The SEC’s Office of Compliance Inspections and Examinations (OCIE) issued its 2016 Examination Priorities last week. They fall under the same three themes as last year: protecting retail investors, market-wide risks and data analytics.
While the announcement covered many examination focus areas that have already been well communicated, funds should pay close attention. Whether the details are old or new, these letters provide key insight into what the regulator is looking for, and a roadmap to what you need to prioritize.
It should come as no surprise, then, that hedge fund cybersecurity continues to top the list when it comes to assessing market risks. Here’s a closer look at this, and a few of the other 2016 priorities…
The 2016 priorities reinforce the SEC’s continued focus on the Cybersecurity Initiative as detailed in its September 2015 Risk Alert. Specifically, it states that this year ‘we will advance these efforts, which will include testing and assessments of firms’ implementation of procedures’.
The September 2015 Risk Alert highlighted the six key focus areas for cybersecurity examinations as governance and risk assessment, access rights and controls, vendor management, data loss prevention, training, and incident response.
Where previous guidance had largely focused on the implementation of cybersecurity policies, this initiative will interrogate your ability to proactively monitor and record the ongoing effectiveness of those implementations.
It’s not just a priority for the SEC, either. Finra (the Financial Industry Regulatory Authority) places similar weight on the cybersecurity issue in its own 2016 Regulatory and Examination Priorities Letter, which was published at the beginning of the year.
In it, Finra states that it will review firms’ approaches to cybersecurity risk management, and cites governance, risk assessment, technical controls, incident response, vendor management, data loss prevention and staff training as the areas of focus.
Finra also notes the importance of the integrity and availability of sensitive information, including ‘compliance with SEC Regulation S-P and Securities Exchange Act (SEA) Rule 17a-4(f), the latter of which requires electronically stored records to be preserved in a non-rewriteable, non-erasable format’.
There can be no question that cybersecurity requires ongoing attention. Cybersecurity compliance is not something that funds can wish away, any more than the SEC, FINRA or any other regulatory body can reduce the rising scale of cyberthreats. The key is to be prepared: prepared for the examinations coming your way, and committed to continually enhancing the cyber-resilience of your firm.
Regulation Systems Compliance and Integrity
Another of the market-risk priorities, which by virtue of its inclusion the OCIE believes could present heightened risk to investors and/or the integrity of capital markets this year, is Regulation Systems Compliance and Integrity (SCI).
Here, the OCIE will examine SCI entities for written policies and procedures (checking that they are both maintained and enforced) and for their efficiency in ensuring the capacity, integrity, resiliency, availability, and security of systems. The list in the OCIE letter is not exhaustive, but the letter states that this will include:
- The resiliency of primary and back-up data centers.
- Whether computing infrastructure components are geographically diverse.
- Whether security operations are tailored to the risks each entity faces.
Lucky enough not to be examined as yet? Well, the systematic approach to examining the industry at large continues, as detailed in the ‘Other Initiatives’ section.
Under Never-Before-Examined Investment Advisers and Investment Companies, the OCIE reiterates that it will continue its focused, risk-based examinations of selected registered firms and advisers and investment company complexes that it has not yet examined.
According to the 2015 Alternative Fund Managers compliance survey results, 45% of participating funds had undergone an SEC examination. There is no doubt that the odds of being subject to an SEC examination are on the rise, and firms shouldn’t leave anything to chance. Every fund should be prepared, note this latest regulatory focus and continue to update compliance programs accordingly.
The exam priorities listed above, and many more in the SEC announcement, are the continuation of key focus areas. However, there were some new areas introduced this year, including liquidity controls, public pension advisers and product promotion. The announcement also states that the published priorities for 2016 are not exhaustive and may be adjusted in light of market conditions, industry developments and ongoing risk assessment activities. You can view the SEC announcement here in full.