On January 29, 2019, the SEC’s Boston Regional Office issued a deficiency letter to an SEC-registered investment adviser in connection with a routine examination. The following are the noteworthy findings:
- The Staff determined, based on the compliance program documentation and interviews with the CCO, that the CCO may not have a full understanding of the scope of his role and the requirements that are imposed on investment advisers. The Staff noted that the annual compliance review, the compliance manual and the cybersecurity plan were each insufficient. The CCO seemed to be more knowledgeable about operations than compliance. The CCO told the Staff that he does not like to pay for outside compliance or legal advice. The SEC stated that the adviser did not devote sufficient resources to ensure the firm is complying with the rules and regulations that apply to investment advisers.
- The Staff questioned the veracity of the annual review that was provided in response to the document request. The Staff also determined that the review was not rigorous and did not identify and address changes to the business and other needs that should be addressed by compliance. The Staff stated that the lack of a fulsome annual review and corresponding presentation of results to senior management at the adviser was not in keeping with Rule 206(4)-7.
- The Staff noted that the investment adviser provided the Staff with what appears to be a false and inaccurate document. The Staff cautioned the adviser and its personnel that they should be aware that such misrepresentations may constitute violations of Section 1001 of Title 18 of the United States Code, which is cited on Form 1661 and was provided to the adviser. The Staff further stated that to avoid possible penalties in the future, responses to Staff inquiries should be accurate and honest.
- The Staff cited the adopting release to Rule 206(4)-7 under the Advisers Act and stated that compliance policies and procedures should include establishing a business continuity plan. The Staff further stated that this requirement is attributed to an adviser’s fiduciary obligation to its clients, which includes taking steps to protect the client’s interest from risks resulting from loss or reduction of client information, such as from cyber-attack. The Staff specifically referred to the Division of Investment Management cybersecurity guidance to the industry in which it recommends a number of measures that advisers may wish to consider in addressing cybersecurity risk, to the extent they are applicable to the adviser, including the following:
  - Preventing, detecting, and monitoring data loss as it relates to client personally identifiable information and access to customer/customer accounts;
  - Protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events;
  - Conducting a periodic assessment of internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
  - Implementing a cybersecurity strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with such policies and procedures; and
  - Developing an incident response plan.
- The Staff cited the adopting release of Rule 206(4)-7 and stated that a firm must design policies and procedures to address significant risks to the business including trading practices, such as procedures by which the adviser satisfies its best execution obligation, uses client brokerage to obtain research and other services, and allocates aggregated trades among clients. The Staff reviewed the firm’s best execution and trade allocation policies, procedures, and practices and determined that the firm has not adequately addressed the conflict of interest risk in these areas.