On February 7, 2023, the Securities and Exchange Commission’s Division of Examinations announced its 2023 examination priorities. The Division publishes its examination priorities annually to provide insights into its risk-based approach, including the areas it believes present potential risks to investors and the integrity of the U.S. capital markets. (To view the official press release from the U.S. Securities and Exchange Commission, see here: https://www.sec.gov/news/press-release/2023-24 )
Deeply embedded in the alternative investment community, Align Managed Services, alongside leading industry experts, shares its initial thoughts on the SEC’s priorities for 2023.
Align Experts & Industry Experts Weigh In:
Gary Berger, Partner and Financial Services Industry Leader, Northeast, CohnReznick
"The 2023 examination priorities released by the SEC’s Division of Examinations reflect the regulatory agencies’ continued interest in encouraging fund managers to increase transparency to all stakeholders. Fund managers that have built a solid infrastructure and comprehensive policies and procedures and work with experienced service providers shouldn’t take issue with the 2023 examination priorities. We anticipate a continued increase in private fund examinations and are working with our clients to get them ready."
Vincent Calcagno, Executive Managing Director, Fund Solutions, E78 Partners
"I really do think that the SEC does a great job throughout the year providing GPs and their executive teams with salient information regarding their investment management businesses. From transparency reports regarding enforcement results, detailed risk alerts, to this week’s announcement of 2023’s exam priorities. Based on our decade plus of partnering with private fund managers, at E78 Partners (formerly Agile Fund Solutions) we are able to help GPs move from viewing exam priorities with a regulatory compliance lens to a valuable operational best practice focus. For instance, this year’s continued focus on Information Security and Operational Resiliency – from our perspective, there’s not a single operational due diligence meeting we’ve been a part of that those areas aren’t top of mind for institutional investors allocating capital to private funds.
If you haven’t built your business or complemented it with the right partners to address these areas you simply will not be successful in scaling and thriving as an investment manager."
Todd Cipperman, Managing Principal, Cipperman Analytics
“It’s great that the Division of Examinations offers up these priorities every year. It serves as a guide for firms and their compliance officers. The question I always have is what comes off the list? It seems the SEC just adds additional items without ever editing what came in the past, thereby forever expanding regulatory oversight and compliance.”
Ed Fasano, Co-Founder, Head of Pre-Launch and Treasury Consulting Services, EAC LLC
“EAC continues to adapt to the day-to-day changes in the complex world of the asset servicing industry. Viewing this year’s SEC press release on the exam focuses of 2023, it is clear that there will be a focus on third party products and services. Here at EAC we have trusted Align with our internal IT and cybersecurity needs and additionally trust them with our clients’ IT infrastructure. As the outsourced market continues to expand, I expect that the scrutiny will only increase, as managers continue to outsource functions of their business. It is important for all market providers to focus on the internal and external security and integrity of their in-house processes and controls, to satisfy the SEC’s guidance in these areas.”
Dan Lyons, Managing Director, Business Development, Align Managed Services
"Emerging managers have prioritized practices to prevent interruptions to mission-critical services and to protect investor information, records, and assets with foundational technology controls. As I work with clients to implement the best operational systems for their organization it's always based on the root of having the best cybersecurity controls. With this, we focus heavily on exceeding investor demands and satisfying the SEC’s priorities when it comes to Information Security and Operational Resiliency. Align's clients leverage our focused solutions to implement the best systems/controls that range from access rights, data loss prevention, mobile device management through to the individual employees with cybersecurity training and phishing."
James Mignacca, CEO, Cavelo
"The SEC's 2023 examination priorities underpin the importance of firms and RIAs understanding the digital assets they have, and what sensitive data those assets contain. Broad technology adoption and shared systems mean that sensitive data lives everywhere; compliance requirements aside, firms have an obligation to institute appropriate controls to protect sensitive data from breach risk. The reality is that a firm's attack surface constantly changes. It extends beyond its organization and includes its third-party vendors, contractors and partners. Having real-time visibility to all digital assets and sensitive data across the organization helps firms properly map their attack surface and appropriately gauge and prioritize risk… which ultimately supports examination success."
Nick Miller, Partner, Seward & Kissel, LLP
"The SEC’s annual Examination Priorities memorandum is required reading for all RIAs and their service providers. Given the scale of our investment management practice (and the number of our clients that are under examination at any given time), we are rarely surprised at the content of the memorandum, but it neatly frames and reinforces what we are seeing on the ground. My key takeaway from the 2023 memorandum is that the Division of Examinations plans to continue to aggressively police compliance with the new marketing rule, including whether RIAs have adopted and implemented updated policies and procedures that address the new rule’s numerous requirements. Although certain areas of the new rule are crystal clear, there are a significant number of very difficult interpretive issues, and many RIAs are struggling with real-world implementation. My expectation is that the first wave of marketing rule enforcement actions will focus on situations in which enforcement staff can point to clear violations of the new rule (the “low hanging fruit”), and so it is critical for RIAs to have updated written policies and procedures and to have scrubbed their marketing materials and solicitation agreements before the SEC shows up at the door. Beyond compliance with the new marketing rule, the Division of Examinations will also continue to scrutinize private fund RIAs and their practices related to conflicts of interest and the allocation of fees and expenses, among other items.
I also expect to see enforcement actions in 2023 related to RIAs’ electronic communication retention and monitoring practices, following recent “sweep” examinations of large RIAs. The SEC charged a number of large broker-dealers with violations related to “off-channel communications” in the Fall of 2022, and in my opinion, it is only a matter of time before RIAs face similar charges. Given the practical difficulty of supervising and eliminating off-channel communications, the key for RIAs is to take reasonable preemptive steps that demonstrate best efforts at compliance. However, as with most items in this area, the effectiveness of this approach depends in large part on taking action before you are under examination."
Vinod Paul, Chief Operating Officer, Align Managed Services
"The spotlight from the SEC on Information Security and Operational Resiliency echoes the same underlying priorities of our Registered Investment Advisor clients. This magnifying glass from the Regulators (SEC) has also been clearly prioritized by the sophisticated investors community who understand that fund managers need equally strong pillars of technology, policies, procedures, cybersecurity controls and oversight guided by trusted experts. These pillars are assessed during the typical Operational Due Diligence (O.D.D.) process across technology and cybersecurity. We continue to help our clients with successful Operational Due Diligence by implementing controls with the understanding that a successful strategy for RIAs is to incorporate Information Security and Operational Resiliency controls from inception and build upon these controls as the organization matures."
Mark Sangster, Vice President, Chief of Strategy, Adlumin
"Following on the heels of the 2022 proposed updates to their cybersecurity rules, the SEC continues to signal its prioritization of cyber risk in its 2023 examinations. With the focus, examinations will target the use of third-party vendors, access of those external parties to non-public and protected information, and the unauthorized use of external vendors.
It's no surprise the SEC is spotlighting third-party vendors within the financial and investment communities. Funds routinely deploy cloud-based services including data management and SaaS applications, moving both residency and access to non-public client information to the cloud, where physical residency can vary greatly and globally. It adds another dimension in terms of risks from misconfigurations or unauthorized access to client data. The last few years have demonstrated that cybercriminals are adept at targeting critical vendors, embedding malicious code in cloud applications, and hijacking senior administrative vendor credentials to access sensitive data at the source.
Adlumin has a longstanding relationship with financial sectors and secures of 300 billion in assets under management. We are a key partner that not only secures their on-premises systems and data, but those in the cloud and remote devices and small offices. We have invested heavily in machine learning to hyper scrutinize activity to identify early-stage anomalies that signal the precipitation of a cyberattack across accounts, devices, and cloud services. What's more, our Security Operations Platform provides real-time compliance insights highlighting shortcomings, on-shelf regulatory reports that support attestations, and critical forensics and evidence that demonstrates their ability to identify unauthorized activity, stop it before it damages the fund, and prove to regulators that they are more than meeting their compliance standards. At Adlumin, we understand the risks to financial funds. We not only empower their security operations, we stand by and support them through regulatory examinations."
Molly Yakubian, Managing Partner, Vector AIS
"For RIAs managing private funds, the SEC’s tried-and-true focus on fee and expense allocation, the robust requirements concerning performance calculations and disclosures contained in the new marketing rule, and evolving regulations concerning treatment of crypto and digital assets are among the focus areas that we are zeroing in on with clients. Notably, the new marketing rule has required managers to invest in new systems and processes to ensure they have the necessary data to provide the required disclosures. The additional information can also be complex and difficult to communicate to investors in a clear and concise manner, which may require significant effort to ensure compliance with the new rule. These challenges highlight the importance of fund managers working closely with strong fund administration, legal, and compliance professionals to ensure that their marketing practices are in line with the new requirements. These focus areas, coupled with the upcoming sweeping Private Funds rule, necessitate having a strong fund administration partner that understands the nuances of the regulatory environment and has the expertise to adapt."
Chris Zadrima, Managing Director, Align Managed Services
"From a technology perspective, it is entirely evident when reading the SEC’s 2023 Examination Priorities that foundational technology controls along with their corresponding written policies and procedures will continue to be a fundamental requirement for Registered Investment Advisors (RIAs). Leveraging the right technology platform and partner provides the basic framework for success to help navigate the ever-changing technology landscape both for RIAs and their third-party providers.
The key for RIAs is finding the intersection point between an efficient and modern technology experience for their users and the compliance and security requirements placed upon them by investors and the SEC. In addition to the SEC’s continued prioritization of policies, procedures and governance of these technical controls, the SEC will increase their focus on cybersecurity technology and controls. More importantly the ability to respond to a cyber-related incident according to those controls and policies is paramount. Foundational technology controls along with the right cyber security measures should be the standard operating procedure.
As one of the architects of the Align IT Suite, a fundamental principle for Align Managed Services is to deliver a technology platform that has cross functional utility, enabling Registered Investment Advisors to meet fundamental informational security/operational resiliency requirements while empowering them to work efficiently and securely across their ecosystem along with their third-party providers."
About the Contributors:
Gary Berger - Partner and Financial Services Industry Leader, Northeast, CohnReznick
Gary is an audit partner at CohnReznick where he is extensively involved in the Firm’s Financial Services practice and has more than 30 years of experience serving domestic and offshore hedge funds, private equity funds, venture capital funds, and fund of funds.
Vincent Calcagno - Executive Managing Director, Fund Solutions, E78 Partners
Todd Cipperman, Managing Principal, Cipperman Analytics
Ed Fasano, Co-Founder, Head of Pre-Launch and Treasury Consulting Services, EAC LLC
Dan Lyons, Managing Director, Business Development, Align Managed Services
James Mignacca, CEO, Cavelo
As CEO of Cavelo, James helps businesses proactively reduce cybersecurity data risk and achieve compliance with automated data discovery, classification and reporting. Cavelo's cloud compatible data risk management platform continuously scans, identifies and classifies sensitive data across machines, servers and cloud applications, simplifying compliance reporting and risk remediation.
Nick Miller, Partner, Seward & Kissel, LLP
Nick advises sponsors and managers of private investment funds, including hedge, private equity, private credit and venture capital funds, regarding formation, structuring and capital raising matters. He has extensive experience structuring onshore and offshore investment vehicles, such as special purpose vehicles, co-investment vehicles, separately managed accounts and funds-of-one. In addition, Nick frequently counsels registered and unregistered investment advisers on regulatory compliance matters.
Vinod Paul, Chief Operating Officer, Align
Vinod Paul brings over 20 years of in-depth financial services and technology experience to his role as Align’s Chief Operating Officer. Vinod’s responsibilities include the strategic development of Align’s Managed Services offerings, including oversight of Align Cybersecurity™, the company's comprehensive cybersecurity risk management solution. Over his 13 years as Managing Director, Vinod helped establish this firm as a premier Managed Service provider in the financial services space.
Mark Sangster, Vice President, Chief of Strategy, Adlumin
Mark Sangster, author of No Safe Harbor: The Inside Truth about Cybercrime and How to Protect Your Business, is a go-to subject matter expert for leading publications and media outlets, including The Wall Street Journal and Forbes, covering major data breach events. His experience unites a strong technical aptitude and an intuitive understanding of regulatory agencies, shifts risk trends and influences thought leaders.
Molly Yakubian, Managing Partner, Vector AIS
Molly is the Managing Partner of Vector AIS, a fund administration provider for closed-end investment funds. She has spent her career in the alternative investment industry, both as a consultant advising fund managers on regulatory compliance matters, and in business development roles working with managers to solve challenges related to compliance, technology, performance, ESG, cybersecurity and risk, and back office outsourcing.
Chris Zadrima, Managing Director, Align Managed Services
Chris brings over 16 years of experience architecting and leading successful Managed Service practices. He is a recognized leader in building customer management teams and a subject matter expert on leveraging cloud-based solutions to solve business and operational requirements. Chris oversees all aspects of Align’s Global Managed Services practice which encompasses Client Support, Cloud Architecture and Strategy, Project Management, the Network Operations Center and IT Service Desk.