TOP STORY—Proposed rules enhance regulation of private fund advisers and bolster cybersecurity risk management - 10 February 2022
Proposed rules on cybersecurity risk management and enhancing the regulation of private fund advisers were approved 3-1.
The SEC has proposed two sets of new rules under the Investment Advisers Act concerning the regulation of private fund advisers and cybersecurity risk management. The proposed new rules and regulations regulating private funds would, among other changes, require private fund advisers to provide quarterly statements detailing fund fees, expenses, and performance, and would prohibit certain types of preferential treatment towards investors. The second proposal would require registered investment advisers and investment companies to adopt and implement written cybersecurity policies and procedures addressing cybersecurity risks. Commissioner Peirce voted against both proposals (Private Fund Advisers; Documentation of Registered Investment Adviser Compliance Reviews, Release No. IA-5955, and Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, Release No. 33-11028, February 9, 2022).
Private funds. The Commission stated that it sees a need to enhance the regulation of private fund advisers based on a decade of experience overseeing these advisers and the sector's impact on many aspects of the financial system. The release notes that despite examination and enforcement efforts, private fund advisers have engaged in practices that caused funds to pay more in fees and expenses than they should have or that resulted in investors not being informed of conflicts of interest. To that end, enhanced and standardized information would help investors in making investment decisions and to compare private funds. Supporting the proposal, SEC Chair Gary Gensler noted that private funds and their advisers account for over $18 trillion in gross assets and that the proposal would promote more efficiency, competition, and transparency in this marketplace.
First, the proposal would require registered private fund advisers to issue a quarterly statement providing investors with details of fees and expenses paid by the fund and compensation paid to the adviser. On the private fund level, the proposal would require disclosure in a table format of adviser compensation; fund fees and expenses; and offsets, rebates, and waivers. On the portfolio level, advisers would be required to disclose all portfolio investment compensation allocated or paid by each covered portfolio investment during the reporting period and the private fund's ownership percentage of those covered portfolio investments; the proposed rule defines "portfolio investment" as any entity or issuer in which the private fund has invested directly or indirectly. In addition, the quarterly statements would include standardized fund performance information in each quarterly statement based on whether the funds are liquid or illiquid, as defined by a proposed new rule. The statements are to be distributed within 45 days after the calendar quarter end.
Next, the proposal would require that private fund advisers obtain an annual audit of the financial statements of the private funds they manage. The audits must be performed by an independent public accountant and meet the definition of audit in Regulation S-X. The financial statement must be prepared in accordance with GAAP and would be distributed to investors "promptly" after completion of the audit. The proposal would also require a registered private fund adviser to obtain a fairness opinion in connection with an adviser-led secondary transaction. This requirement, the Commission says, would provide a check against conflicts of interest.
Advisers will also be prohibited from engaging in certain activities and practices. All private fund advisers would be barred from providing preferential terms to certain investors regarding redemptions from the fund or information about portfolio holdings or exposures. Advisers would also be prohibited from any other undisclosed preferential treatments; "preferential" would depend on the facts and circumstances, the release says, and investors can make their own assessment. The proposal includes additional prohibitions against certain sales practices, conflicts of interest, and compensation schemes, including charging fees associated with an examination or investigation and seeking reimbursement for or limitation of liabilities for adviser misconduct.
Pierce opposes. Commissioner Peirce declined to support the proposal, calling it a "sea change." According to Peirce, "well-heeled, well-represented investors are able to fend for themselves, and our resources are better spent on retail investor protection." The Commission has historically treated accredited investors as being more capable of accessing information about an issuer and investment and bearing the risk of a loss. She added that the Commission may have to redeploy resources from retail investor protection to "the apparently pressing need of protecting millionaire investors from private fund advisers." Peirce also cautioned that the proposal could hinder capital formation by erasing any distinction afforded by the exemption from registration.
Cybersecurity risk management. The Commission also proposed new cybersecurity risk management rules and amendments designed to enhance preparedness against cybersecurity threats and attacks. The proposed rules would require cybersecurity policies and procedures designed to address cybersecurity risks. Advisers would also be required to report significant cybersecurity incidents to the Commission on a new confidential form. There are currently no Commission rules that specifically require firms to adopt and implement comprehensive cybersecurity programs. Voting in support of the rule Chair Gensler and Commissioners Crenshaw and Lee noted the evolving risk landscape and the increase in the number and sophistication of data compromises.
The proposal includes cybersecurity risk management rules (new Rules 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act) requiring advisers and funds to adopt and implement policies and procedures that are reasonably designed to address cybersecurity risks. The proposed rules enumerate certain general elements that must be addressed, including risk assessments, user security and access, information protection, threat and vulnerability management, and incident response and recovery. The policies and procedures will be required to be reviewed annually, and the review would be accompanied by a written report.
Under new Adviser Act Rule 204-6, significant cybersecurity incidents affecting the adviser or its fund or private fund clients would be required to be reported to the Commission on new Form ADV-C. The electronic filing must be made no later than 48 hours after a significant incident. In addition, proposed amendments to a number of forms would require the disclosure of cybersecurity risks and incidents. Advisers would disclose risks and incidents on Part 2A of Form ADV, and amendments to several forms would require funds to provide cybersecurity-related disclosures in their registration statements. The proposal also amends books and records rules of the Advisers Act and the Investment Company Act to require the keeping of records related to the proposed cybersecurity risk management rules and the occurrence of cybersecurity incidents.
© 2021 CCH Incorporated and its affiliates and licensors. All rights reserved.