Recently, the Securities and Exchange Commission (SEC) has been active both in pursuing numerous enforcement actions and launching additional compliance examination initiatives.[1] The SEC’s Office of Compliance Inspections and Examinations (OCIE), for instance, is performing presence examinations on newly registered investment advisers,[2] has recently announced examination initiatives targeting never-before examined registrants[3] and cybersecurity preparedness,[4] and is forming a specialized unit of dedicated private funds examiners.[5] The following is a summary of recent compliance updates released by the SEC regarding social media and cybersecurity, as well as best practices and practical advice to assist firms in maintaining a compliant business and avoiding deficiencies in the event of an examination.
Social Media and the Testimonial Rule:
The SEC’s Division of Investment Management issued a guidance update in March 2014 lessening the impact of the testimonial rule of the Advisers Act of 1940, as amended (Advisers Act) on the use of social media.[6] Pursuant to this newly released guidance, an investment adviser (Adviser) can publish public commentary from an independent social media site (Site) on its own internet or social media site without implicating the testimonial rule[7] if:
- the Adviser cannot affect which public commentary is included, how it is presented, or commentators’ ability to post, and the Site allows viewing of all public commentary and updates it on a real-time basis;
- the Site provides content that is independent of the Adviser;
- there is no material connection between the Adviser and the Site that would call into question the independence of the site or the commentary on it, such as a payment arrangement or commentary prioritization arrangement (Material Connection); and
- the Adviser publishes all of the unedited comments on the Site regarding itself.
Advisers may do the following without implicating the testimonial rule, subject to some limitations:
- provide a mechanism for sorting the commentary for use by social media users, so long as the Adviser itself does not sort the commentary;
- publish testimonials with a mathematical average of the commentary, so long as the ratings system was not designed to elicit pre-determined results, and neither the Site nor the Adviser provides subjective analysis of the commentary;
- refer readers of a newspaper or other print advertisement to a Site that has public commentary, so long as they do not publish the testimonials in the advertisement;
- advertise themselves on a Site with public commentary, so long as a) the relationship is not a Material Connection and b) it is clear that the advertisement is a sponsored statement; and
- show lists of contacts or “friends,” so long as there is no implication that those contacts have experienced favorable results from the Adviser in the past.
Advisers should avoid the following conduct that may implicate the testimonial rule:
- submitting commentary itself that is included on the Site;
- editing, designating the presentation order, or restricting the publication of all or part of the commentary;
- compensating a person (employee, other supervised person, client or prospective client) in any way to submit testimonials about the Adviser on a Site, and then using those testimonials in an advertisement; and
- referring users to content of a third party community or fan page, or republishing such content in any way.
If Advisers do take advantage of these newly established permissible social media activities, it is likely that the SEC will carefully review their social media practices during an examination. Also, any Advisers that choose to utilize social media according to these newly published guidelines should modify their procedures to follow the guidance and monitor on an ongoing basis both their performance of those procedures and the Sites they use commentary from.
As indicated by the SEC’s Cybersecurity Roundtable hosted in March, the SEC has begun to view cybersecurity as an integral part of investor protection.[8] As part of an ongoing cybersecurity initiative, the SEC has since announced in a Risk Alert that OCIE will be performing cybersecurity preparedness examinations.[9]
Who will be examined: over 50 registered broker-dealers and registered investment advisers.
Examination focus areas: OCIE’s examiners will focus on cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access, funds transfer requests, vendors and other third parties, detection of unauthorized activity, and past experiences with cybersecurity threats.
Likely document requests:[10]
- Policies and procedures related to the following:
- written information security policy and business continuity of operations plan;
- identify any published cybersecurity risk management process standards the firm has modeled its processes on;
- identify specific practices and controls regarding protection of networks and information that the firm utilizes, and provide any relevant policies and procedures regarding those items;
- procedures to verify authenticity of email requests to transfer customer funds;
- policies to address responsibility for losses associated with attacks or intrusions that impact customers;
- policies and procedures and training materials regarding information security procedures for vendors and business partners authorized to access the firm’s network; and
- an affirmation that the firm updated its written supervisory procedures to reflect the Identity Theft Red Flags Rules, or an explanation of why it did not.
- Detailed information regarding:
- vendors, business partners and third parties who conduct remote maintenance;
- cybersecurity risk assessments of vendors and partners that have access to firm networks, data and sensitive information;
- certain practices the firm uses to assist in detecting unauthorized activity on networks and devices, including how and by whom the practice is carried out;
- information security compliance audits;
- if the firm provides online account access, information regarding the service provider, functionality of the platform, customer authentication, deletion software, customer PIN security measures and information given to customers regarding reducing cybersecurity threats; and
- whether the firm has experienced certain types of cybersecurity events since January 1, 2013, including information regarding the duration, frequency, and severity of such events, as well as the remediation efforts.
How to prepare:
- evaluate and assess your supervisory, compliance and/or other risk management systems, policies, and procedures related to the risk focus areas above and any other cybersecurity risks;
- make any appropriate changes to address or strengthen such systems, policies, and procedures; and
- gather documentation of such changes as well as those documents listed above, particularly any relevant policies and procedures.
Additional Areas of SEC Focus; OCIE Examination Practical Tips:
The SEC is not just looking for fraud anymore. This past October, Chair Mary Jo White announced that the SEC has begun to focus on comparatively minor violations,[11] emulating New York Mayor Rudy Giuliani’s “broken windows” law enforcement regime. The core theory behind the “broken windows” program is that when minor violations are overlooked or ignored, they can lead to bigger violations.[12] Further, in a speech given on May 6, 2014, OCIE Director Drew Bowden confirmed industry rumors that OCIE is forming a special unit of examiners that will focus on examinations of advisers to private funds.[13] Following these practical tips may help to avoid some stumbling blocks that the SEC is now much more prone to highlight as deficiencies:
- Carefully follow established valuation methods: Examiners will be looking specifically for indications of cherry-picking and additions of inappropriate items into EBITDA without a rational reason for the change or sufficient disclosure to investors, and changes in the valuation methodology from period to period without additional disclosure where there is no logical reason for the change in methodology. Advisers should use the same valuation methodology that was originally disclosed to investors. If a new methodology is used, advisers should maintain documentation of the reasons behind the decision to use the new methodology and disclose the new valuation methodology to investors.
- Explicitly detail the division of expenses in your fund documents: Examiners will pay close attention to whether expenses are clearly allocated to the fund or to the investment manager/general partner. Examiners focusing on the private fund space will also specifically look for hidden fees coupled with expense-shifting. The SEC has noted a lack of clarity in operative fund documents as to what constitutes a fund expense and what constitutes an investment manager/general partner expense, which can lead to deficiencies during an SEC examination.
- Evidence a genuine commitment to compliance policies: Examiners will start their analysis by evaluating whether an adviser has appropriate policies and procedures given the size and scope of its operations. Advisers should confirm that their compliance departments have adequate resources and that their compliance policies are reviewed and revised as needed to properly reflect their specific needs.
- Demonstrate a “tone at the top” evidencing a commitment to compliance: Examiners will take a cue from the behavior of the people in charge.[14] Advisers should ensure that their leadership maintains a pro-compliance “tone at the top” to help avoid enforcement referrals in the event of an OCIE examination.