Industry Experts Weigh In On 2023 SEC Examination Priorities

On February 7, 2023, the Securities and Exchange Commission’s Division of Examinations announced its 2023 examination priorities. The Division publishes its examination priorities annually to provide insights into its risk-based approach, including the areas it believes present potential risks to investors and the integrity of the U.S. capital markets. (To view the Press Official Press Release from the U.S. Securities and Exchange Commission please see here: https://www.sec.gov/news/press-release/2023-24 )

Deeply imbedded in the Alternative Investment community, Align Managed Services alongside leading industry experts, share their initial thoughts on the SEC’s priorities for 2023.

Align Experts & Industry Experts Weigh In: 

Gary Berger, Partner and Financial Services Industry Leader, Northeast, CohnReznick

"The 2023 examination priorities released by the SEC’s Division of Examinations reflect the regulatory agencies’ continued interest in encouraging fund managers to increase transparency to all stakeholders. Fund managers that have built a solid infrastructure and comprehensive policies and procedures and work with experienced service providers shouldn’t take issue with the 2023 examination priorities. We anticipate a continued increase in private fund examinations and are working with our clients to get them ready."

Vincent Calcagno, Executive Managing Director, Fund Solutions, E78 Partners

 "I really do think that the SEC does a great job throughout the year providing GP’s and their executive teams with salient information regarding their investment management businesses. From transparency reports regarding enforcement results, detailed risk alerts, to this week’s announcement of 2023’s exam priorities. Based on our decade plus of partnering with private fund managers, at E78 Partners (formerly Agile Fund Solutions) we are able to help GP’s move from viewing exam priorities with a regulatory compliance lens to a valuable operational best practice focus. For instance, this year’s continued focus on Information Security and Operational Resiliency – from our perspective, there’s not a single operational due diligence meeting we’ve been a part of that those areas aren’t top of mind for institutional investors allocating capital to private funds.  

If you haven’t built your business or complimented it with the right partners to address these areas you simply will not be successful in scaling and thriving as an investment manager."

Todd Cipperman, Managing Principal, Cipperman Analytics 

“It’s great that the Division of Examinations offers up these priorities every year. It serves as a guide for firms and their compliance officers. The question I always have is what comes off the list? It seems the SEC just adds additional items without ever editing what came in the past, thereby forever expanding regulatory oversight and compliance."

Ed Fasano, Co-Founder, Head of Pre-Launch and Treasury Consulting Services, EAC LLC

“EAC continues to adapt to the day to day changes in the complex world of the asset servicing industry. Viewing this year’s SEC press release on the exam focuses of 2023, it is clear that there will be a focus on third party products and services. Here at EAC we have trusted Align with our internal IT and cybersecurity needs and additionally trust them with our clients IT infrastructure. As the outsourced market continues to expand, I expect that the scrutiny will only increase, as managers continue to outsource functions of their business. It is important for all market providers to focus on the internal and external security and integrity of their in-house processes and controls, to satisfy the SEC’s guidance in these areas.”

Dan Lyons, Managing Director, Business Development, Align Managed Services

"Emerging managers have prioritized practices to prevent interruptions to mission-critical services and to protect investor information, records, and assets with foundational technology controls. As I work with clients to implement the best operational systems for their organization its always based on the root of having the best cybersecurity controls. With this, we focus heavily on exceeding investor demands and satisfying the SEC’s priorities when it comes to Information Security and Operation Resiliency. Align's client leverage our focused solutions to implement the best systems/controls that range from access rights, data loss prevention, mobile device management through to the individual employees with cybersecurity training and phishing."

James Mignacca, CEO, Cavelo

"The SEC's 2023 examination priorities underpin the importance of firms and RIAs understanding the digital assets they have, and what sensitive data those assets contain. Broad technology adoption and shared systems mean that sensitive data lives everywhere; compliance requirements aside, firms have an obligation to institute appropriate controls to protect sensitive data from breach risk. The reality is that a firm's attack surface constantly changes. It extends beyond its organization and includes its third-party vendors, contractors and partners. Having real-time visibility to all digital assets and sensitive data across the organization helps firms properly map their attack surface and appropriately gauge and prioritize risk… which ultimately supports examination success."

Nick Miller, Partner, Seward & Kissel, LLP

"The SEC’s annual Examination Priorities memorandum is required reading for all RIAs and their service providers. Given the scale of our investment management practice (and the number of our clients that are under examination at any given time), we are rarely surprised at the content of the memorandum, but it neatly frames and reinforces what we are seeing on the ground. My key takeaway from the 2023 memorandum is that the Division of Examinations plans to continue to aggressively police compliance with the new marketing rule, including whether RIAs have adopted and implemented updated policies and procedures that address the new rule’s numerous requirements. Although certain areas of the new rule are crystal clear, there are a significant number of very difficult interpretive issues, and many RIAs are struggling with real-world implementation. My expectation is that the first wave of marketing rule enforcement actions will focus on situations in which enforcement staff can point to clear violations of the new rule (the “low hanging fruit”), and so it is critical for RIAs to have updated written policies and procedures and to have scrubbed their marketing materials and solicitation agreements before the SEC shows up at the door. Beyond compliance with the new marketing rule, the Division of Examination will also continue to scrutinize private fund RIAs and their practices related to conflicts of interest and the allocation of fees and expenses, among other items. 

I also expect to see enforcement actions in 2023 related to RIAs’ electronic communication retention and monitoring practices, following recent “sweep” examinations of large RIAs. The SEC charged a number of large broker-dealers with violations related to “off-channel communications” in the Fall of 2022, and in my opinion, it is only a matter of time before RIAs face similar charges. Given the practical difficulty of supervising and eliminating off-channel communications, the key for RIAs is to take reasonable preemptive steps that demonstrate best efforts at compliance. However, as with most items in this area, the effectiveness of this approach depends in large part on taking action before you are under examination."

Vinod Paul, Chief Operating Officer, Align Managed Services

"The spotlight from the SEC on Information Security and Operational Resiliency echoes the same underlying priorities of our Registered Investment Advisor clients. This magnifying glass from the Regulators (SEC) has also been clearly prioritized by the sophisticated investors community who understand that fund managers need equally strong pillars of technology, policies, procedures, cybersecurity controls and oversight guided by trusted experts. These pillars are assessed during the typical Operational Due Diligence (O.D.D.) process across technology and cybersecurity. We continue to help our clients with successful Operational Due Diligence by implementing controls with the understanding that a successful strategy for RIA’s is to incorporate Information Security and Operational Resiliency controls from inception and build upon these controls as the organization matures."

 Mark Sangster, Vice President, Chief of Strategy, Adlumin

"Following on the heels of the 2022 proposed updates to their cybersecurity rules, the SEC continues to signal its prioritization of cyber risk in its 2023 examinations. With the focus, examinations will target the use of third-party vendors, access of those external parties to non-public and protected information, and the unauthorized use of external vendors.

It's no surprise the SEC is spotlighting third-party vendors within the financial and investment communities. Funds routinely deploy cloud-based services including data management and SaaS applications, moving both residency and access to non-public client information to the cloud, where physical residency can vary greatly and globally. It adds another dimension in terms of risks from misconfigurations or unauthorized access to client data. The last few years have demonstrated that cybercriminals are adept at targeting critical vendors, embedding malicious code in cloud applications, and hijacking senior administrative vendor credentials to access sensitive data at the source.

Adlumin has a longstanding relationship with financial sectors and secures of 300 billion in assets under management. We are a key partner that not only secures their on-premises systems and data, but those in the cloud and remote devices and small offices. We have invested heavily in machine learning to hyper scrutinize activity to identify early-stage anomalies that signal the precipitation of a cyberattack across accounts, devices, and cloud services. What's more, our Security Operations Platform provides real-time compliance insights highlighting shortcomings, on-shelf regulatory reports that support attestations, and critical forensics and evidence that demonstrates their ability to identify unauthorized activity, stop it before it damages the fund, and prove to regulators that they are more than meeting their compliance standards. At Adlumin, we understand the risks to financial funds. We not only empower their security operations, we stand by and support them through regulatory examinations."

Molly Yakubian, Managing Partner, Vector AIS

"For RIAs managing private funds, the SEC’s tried-and-true focus on fee and expense allocation, the robust requirements concerning performance calculations and disclosures contained in the new marketing rule, and evolving regulations concerning treatment of crypto and digital assets are among the focus areas that we are zeroing in on with clients. Notably, the new marketing rule has required managers to invest in new systems and processes to ensure they have the necessary data to provide the required disclosures. The additional information can also be complex and difficult to communicate to investors in a clear and concise manner, which may require significant effort to ensure compliance with the new rule. These challenges highlight the importance of fund managers working closely with strong fund administration, legal, and compliance professionals to ensure that their marketing practices are in line with the new requirements. These focus areas, coupled with the upcoming sweeping Private Funds rule, necessitate having a strong fund administration partner that understands the nuances of the regulatory environment and has the expertise to adapt."

Chris Zadrima, Managing Director, Align Managed Services

"From a technology perspective, it is entirely evident when reading the SEC’s 2023 Examination Priorities that foundational technology controls along with their corresponding written policies and procedures will continue to be a fundamental requirement for Registered Investment Advisors (RIAs). Leveraging the right technology platform and partner provides the basic framework for success to help navigate the ever-changing technology landscape both for RIAs and their third-party providers. 

The key for RIAs is finding the intersection point between an efficient and modern technology experience for their users and the compliance and security requirements placed upon them by investors and the SEC. In addition to the SEC’s continued prioritization of policies, procedures and governance of these technical controls, the SEC will increase their focus on cybersecurity technology and controls. More importantly the ability to respond to a cyber-related incident according to those controls and policies is paramount. Foundational technology controls along with the right cyber security measures should be the standard operating procedure.

As one of the architects of the Align IT Suite, a fundamental principal for Align Managed Services is to deliver a technology platform that has cross functional utility, enabling Registered Investment Advisors to meet fundamental informational security/operational resiliency requirements while empowering them to work efficiently and securely across their ecosystem along with their third-party providers."

About the Contributors: