This article is sponsored by Blue River
With Gary Gensler now leading the Securities and Exchange Commission under a new, Democratic administration, many expect to face a tougher regulatory environment in the future. Carl Seiler, senior managing director in the legal and compliance group at Blue River Partners, and his colleague, Matt Shelton, managing director and head of cybersecurity, tell Private Funds CFO how the industry is responding to the SEC’s priorities.
Are examinations going to be more onerous under the new SEC?
Carl Seiler: We’re just beginning to experience examinations under the current administration and the leadership of chairman Gensler, and we have noted that the examinations are – or appear to be – slightly more comprehensive on average. The request lists are longer, and it’s a more traditional, full-scope and full-process examination. Whereas, over the last couple of years, we were seeing somewhat more targeted and risk-based, limited-scope examinations, at least in a good number of the examinations that we were participating in.
How is the industry responding, or going to respond, to the SEC’s recent ESG risk alert?
CS: I think there’s going to be a very serious response there. Part of what the SEC is identifying is the fact that there really aren’t clear, consistent, articulated standards with respect to ESG. It’s not like other types of frameworks where there’s a clear regulatory guidepost in the form of a statute or rules and regulations, and yet what they’re looking at is the accuracy and adequacy of disclosures, just as they would with any other investment strategy.
Disclosure is a key safeguard under the Advisers Act: full and fair disclosure and the avoidance of misleading content that could be construed as deceptive. What that means is the SEC will look at what firms represent to investors in terms of what they’re doing from an ESG perspective, and at the standards firms are using to judge their own adequacy with respect to ESG. Our guidance to our investment managers is: you need to think very critically about what you’ve represented. What are you doing, how standardized is it, how have you represented it? Are you consistently acting in accordance with those representations?
What else is on your compliance and regulatory watch list for 2021?
CS: If you look at the SEC’s published 2021 examination priorities, they’re looking at a lot of issues related to either market volatility or liquidity within the portfolio. So, they’re looking at any type of preferential treatment that investment managers may have given to certain investors, or LPs of private funds that experienced any type of liquidity issues. They’re looking very closely at valuations and fees charged on valuations.
They’re specifically also looking at disclosure and compliance with regulatory requirements with respect to cross trades and principal trades, where an advisor directs a transaction between two of its funds or client accounts, or between a fund and a fund principally owned by the advisor or its affiliates. So, where you have any type of liquidity issues or volatility in the market (as was the case, or potentially the case, at various times during the covid-19 pandemic), they will look for the risks and conflicts that such circumstances present.
Matthew Shelton: Cybersecurity also remains a very strong focus for us. The SEC listed in its 2021 exam priorities that the pandemic responses increased concerns about endpoint security and remote access. As a result, we look to push protection mechanisms down to the end-user computers that aren’t behind those expensive firewalls in the office anymore. There, we install protection mechanisms like Cisco Umbrella on their computers. These mechanisms look to verify that the site you’re connecting to hasn’t been compromised, and if it has, they don’t allow the connection to go through. Often they’re managed through a central console that also allows you to produce reports. It’s those types of agents that have been really helpful in extending the protections down to the computers themselves.
Third-party vendor management is also an SEC priority. We’re performing various specific cybersecurity due diligence on those critical third-party advisors to ensure that their security controls are acceptable.
The SEC is also looking to make sure managers properly verify identities. We’ve seen an increase in bad actors creating website domains with names similar to the firm’s domain, and they attempt to defraud an employee of the firm, the firm’s third-party vendors, or even the investors themselves. They do this in various ways. It could be setting up a fake website and investor login. It could be a fraudulent email that attempts to change payment or banking information. It could be a phone call purporting to be from an IT provider that wants to remotely access your system to clean reported malware that they’ve seen, when in reality they may intend to install malware. These are some of their attack strategies.
How can firms with multiple legacy systems ensure their cybersecurity protocols are up to snuff?
MS: The challenge with legacy systems is lifecycle management. It’s important to know when a system or application is nearing its end of life from a support and development standpoint, because what happens otherwise is that you reach a point where those systems may become exposed to newly found vulnerabilities. And if there’s no support or development team available to patch those vulnerabilities, then the firm gets exposed to more risk. This is one of the key advantages of cloud systems. Cloud providers are perpetually updating those systems over time, both for feature purposes as well as security.
What should firms in the middle of a transition to the cloud keep in mind from a cybersecurity perspective?
MS: The biggest issue is making sure you clean up on the back end. Some of the major breaches we’ve seen over the last few years have been through mergers and acquisitions, where systems have been migrated over, but the old system was never retired in such a way that the data was cleaned up. That data ended up being exposed and breached. So as you migrate to a new system or to the cloud providers, make sure that you’re retiring the old one in a safe way.
What other services does Blue River provide when it comes to IT and cybersecurity?
MS: One of the primary cybersecurity services we deliver is a gap assessment that tests against the cybersecurity guidance brought forward by the regulatory entities, whether it’s the SEC, the National Futures Association, FINRA or some other agency, and then we present recommendations to remediate any of the significant findings. We can do this as a one-time effort, or we can conduct ongoing programs where we perform quarterly testing of controls and act as your ongoing cybersecurity resource.
We can also build cyber policies and incident response procedures from scratch, or simply adjust existing policies so that they accurately reflect the firm’s regulatory requirements and operational practices. That’s certainly important in regulators’ eyes, as a criticism they’ve brought up in recent examinations has been that many firms’ policies are too boilerplate. So having something that really reflects their operating environment is important. Other services we offer include vulnerability and penetration testing, phishing tests, and cybersecurity awareness training. We can conduct cybersecurity due diligence for vendors or potential acquisitions to ensure their respective security controls are up to standards.