Articles Tagged with SEC

Published on:

Threats go way beyond simple theft of client information — Can you fend off a big heist?

Recently, the government identified hedge funds as a “weak link in the U.S. financial system’s defense against hackers and terrorists.” The messenger was no less than John Carlin, head of the Justice Department’s National Security Division, speaking at this year’s annual SALT hedge fund conference in Las Vegas. Since then, there have been reports that some of the biggest names in asset management and banking were affected by cyber-attacks. It is, in fact, a Who’s Who of asset managers, banks, and brokers.

This February, the SEC’s summary of its cybersecurity sweep revealed that over three-quarters of the 100 brokers and advisers examined were subject to cyber-attacks, directly or through third-party service providers, even though upward of 80% of broker and adviser firms have implemented cybersecurity policies. The SEC followed up with guidance in April, making it clear that it intends to conduct more exams of advisers. These exams will be “more substantial,” with longer onsite visits and sit-down meetings with senior management.

Yet for all the heartburn caused by these SEC examinations, they seem to be only scratching the surface when it comes to the types of cyber-threats confronting hedge funds.

The SEC notes that it is focusing on protecting “client assets” by reviewing security measures such as password storage and the vetting of third parties. Those kinds of questions and exam goals indicate that the SEC is mostly interested in protecting against the theft of client data and information. But those are by no means the only potentially damaging threats faced by investment advisers, nor are they the only ones that can impact investor assets.

As Carlin pointed out in his comments, hedge funds are a particularly desirable target for criminal cartels, foreign governments, and militaries around the world, basically anyone seeking profit, disruption in financial systems, or both. Hedge funds have valuable and vast assets, including their trading strategies and trades, as well as algorithms, in addition to those the SEC is worried about. Hedge funds are also easier to hack than banks, which have recently reinforced their cybersecurity defenses and, unlike most hedge funds, have teams available to handle the threats.

All hedge fund managers and investment advisers should therefore question how effective their cybersecurity controls are in light of the following real threats posed by cyber-criminals:

  • Hacking and stealing your strategy and algorithms. They will use your own and your employees’ handheld and portable devices, social media posts, and blogs, for phishing and otherwise hacking your internal systems. They will use high-frequency trading algorithms to steal your proprietary trade information in order to front-run you or otherwise engage in manipulative trading. They will steal and use your algorithms to replicate your strategy.
  • Blackmailing and extortion. They will hack and encrypt your data, and blackmail you for payment in return for your data. The Department of Justice is reportedly working with several hedge funds on just such cyber-extortion cases, as Carlin remarked.
  • Corrupting your data and crippling your trading process: They will use a form of malware that will intentionally distort or change data, making information unreliable at best or useless at worst. Perhaps even worse, the corruption of proprietary algorithms used to make investment decisions could go unnoticed for some time. In that event, advisers and their clients face losses, regulatory action, and reputational damage following the disclosure – likely mandatory – of such an incident.
  • Wiping your data: Perhaps the most dreaded of all attacks: hackers have repeatedly demonstrated their ability to literally wipe servers clean of data. Victims are left scrambling to reconstruct files either from scattered data backups or even paper records. This process is extremely laborious and time-consuming, and is not guaranteed in any way to completely restore records. In fact, this type of event is virtually guaranteed to put a broker/dealer or investment adviser out of business, as the reputational damage alone will likely be catastrophic.
  • Disrupting your operations: Too many companies take for granted the availability of their information technology systems. And, when those systems fail, managers tend to assume a technical fault that can be resolved quickly. As the cyber-attack on Sony Pictures proved, however, any company can be paralyzed by the deliberate introduction of malware, which also happened in 2013 to a large hedge fund. A well-crafted attack can render a company unable to do business for months at a time. Unfortunately, the tools and skills needed to conduct such an attack against you are readily available across the globe.

The key takeaway is this: just focusing on making sure hackers don’t break into accounts to steal investor information is not enough. There are many other ways hackers can wreak havoc, and the financial industry has to be prepared to respond to that wide variety of scenarios.

Stay tuned for our article on tips to prevent, detect and respond to cyber-attacks.

Ildiko Duckor is a partner and co-head of Pillsbury Winthrop Shaw Pittman LLP’s Investment Funds and Investment Management Practice. She specializes in hedge funds. She can be reached at ildiko.duckor@pillsburylaw.com or 415-983-1035.

Brian Finch (@BrianEFinch) is a partner in Pillsbury Winthrop Shaw Pittman LLP’s Government Law & Strategies Practice. He specializes in cybersecurity. He can be reached at brian.finch@pillsburylaw.com or 202-663-8062.

Published on:

The Securities and Exchange Commission (SEC) today proposed rules, forms and amendments to modernize and enhance the reporting and disclosure of information by investment advisers and investment companies.

Investment advisers. The investment adviser proposed rules would amend the investment adviser registration and reporting form (Form ADV), and Investment Advisers Act Rule 204-2. On Form ADV, the proposed rules would require investment advisers to provide additional information for the SEC and investors to better understand the risk profile of individual advisers and the industry. Investment advisers would be required to report, among other things, detailed information about their separately managed accounts, including assets under management and types of assets held in the accounts. The proposed amendments to Investment Advisers Act Rule 204-2 would require advisers to maintain records of performance calculations and communications related to performance.

Investment companies. The investment company proposed rules would enhance data reporting for mutual funds, ETFs and other registered investment companies.  The proposals would require a new monthly portfolio reporting form (Form N-PORT) and a new annual reporting form (Form N-CEN) that would require census-type information.  The information would be reported in a structured data format, which would allow the SEC and the public to better analyze the information.  The proposals would also require enhanced and standardized disclosures in financial statements, and would permit mutual funds and other investment companies to provide shareholder reports by making them accessible on a website.

Highlights of the investment adviser and investment company proposals are available HERE.

The SEC is requesting comments, which should be submitted so as to be received within 60 days from publication of the proposed rules in the Federal Register.

Published on:

The expense provisions of many private fund governing documents are becoming longer and more detailed for good reason – increased Securities and Exchange Commission (SEC) scrutiny and prosecution relating to expense allocation and disclosure.

On April 29th, the SEC announced charges against Alpha Titans LLC, a hedge fund advisory firm, its principal, Timothy P. McCormack and its general counsel, Kelly D. Kaeser, for improper use of fund assets to pay expenses that were not previously disclosed to fund investors. According to the SEC, office rent, employee salaries and benefits and other expenses totaling more than $450,000 were paid by two affiliated private funds without adequate disclosure or authorization. The SEC further alleged that Alpha Titans, McCormack and Kaeser sent investors audited financials that did not disclose that approximately $3 million of expenses pertained to transactions involving affiliates of McCormack.

According to the SEC, the funds’ outside auditor, Simon Lesser, was aware of the manner in which expenses and assets were allocated, yet approved audit reports containing unqualified opinions that the financial statements were presented fairly. He was charged with engaging in improper professional conduct in connection with an audit of the funds’ financial statements. The advisory firm also was charged with custody rule violations relating to its distribution of non-GAAP-compliant financial statements.

All of the charges were settled without admission or denial of responsibility; however, not without significant cost. McCormack and Kaeser will be barred from the securities industry for one year and Kaeser will be unable to represent an SEC-regulated entity for one year. Lesser will be suspended from providing accounting services on behalf of an entity regulated by the SEC for at least three years. Substantial monetary penalties also were assessed and the advisory firm and its principal agreed to pay disgorgement and prejudgment interest.

The lesson for private funds, their advisers and outside auditors is simple. First, fund documents should clearly, accurately and thoroughly disclose the types and amounts of expenses to be charged to the fund or its investors. Second, fund managers must allocate expenses and use fund assets strictly in accordance with the relevant provisions in the fund documents. Finally, outside auditors must be diligent in reviewing expense allocations and the use of fund assets to determine compliance with fund documents.

There should be no doubt that the risk of non-compliance is real.

Published on:

The Division of Investment Management (the “Division”) of the Securities and Exchange Commission issued cybersecurity guidance identifying the cybersecurity of registered investment companies (“funds”) and registered investment advisers (“advisers”) as an important issue. Recognizing the rapidly changing nature of cyber threats and, consequently, the necessity for funds and advisers to protect sensitive information, including information of fund investors and advisory clients, the Division is suggesting a number of measures that funds and advisers may wish to consider in addressing the issue. To mitigate cybersecurity risk, the Division suggests that funds and advisers: 1) conduct a periodic assessment of their technology systems and security controls and processes to identify potential cybersecurity threats and vulnerabilities, 2) create a strategy that is designed to prevent, detect and respond to cybersecurity threats, and 3) implement the strategy through written policies and procedures, training of officers and employees, and investor and client education. In addition, the Division suggests that funds and advisers may wish to consider reviewing their operations and compliance programs to assess whether they have measures in place that mitigate their exposure to cybersecurity risk, as well as assessing whether protective cybersecurity measures are in place at service providers that they rely on in carrying out their business operations.

A full version of the cybersecurity guidance is available HERE.

Please call an Investment Funds and Investment Management attorney with your inquiries regarding your firm’s cybersecurity risks and compliance procedures that address them.

Published on:

In a February 2015 Guidance Update, the Securities and Exchange Commission’s Division of Investment Management (“SEC”) provided guidance on the acceptance of gifts or entertainment by fund advisory personnel under Section 17(e)(1) of the Investment Company Act of 1940 (the “Act”). Section 17(e)(1) provides that any affiliated person of a registered investment company, or any affiliated person of such person acting as agent, is prohibited from receiving any compensation, outside of regular salary or wages, for the purchase or sale of any property to or for the registered company or any controlled company thereof. The SEC has found that gifts or entertainment meet the definition of “compensation” as it is used in Section 17(e)(1), and proof of any intended or actual influence is not required. Pursuant to Rule 38a-1 of the Act, a fund must implement written policies and procedures designed to prevent the fund and its service providers from violating securities laws. The Guidance Update suggests that the policies and procedures concerning the receipt of gifts or entertainment should be included in the fund’s compliance policies and procedures, though it defers to the fund to determine whether there should be an outright ban, or a type of pre-clearance to determine if the gift or entertainment would violate Section 17(e)(1).

Published on:

The Securities and Exchange Commission (“SEC”) issued a cease-and-desist order on February 19, 2015 against SEC-registered Logical Wealth Management, Inc. and owner, Daniel J. Gopen, (together, “Respondents”).  The list of violations the SEC found the Respondents committed is extensive and includes improper registration, compliance, and recordkeeping. The SEC found the Respondents exaggerated their assets under management in order to register with the SEC, falsely reported their place of business as Wyoming, a state in which advisers are not regulated, and did not have compliance policies and procedures in place or books and records available to the SEC.  The SEC has ordered the Respondents to cease and desist, revoked Logical Wealth’s registration, barred Mr. Gopen from any advisory activity and imposed a $25,000 civil penalty.

Published on:

We want to remind you of your firm’s annual investment adviser registration amendment (Form ADV annual amendment) which must be filed on the IARD system on or before March 31, 2015.  This deadline applies to all SEC and State registered advisers as well as Exempt Reporting Advisers (ERAs) with a December 31, 2014 fiscal year end.

Please let us know as soon as you can if you need our assistance in preparing and submitting your Form ADV annual amendment filing this year.

Also, for SEC registered advisers and ERAs, please note that your annual IARD fee must be paid before you can submit your annual amendment.  The fees are based on your firm’s regulatory assets under management as follows:

| Regulatory Assets Under Management | Initial Registration Fee | Annual Updating Amendment Fee |
|---|---|---|
| $100 million or more | $225 | $225 |
| $25 million to $100 million | $150 | $150 |
| Less than $25 million | $40 | $40 |
| SEC Exempt Reporting Adviser | $150 | $150 |

To view FINRA’s current IARD Account Payment Methods and Addresses, please click HERE.

If you or your compliance officer is handling your Form ADV filing and you would like us to review your drafts, please feel free to contact us also.

Published on:

The Securities and Exchange Commission (“SEC”) charged Charles L. Hill Jr. with insider trading in connection with his purchase of shares of Radiant Systems stock the day before a merger was announced. Mr. Hill became aware of the material non-public information through a friend who obtained the information from his close friend, the Radiant COO. Mr. Hill had made no equity purchases in over four years before buying $2.2 million of Radiant stock before the announcement. The day after the merger was announced Mr. Hill sold his entire equity interest for a profit of approximately $744,000. In the eyes of the SEC, trading on material nonpublic information learned from a third party is no different from trading on information received directly from an insider.

Published on:

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) recently released its annual examination priorities.  In 2015, OCIE will focus on three primary “themes” involving broker-dealers, investment advisers and transfer agents:

  1. Retail Investors – OCIE will look at important matters for retail investors and investors preparing for retirement, including whether the products, advice, services and information being offered to them are consistent with current laws, rules and regulations;
  2. Market-Wide Risks – this is a broad theme which focuses on structural risks and trends involving whole industries or multiple firms; and
  3. Data Analytics – OCIE continues to increase its ability to analyze large amounts of data to identify registrants that may be conducting illegal activity.

Retail Investors – Advisers to retail investors and investors saving for retirement will be scrutinized by the SEC in 2015. The OCIE will assess fee selection where the adviser offers a variety of fee arrangements as well as reverse churning. Further, where advisers recommend moving retirement assets from employer-sponsored plans into other investments or accounts, OCIE will examine whether the sales practices used were improper or misleading. OCIE will also be reviewing the suitability of complex or structured products and higher yield securities and how well representatives in branch offices are being supervised by the home office.  The SEC may have an interesting opportunity to demonstrate whether it is serious in going after those who target seniors.

On February 5, 2015, SEC Commissioner Luis A. Aguilar and Investor Advocate, Rick A. Fleming, gave speeches at The American Retirement Initiative Winter Summit about advocating for investors saving for retirement and protecting elderly investors from financial exploitation.

Under the umbrella theme of “retail investors,” the OCIE will be assessing alternative investment companies and the focus of the exams will be (i) liquidity, leverage and valuation; (ii) the way the funds are marketed; and (iii) the internal controls, staffing, funding and empowerment of boards, compliance and back-offices. Mutual funds with material exposure to interest rate increases will be reviewed by OCIE to ensure they have the appropriate compliance policies and procedures and trading and investment controls in place to prevent their disclosures from being misleading and to be sure their investment and liquidity profiles are consistent with the fund’s disclosures.

Assessing Market-Wide Risks – The OCIE will focus in 2015 on structural risks and trends that involve whole industries or multiple firms. In collaboration with the Division of Trading and Markets and the Division of Investment Management, the OCIE will monitor the largest asset managers and broker-dealers. Through a risk-based approach, the OCIE will conduct annual examinations of all clearing agencies that have been designated systemically important. Furthering the OCIE’s 2014 efforts to examine the cybersecurity preparedness of registrants, 2015 will see a continuation of the initiative and an expansion of the initiative to include transfer agents. OCIE will also be looking into whether firms are giving priority to trading venues due to credits or payments for order flow, thus violating their best execution duties.

Data Analytics – The OCIE has made strides in developing data analytics that it can use to identify and examine firms and other registrants that may be engaged in fraudulent or illegal activity. The examination initiatives for which the OCIE will use data analytics include recidivists, microcap fraud, excessive trading and anti-money laundering.

Other Initiatives – Along with the primary themes discussed above, the SEC will continue to examine never-before examined investment advisers and newly registered municipal advisers. Advisers to private equity funds can expect to have their fees and expenses examined as a result of OCIE’s observed high rates of deficiencies. In addition to examining proxy advisory service firms, OCIE will also look at investment advisers’ compliance with their fiduciary duty to vote proxies on their investors’ behalf.

Advisers and broker-dealers should always be prepared for an SEC examination and ensure all written policies and procedures are in place and regularly audited for efficacy and compliance. Should you be subject to an examination, any deficiencies noted by the SEC should be addressed and rectified in a timely manner.

Published on:

On February 3, 2015, the Securities and Exchange Commission (“SEC”) released two publications addressing cybersecurity at advisory and brokerage firms. The first publication, a Risk Alert, relays the findings from the examinations of more than 100 investment advisers and broker-dealers and focuses on how they: (i) establish cybersecurity policies and procedures and oversee the processes; (ii) identify cybersecurity risks; (iii) protect information and networks; (iv) identify and address the risks associated with funds transfer requests, remote access to client information and third-party vendors; and (v) detect activity that is unauthorized. The SEC’s Office of Investor Education and Advocacy released the second publication, which provides tips for investors to better safeguard their online investment accounts. Its recommendations include using a strong password and a two-step verification process.

The SEC’s recent examinations found that 93% of examined broker-dealers and 83% of examined investment advisers have adopted cybersecurity policies. However, whereas 89% of the broker-dealers periodically audit compliance with the policies, only 57% of investment advisers conduct periodic cybersecurity compliance audits. The SEC continues to place high importance on cybersecurity, and every broker-dealer and investment adviser should ensure they have adequate written policies and procedures in place and test them periodically.