; and even fewer—35 percent—required periodic on-site due diligence of even those vendors classified as high-risk.
A more complete analysis of the report can be found in our client alert, available here.
The SEC’s Office of Compliance Inspections and Examinations (OCIE), in a Risk Alert dated April 20, 2015, announced a program of focused, risk-based compliance examinations targeting investment companies that have never been examined. OCIE’s “Never-Before Examined Investment Company” (NBE IC) Initiative, which is part of OCIE’s National Examination Program, will focus on higher-risk areas of concern to the SEC.
The Risk Alert states that the NBE IC Initiative will focus on open-end funds, closed-end funds, and underlying insurance funds, particularly those complexes that launched one or more years ago. Key areas of focus include:
- A fund’s Rule 38a-1 compliance program (and the related Rule 206(4)-7 compliance programs adopted by a fund’s adviser). OCIE likely will focus on:
  - proxy voting policies for both portfolio holdings and fund shares;
  - timeliness and accuracy of the registration statement and other required filings; and
  - codes of ethics.
- Annual contract reviews under Section 15(c). The review of advisory and sub-advisory contracts will assess:
  - the adequacy of the board’s determination that fees are fair and reasonable (see our related blog post); and
  - how the adviser manages conflicts of interest with respect to a fund and the fees received from that fund.
- Advertising and distribution. OCIE is perennially interested in this subject, and the NBE IC Initiative will include a review of advertisements and distribution policies to ensure that:
  - advisers have established a process to review and approve advertisements; and
  - funds have established adequate procedures to ensure that shareholders receive disclosed breakpoints.
- Valuation and NAV calculation. OCIE staff notes that funds are required to calculate their NAV daily, and that such calculation is driven by the valuation of portfolio assets. OCIE staff intends to review policies and procedures related to valuation and the calculation of NAV and, importantly, a fund board’s processes for overseeing the valuation of portfolio holdings.
- Leverage and derivatives. Although much about the SEC’s views on investment company use of derivatives and leverage is in a state of flux, OCIE continues to focus on these areas as a priority in examinations. Accordingly, funds should be prepared to provide information related to:
  - compliance with the asset coverage requirements of Section 18;
  - policies for segregating assets to cover exposure; and
  - adequacy of registration disclosures concerning use of derivatives, leverage, and related risks.
OCIE effectively has delivered NBE ICs a syllabus for their upcoming exams. Registered funds that have not yet been examined by OCIE staff should carefully review the Alert and update their policies and procedures in anticipation of an imminent compliance exam.
The SEC sanctioned a registered investment adviser for breaching its fiduciary duty by failing to disclose to its clients a conflict of interest created by a portfolio manager’s outside business activity and personal investments. The SEC found that the firm violated, among other things, Rule 206(4)-7 under the Advisers Act, which requires registered investment advisers to adopt written compliance policies reasonably designed to ensure that the adviser does not violate the federal securities laws.
The SEC also found that:
- The firm caused certain affiliated mutual funds to violate Rule 38a-1 under the 1940 Act, which imposes similar requirements to adopt written compliance policies on registered funds; and
- The firm’s CCO caused the firm and its affiliated funds to violate the compliance rules.
According to the SEC, the portfolio manager managed funds and accounts that invested in the energy sector and, while employed by the firm, the portfolio manager established a family-owned business that operated in the energy sector. Over time, that business formed a joint venture that became the largest holding in the funds and accounts managed by the portfolio manager. Importantly, the portfolio manager’s compensation included a portion of the investment management fees earned on the funds and separate accounts that he managed.
Although the firm had a policy related to private investments by firm personnel, and the formation of the family-owned business was not consistent with that policy, the SEC found that the firm did not take any action to address that compliance breach when it was discovered. Moreover, the firm failed to disclose to the boards of affiliated funds and other clients that there had been a material compliance violation. The SEC said that this violated the firm’s fiduciary obligation to eliminate the conflict of interest created by an outside business activity or to disclose it to the boards of affiliated funds and other advisory clients. By failing to do so, the SEC said, the firm “deprived its clients of their right to exercise their independent judgment to determine whether the conflict might impact portfolio management decisions.”
The SEC also found that, by failing to report a material compliance matter to the board of certain affiliated funds, the firm caused such funds to violate Rule 38a-1. The firm and the CCO were found to have “denied the funds’ boards critical compliance information alerting them to [the] outside business interests.”
The firm was fined $12 million, and the CCO was fined $60,000. In addition, the firm was required to retain an independent compliance consultant.
In light of this action, firms should evaluate whether their compliance policies are, in fact, “reasonably designed” to ensure compliance with the federal securities laws. In particular, firms should ensure that they have adopted policies related to outside business activities by key employees and that such policies reflect how the firm will assess, mitigate and monitor any conflicts of interest presented by outside business activities.
CCOs should also be cognizant that the SEC believes the obligation to design procedures for monitoring and assessing, on an ongoing basis, any identified conflicts of interest lies squarely on the shoulders of the CCO. Failure to do so may result in a CCO causing a firm to violate its obligations under the compliance rules. Once again, it appears the SEC is signaling that the role of the CCO as gatekeeper is not one to be undertaken lightly.
The SEC’s Division of Investment Management on April 3, 2015, said that it will not recommend enforcement proceedings against an investment adviser that structures a three-tier fund allowing certain funds to invest in a “Central Fund” established to create operational efficiencies.
Under the proposed structure, the investment adviser will establish a fund of funds that invests in shares of other funds in the same complex that, in turn, invest assets in a Central Fund. Ordinarily, this arrangement would violate the antipyramiding provisions of Sections 12(d)(1) and 17(a) of the 1940 Act, which were designed to prevent potential abuses of control, fee layering, and investor confusion.
The staff said that it would not recommend an enforcement action under the following conditions:
- Shares of the Central Fund would only be sold to other funds within the same complex for reasons of efficient portfolio management;
- The underlying funds’ manager will waive the management fees otherwise payable by the underlying funds in an amount equal to any management fees paid by the Central Fund;
- Shares of the Central Fund would not be subject to a sales load, redemption fee, or distribution fee;
- The underlying funds would have to otherwise comply with Section 12(d)(1)(G) of the 1940 Act; and
- An underlying fund cannot invest more than 5 percent of its assets in the Central Fund, or more than 10 percent of its assets in investment companies, generally.
The staff also required the boards of each fund of funds and underlying fund that invests in the Central Fund (including a majority of the disinterested board members) to consider (i) the reasons for the underlying fund’s proposed investment in the Central Fund, and (ii) the benefits expected to be realized from the investment by the fund of funds or the underlying fund, and by their shareholders.
Fund compliance policies and procedures should address the receipt of gifts or entertainment by fund advisory personnel, according to guidance published by the SEC’s Division of Investment Management.
Section 17(e)(1) of the Investment Company Act of 1940 (1940 Act) generally prohibits first-tier or second-tier affiliates of a registered fund, acting as agent, from accepting from any source any compensation (other than regular salary or wages from the registered fund) for the purchase or sale of any property to or for the registered fund, except in the course of the person’s business as an underwriter or broker. The staff noted that fund advisory personnel are second-tier affiliates of a fund, and that they generally act as agents of a fund. Thus, for example, fund portfolio managers who accept gifts or entertainment from a broker-dealer in connection with the purchase or sale of a fund’s portfolio securities, would violate Section 17(e)(1).
Courts have held that the mere receipt of compensation is enough for a violation of Section 17(e)(1); a showing of intent to influence the actions of a fund or economic injury to the fund is not required. There is no de minimis exception. To violate the section, however, there must be some nexus between the compensation received and the property bought and sold.
The staff guidance states that funds should address compliance with Section 17(e)(1) in their compliance programs adopted and implemented pursuant to Rule 38a-1 under the 1940 Act. The staff noted that a fund’s and an adviser’s policies and procedures related to gifts and entertainment may vary (e.g., blanket bans or preclearance mechanisms), and will depend on the nature of the business. Moreover, the staff reminded funds and their boards that fund compliance policies must provide for oversight of fund service providers, including investment advisers. Thus, fund compliance officers should seek to ensure that the adviser’s compliance policies and procedures appropriately address the receipt of gifts and entertainment by fund advisory personnel.
In testimony before the House Committee on Financial Services on March 24, 2015, SEC Chair Mary Jo White said that she supports a uniform fiduciary standard of conduct for broker-dealers and investment advisers that provide personalized securities advice to retail customers. She detailed plans for rules concerning enhanced risk monitoring and regulatory safeguards for asset managers.
Uniform fiduciary standard
White testified that she asked the SEC staff to develop rulemaking recommendations for the SEC to consider, taking into account the SEC staff recommendations contained in a 2011 report to Congress on this issue, and the views of other interested persons. She cited three challenges that the SEC faces in adopting rules:
- How to define the standard. White said she favors a principles-based approach rooted in fiduciary duty applicable to investment advisers.
- How to provide clear guidance on what the standard would require. This guidance would address how current business practices can or cannot continue under the new standard.
- How to provide meaningful application, examination and consistent enforcement of a new uniform standard. Central to this challenge, she explained, is extending examination coverage for registered advisers.
The basis of the regulatory initiative is Section 913 of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, which granted the SEC authority to impose a uniform standard of conduct for broker-dealers and investment advisers that provide personalized investment advice. Section 913 required the SEC to report to Congress on its recommendations, which the SEC submitted in 2011.
Risk monitoring and regulatory standards
Separately, White said that under the authority of Section 965 of the Dodd-Frank Act, the Division of Investment Management established a new risk and examinations office (REO). She said that REO is developing recommendations for the SEC to “modernize and enhance data reporting for both funds and advisers.” Among other things, the initiative would:
- Update the reporting of basic fund census information;
- Enhance reporting of fund investments in derivatives, liquidity, valuation of holdings and securities lending practices; and
- Collect more information on separately managed accounts.
White said that the Division of Investment Management is also considering whether the SEC should require enhanced risk management programs for mutual funds and exchange traded funds (ETFs), to address risks related to liquidity and use of derivatives, and to enhance the SEC’s oversight of these activities. In particular, she said that the Division is reviewing options for:
- Updated liquidity standards;
- Disclosure of liquidity risks;
- Measures to limit leverage through the use of derivatives;
- “Transition plans” to prepare for the winding down of investment advisers’ businesses; and
- Annual requirements for stress testing by investment advisers and funds.
White also addressed other issues on the SEC’s agenda, including issuer disclosure and capital formation; trading and markets; economic analysis, risk assessment and data analytics; and enforcement. See MoFo’s Thinking Capital Markets blog concerning “Chair White’s Testimony on SEC Initiatives,” available here.
Both the U.S. Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) have recently issued guidance to broker-dealers on cybersecurity, providing valuable resources for them and for registered investment advisors to combat the growing threat of cyber-attacks. The two reports should provide the tools and information needed by those broker-dealers who have put off focusing on cybersecurity to strengthen their data protection capabilities. Broker-dealers would do well to read these reports in full and then apply their useful industry intelligence toward improving their systems and procedures.
As demonstrated by recent high-profile data breaches, such disruptions can have financially devastating and long-term consequences for companies of all types. Fortunately, both of these reports contain vital information for firms interested in effectively protecting their customers’ private information. By examining particular firms’ cybersecurity practices, the reports provide others with the opportunity to bolster their information-security policies to match the industry leaders, most critically in the following areas: responding promptly to cyber-attacks; cultivating a culture of compliance from the senior level down; training internal staff and outside vendors on information security; and purchasing cybersecurity insurance. With the benefit of these resources and others, firms might find that the job is not as daunting as they feared.
To read the full report, click here.