2022 NSCP National Conference

Date: October 17-19

Location: Baltimore, Maryland

CSS will be exhibiting at the 2022 NSCP National Conference on October 17-19 in Baltimore, Maryland. The only conference that’s “For Compliance, By Compliance,” the NSCP National Conference offers the opportunity to connect and focus on the practical solutions that empower you and your compliance program.

Key Takeaways on the SEC’s Draft Strategic Plan for 2022 – 2026¹

By Jacqueline Hallihan, Co-Executive Director
Compliance Services, Part of Confluence

The Securities and Exchange Commission (SEC) is seeking public comment on its draft Strategic Plan for fiscal years 2022 to 2026, noting the SEC oversees 38% of the capital markets worldwide, representing more than $100 trillion. 

The draft Strategic Plan focuses on three strategic goals to advance the SEC’s mission over four years:

Three Strategic Goals:

  1. Protect working families against fraud, manipulation, and misconduct. 
  2. Develop and implement a robust regulatory framework that keeps pace with evolving markets, business models, and technologies. 
  3. Support a skilled workforce that is diverse, equitable, and inclusive and is fully equipped to advance agency objectives.

Key Takeaways:

SEC’s Goal 1: Protect working families against fraud, manipulation, and misconduct

In pursuit of this goal, the SEC has identified three objectives: 1) Pursue enforcement and examination initiatives focused on identifying and addressing risks and misconduct that affect individual investors; 2) Enhance the use of market and industry data, particularly to prevent, detect, and enforce against improper behavior; and 3) Modernize the design, delivery, and content of disclosures so investors, particularly retail investors, can access consistent, comparable, and material information to make informed investment decisions.

Key Takeaways related to Goal 1:

In summary, Objective 1 emphasizes the SEC’s intent to “pursue enforcement and exam initiatives and pursue misconduct” wherever it finds it, “including responsible individuals.” The Plan pinpoints an exam focus on cyber and private fund conflicts of interest, stating, “The SEC’s examinations program will continue to focus on uncovering key risks and violations that could impact individual investors, from cybersecurity to private fund adviser conflicts of interest.” In other words, the EXAMS program will keep its focus on uncovering key risks and violations.

Regarding risk, the SEC is taking a proactive approach to better identify, analyze and respond to market developments and risk.

Objective 2 centers on capabilities to manage and analyze data. They intend to develop and implement faster and more comprehensive methods to allow the Enforcement and Examinations Divisions to leverage data. They also focus on employing timely “cutting-edge data analysis” to manage data as a strategic asset. This objective can be achieved, the Plan indicates, “…by expanding disclosure and analytical tools, broadening the use of machine learning and artificial intelligence, and developing long-term risk analysis directly connected to policy development,” focusing on strategic and collaborative analysis. Additionally, they will expand the use of economic, risk, and data analyses to set priorities and focus resources.

Objective 3, “Modernizing Design, Delivery and Content of Disclosures,” reflects the need to update the disclosure framework. An example includes investors seeking information about issuers’ climate risks, cybersecurity hygiene policies, and their most important asset: their people. The SEC needs to continue to update the disclosure framework to address these areas of investor demand and modernize the supporting systems.

SEC’s Goal 2: Develop and implement a robust regulatory framework that keeps pace with evolving markets, business models, and technologies

Key Takeaways related to Goal 2:

In summary, the three objectives for Goal 2 center around more transparency, modified rules, and enhanced disclosure in private or unregulated markets; coordination with fellow and foreign regulators; and supervising global entities appropriately with consistent data protection policies.  

Crypto comes up twice in the Plan as a focused risk in the context of evolutionary risks, stating the SEC must pursue new authorities from Congress where needed, continue to collaborate with other regulators effectively, and engage more proactively on digitization initiatives. Cyber threats are also identified as an example of evolutionary risk, as are the pandemic and the rapid growth in crypto assets.

The SEC intends to enhance investor education through proactive outreach, roundtables, field hearings, and focus on emerging and popular investment topics including crypto assets, derivatives, and fixed income.

The SEC’s premise is that “the ongoing movement of assets into private or unregulated markets, the continual creation of new financial instruments and technologies, and the challenges of increased globalization all require the agency to update and evolve rapidly.” The SEC’s strategic goals to tackle these challenges are to:

  • Enhance transparency in private markets and modify rules to ensure that core regulatory principles apply in all appropriate contexts.
  • Develop specific regulations to ensure investors remain informed and protected via a broad-based disclosure framework.   
  • Continue to focus on supervising global entities appropriately, noting the challenge of protecting sensitive information when coordinating with other regulators. This Goal states consistent data protection policies are essential for this effort.

Cybersecurity threats are examples of how technology has introduced new or amplified existing risks. The Plan highlights that cybersecurity threats to the complex system that helps the markets function are “growing in scale and sophistication,” as well as the need for continued coordination with fellow regulators, including foreign regulators.

“Evolutionary risks” such as rapid growth in crypto assets, external events such as the pandemic, and the evolution of markets without the subsequent strengthening of agency authorities, are all identified as representing systemic and infrastructure risks. The SEC’s Plan states, “… it must pursue new authorities from Congress where needed, continue to collaborate with other regulators effectively, and engage more proactively on digitization initiatives, to be better prepared for, and more agile in, its response to such risks in the future.” 

The SEC intends to continue to focus on investor education and outreach as well as on emerging and popular investment topics, reflecting input that includes proactive outreach, roundtables, and field hearings. The SEC must also enhance its expertise and resources beyond equities, citing crypto assets, derivatives and fixed income, and maintain an agile approach.

SEC’s Goal 3: Support a skilled workforce that is diverse, equitable, and inclusive and is fully equipped to advance agency objectives

Key Takeaways related to Goal 3: 

The Plan emphasizes it must continue to innovate and improve technology and processes consistently while supporting its people and positioning them to fulfill its critical mission. The three objectives focus on the workforce, promoting collaboration, and maximizing telework opportunities while maintaining collaboration and culture-building with in-office presence. 

One of the most important areas identified is a focus on data and information security, optimizing controls on systems and data based on risk. This goal also means managing the risks associated with the SEC’s vendors and supply chains. 

The third objective is to modernize technology in a cost-effective, secure, and resilient manner. The objective states, “The SEC is moving aggressively to the cloud, remaking its technology environment to optimize capabilities, costs, resilience, and security for the agency as a whole.” The objective also highlights the need to continue to invest in modernizing key systems and “innovate with new technologies such as machine learning.”

How The Strategic Plan Impacts Investment Advisers and Regulated Firms:

Mapping the SEC’s strategic vision and objectives, albeit a draft, and the impacts on regulated firms, gives a line of sight for what to expect. Foremost, the SEC has been leading the industry using data analytics and identifying emerging market events and risks. Their strategic focus over the next several years to use AI and machine learning and enhance its data analytics signals the industry to do likewise with their compliance programs. As has often been stated, compliance programs are fluid and constantly evolving. Using technology and analytics to assist in that process is no longer a “nice to have” but a “must have.”

Contact us to learn how CSS Compliance Services, part of Confluence, can help you with use of technology and analytics to strengthen your Compliance Program, conduct risk assessments, RIA annual reviews, or performance analytics and regulatory compliance reporting.

¹ Source: https://www.sec.gov/files/sec_strategic_plan_fy22-fy26_draft.pdf, August 24, 2022

Subscribe today and receive our latest industry updates and articles.

The European Commission’s recent report on its consultation on ESG data/ratings providers points out the following:

  • More than 80% of industry respondents (ESG ratings providers, users, and companies rated) favor EU regulatory intervention in their industry
  • They strongly support multiple different regulatory goals, including improving transparency on the methodologies used by ESG ratings providers (90%+), avoiding potential conflicts of interest (80%), and improving ESG ratings reliability and comparability (73%)
  • A strong majority (82%) favor a registration/authorization regime for ESG ratings providers
  • Almost all (97%) support disclosure requirements for ESG ratings providers about their methodologies, with most favoring the use of standardized templates

The Commission expects to adopt an initiative in Q1 of 2023, according to its timeline.

The State of ESG Regulatory Reporting – and What it Means for Market Participants and Investors

Regulatory frameworks are quickly emerging to standardize the reporting and disclosure of ESG metrics across as many as 140 jurisdictions around the world. The EU’s action plan for sustainable finance is leading the way with sectoral requirements starting this year, and Sustainable Finance Disclosure Regulation (SFDR) Level 2 rules kicking off on January 1, 2023.

Where do the ESG regulatory reporting regimes stand today? And what impacts will they have for market participants and investors?

THE MAJOR IMPACTS OF THE EU’S SFDR EXPANSION

The EU’s comprehensive sustainable finance plans aim to provide a common definition of sustainable activity, mandate companies to integrate sustainability and risks in their management and disclose their impact in the market environment. Its goals are to:

  • Provide greater transparency on ESG investment products
  • Use a taxonomy to set a common definition of sustainable activity
  • Set market standards for financial products including green bonds, benchmarks and eco labels

The EU’s aggressive timeline, which began in early 2021, stretches over the next several years.

Starting January 1, 2023, requirements will expand to require adherence to technical reporting standards, for pre-contractual and periodic disclosures at product level, as well as website disclosures at both entity and product level. Starting in June 2023, website disclosures at the entity level, addressing principal adverse impacts, must consider the first reference period (the calendar year 2022).

In addition, under the Taxonomy Regulation, beginning on January 1, 2023, non-financial firms must address key performance indicators for alignment with the Taxonomy Regulation.

A key challenge is the discrepancy in the timing of disclosure requirements: financial firms are being required to report ESG information that relies on data from corporates — who themselves are not required to disclose that data until later dates.

THE FUTURE OF ESG IN THE UK AND THE US

In the UK, similar disclosure and reporting regulations are developing, with the UK already having fully embraced the FSB’s Task Force on Climate-Related Financial Disclosures (TCFD) recommendations released in 2017 for the pension fund industry. By the end of 2021, TCFD supporters spanned 89 countries and jurisdictions with a combined market capitalization of over $25 trillion — a 99% increase over 2020, according to the FSB.

Structured around four thematic areas representing core elements of how companies operate (governance, strategy, risk management, and metrics and targets), plus 11 other interrelated and supporting disclosures, TCFD builds out an information framework to help investors assess climate-related risks and opportunities.

The US has also issued climate-related disclosure requirements for both financial firms and issuers. Based on global frameworks such as the TCFD recommendations and the GHG Protocol, the SEC-authored rules are scheduled to be implemented in stages beginning in 2023 and require specific climate-related data to be provided in registration statements, periodic reports, fund prospectuses and other filings.

THE PATH TO MORE ESG DATA – AND TRANSPARENCY

Government policymakers and the private sector appear to be more aligned in the EU and the UK than in the US, where the SEC’s proposal could face more skepticism. Yet regardless of the maturity level of regulations in each region, they represent positive developments: harmonizing climate-related disclosures, enhancing investor transparency through key performance indicators (KPIs), and consolidation of different standards for ESG ratings.

Over time, as more companies engage with ESG initiatives and participate in the reporting process, consistency and normalization of disclosures will improve. Sustainable action plans and regulatory reporting will generate more data to assist all parties with assessing companies’ performance and drive regulatory reporting. Investors will also benefit from more information on how well their sustainable preferences and requirements align with their investment portfolios.

Disclaimer: The information contained in this communication is for informational purposes only. Confluence/StatPro is not providing legal, financial, accounting, compliance or other similar services or advice through this communication. Recipients of this communication are responsible for understanding the regulatory and legal requirements applicable to their business.


New SEC Cybersecurity Rules Are Coming – The Time to Prepare is Now

Cyber risk for financial firms is about to get a lot more regulated. Announcing its most recent Regulatory Flex Agenda in June 2022, the U.S. Securities and Exchange Commission (SEC) revealed that it is moving quickly on its proposed Cybersecurity Risk Management Rules for investment advisers and funds, having scheduled the proposed rulemaking for a final vote by April 2023. In addition, the Office of Management and Budget website now shows that cybersecurity rules are currently in the final rule stage. 

Rules expected to stay the course

Adoption of the cybersecurity rules is likely a foregone conclusion, given that nearly every rule considered by the Commission under the watch of SEC Chair Gary Gensler has proceeded along party lines, passing with votes of 3-1. If past voting records hint at their respective regulatory inclinations, the four senior Commissioners will likely continue to support Gensler’s agenda 3-1. Moreover, the recent swearing-in of Jaime Lizarraga to fill the vacant fifth seat is unlikely to derail the course charted by Gensler. 

However, it is feasible that the Supreme Court’s recent decision in West Virginia v. EPA could open the door for any government agency regulations with a substantial economic impact to be challenged in court, but that remains to be seen. 

Cybersecurity requirements for RIAs and funds

With the Cybersecurity Risk Management Rules heading towards the finish line, there will certainly be significant impacts on registered investment advisers (RIAs) and funds. The new rules, specifically rule 206(4)-9 under the Advisers Act and rule 38a-2 under the Investment Company Act, are designed to enhance cybersecurity practices among advisers and funds, and to increase the effectiveness of cybersecurity-related disclosures to clients and investors. 

Under the proposed rules, advisers and funds would be required to:

  1. Adopt and implement a written cybersecurity risk management program that includes conducting periodic risk assessments and maintaining cyber risk inventories, evaluating user security and access, assessing information protection, managing threats and vulnerabilities, and addressing incident response and recovery. For funds, the rules will require the board of directors (including a majority of independent directors) to approve the Information Security Policy.
  2. Conduct a formal annual cyber review, similar to the annual compliance program review. This review will need to assess the design and effectiveness of cybersecurity policies and procedures and document them in a written report. The report should note, among other things, the review process, types of cyber testing conducted, results of such cyber testing, any cyber incidents occurring since the last review, and any material changes to policies and procedures. The rules would require this annual cyber report to be overseen by individuals who administer the firm’s cybersecurity policies and procedures. The SEC acknowledges that some firms do not have this expertise in-house and will need to outsource this review and report, but also encourages adviser/fund personnel to participate in the review. In addition, for funds, the rules will require the firm’s board of directors (including a majority of independent directors) to review the annual cyber review report.
  3. Disclose cybersecurity risks publicly on regulatory disclosure forms. For investment advisers, this disclosure should be added to Form ADV. The Form ADV Part 2A Brochure would include a new Item 20 (“Cybersecurity Risks and Incidents”). For funds, these risks should be reported on Forms N-1A, N-2, N-3, N-4, N-6, N-8B-2, and S-6.

     All advisers would need to describe (1) cyber risks that could materially affect the adviser’s services and how the firm assesses, prioritizes, and addresses these cybersecurity risks, and (2) a description of any cyber incident that has occurred within the last two fiscal years that has “significantly disrupted or degraded” the firm’s critical operations, or has led to the unauthorized access or use of adviser information, resulting in substantial harm to the firm or its clients. In addition, specific information describing each incident would be required, including entities affected, dates, whether the incident is resolved or ongoing, whether data was stolen, altered, accessed, or used in an unauthorized manner, the effect of the incident on the firm’s operations, and whether the firm or any service provider has remediated the issue.

     Changes to Rule 204-3 under the Advisers Act would also require ADV brochures to be delivered to clients promptly after an ADV amendment which adds or updates disclosure of an incident in Form ADV Part 2A Item 9 or Item 20.B or Form ADV Part 2B Item 3. Therefore, firms should be prepared to deliver an amended Form ADV to clients as part of their incident response.
  4. Maintain books and records under the new Advisers Act Rule 204-2(a)(17)(iv) through (vii), which includes copies of Form ADV-C disclosing cyber incidents, records documenting the occurrence of cyber incidents, and response and recovery steps taken within the prior five years, and records of all cyber risk assessments and testing conducted.

What cyber rule critics and supporters are saying

The comment period for the proposed rules has closed. While the public comments received to date are split for and against the new rules, it is worth noting that even the strongest criticisms – namely, those from the Investment Adviser Association (IAA) and the Investment Company Institute (ICI) – still support the rulemaking but take issue with the specific details.

The comments against the rule fall into the following main buckets:

  1. That the rule should not be grounded in the anti-fraud prohibitions of the Advisers Act, under the logic that advisers who experience a cyber breach are usually victims of the fraud and are not those who cause the fraud.
  2. That the cyber rules are very specific or prescriptive instead of principles-based, similar to the typical rules we see, and that existing rules already cover an obligation to address cyber risk. However, as the SEC noted in its cybersecurity risk alerts over the past several years, firms still have a long way to go in getting their cybersecurity programs up to speed, with numerous deficient and inadequate practices noted. Moreover, with FINRA, the Department of Labor, and several states already mandating specific cyber provisions, the SEC is increasingly in the minority of agencies without specific cyber rules.
  3. That the requirement that any contract with a service provider has to include specific language (whereby the service provider agrees to implement and maintain appropriate measures for cybersecurity) is too onerous, and therefore some service providers won’t sign those.
  4. That the cyber annual review should be part of the existing 206(4)-7 compliance annual review rather than its separate review and report.
  5. That the 48-hour incident reporting deadline is too short and should be 72 hours instead, similar to the reporting deadline under GDPR, because 48 hours isn’t enough time to fully figure out what happened. These commenters also suggest that firms should spend their initial 48 hours on containment and getting back to managing portfolios rather than filling out forms to help the SEC identify patterns and trends.

Commenters who support the rule:

  1. Want an exemption for smaller advisers. However, they disagree on whether “small” means five employees or 50 or whether it means $100 million in AUM or a larger threshold. Other commenters argued for an exemption for advisers with little to no personally identifiable information about individuals (e.g., pension consultants and institutional advisers).
  2. Want the ability of fund boards to rely on cyber assessments conducted by third parties.
  3. Are primarily from the general investing public and individual investors who want higher fines and more penalties when their data is compromised due to their financial institution getting hacked. 

Mitigating cyber risk is good business

Cyber risk is business risk. Even in the absence of a regulatory requirement, investment advisers and funds have fiduciary duties that support protecting client and investor information. Advisers and funds are also significant targets for malicious actors, and they face substantial reputational risk by not implementing comprehensive information security policies, procedures, and controls or by not conducting regular cyber risk assessments, testing, and training.

Confluence’s cybersecurity services and solutions are designed to help firms address their cyber risks and the impending regulatory requirements under the new Cybersecurity Risk Management Rules. Firms should begin planning now to get their cyber ducks in a row. 

To learn more about how our solutions can help lower your cyber risk, please contact us at cybersecurity@cssregtech.com.


Key ESG Strategy Considerations

ESG investing is at the forefront of the industry and with ESG-related regulations coming soon, having a streamlined ESG strategy in place is key for building and retaining competitive advantages. Demonstrable improvements in the breadth and depth of ESG information, tools and frameworks are evident throughout the investment management community. While a significant amount of work has been completed, there is still a long way to go.

Market participants can optimize efficiency and control across their investment lifecycles, from portfolio analytics to compliance and regulatory data solutions, including investment insights and research, to meet the evolving needs of asset managers, asset servers, and asset owners who are making ESG a valuable part of their investment process.

Download our ESG Disclosure Regulations eGuide today
