Registered Investment Advisers Prepare for 2023 Regulatory Changes

In 2023, Registered Investment Advisers (“RIAs”) registered with the Securities and Exchange Commission (“SEC”) must prepare for regulatory changes. This includes proposed changes to the rules governing RIA outsourcing and cybersecurity risk management. While some important proposed rules are not yet final, RIAs should consider preliminary steps to prepare for the new requirements.

1. SEC Proposed Rule on Outsourcing by Investment Advisers

On October 26, 2022, the SEC proposed new Rule 206(4)-11 and proposed amendments under the Investment Advisers Act of 1940 (the “Act”) that would establish oversight obligations for RIAs that outsource “covered functions” to third parties.

The proposed rule defines a “covered function” as a function: 2) that, if not performed or if performed negligently, could reasonably have a material adverse effect on the RIA’s clients or on the RIA’s ability to provide investment advisory services.

Determining whether an outsourced service provider performs covered functions will depend on specific facts and circumstances. A function may be a covered function for one RIA but not for another. Examples of functions that may be covered include client services, cybersecurity, compliance with investment guidelines/restrictions, portfolio accounting, pricing, reconciliation, regulatory compliance, trade communication and allocation, and valuation. The proposed rule excludes clerical, ministerial, and general office functions.

The second factor has a limiting effect: the RIA needs to evaluate functions in terms of whether they could reasonably be expected to have a material adverse effect on clients or on the performance of advisory services, including material financial loss to a client and material disruption of the RIA’s operations.

Before outsourcing covered functions, the RIA should identify the nature and extent of the covered functions, evaluate how to mitigate and manage potential risks, determine whether the service provider has the appropriate capabilities and resources, and assess the risks associated with subcontracting. The RIA should also obtain reasonable assurances that the provider will arrange to comply with federal securities laws and that the provider will have an orderly termination process for the covered functions.

In addition, the proposed rule would require RIAs to keep certain records regarding due diligence assessments and oversight during the contract term and for five years thereafter. The SEC is also proposing to add new reporting items to Item 7 of Form ADV Part 1A, which would require the RIA to provide information about third parties performing covered functions. If the RIA outsources records management to a third party, the RIA must make those records accessible to the RIA and the SEC and protect the records from loss, alteration or destruction. RIAs may also need to periodically review their due diligence regarding third parties that perform covered functions.

2. SEC Proposed Rule on Cybersecurity Risk Management

In October 2022, the SEC passed proposed new Rule 206(4)-9 under the Act and new Rule 38a-9 under the Investment Company Act of 1940 to require RIAs to implement and adopt written policies and procedures for cybersecurity risks. The comment period for 2 has also resumed.

The RIA’s cybersecurity policies and procedures should provide for regularly assessing, categorizing, prioritizing, and documenting cybersecurity risks; implementing controls designed to minimize user-related risks and prevent unauthorized access to information and systems; monitoring information systems and protecting information from unauthorized access or use; detecting, mitigating, and remediating cybersecurity threats and vulnerabilities; and detecting, responding to, and recovering from cybersecurity incidents. RIAs must review their cybersecurity policies and procedures at least annually.

The RIA must also maintain certain documents for five years, including copies of all cybersecurity policies and procedures, reports documenting the annual review of those policies and procedures, Form ADV-C (described below), records documenting cybersecurity incidents, and records documenting the RIA’s cybersecurity risk assessment.

RIAs are required to report significant cybersecurity incidents to the SEC, including on behalf of clients that are registered investment firms or private funds, by filing the proposed Form ADV-C within 48 hours. A significant cybersecurity incident is an incident that materially disrupts or impairs the ability of an RIA or a private fund client to maintain critical operations, or that leads to unauthorized access to or use of client information, resulting in material harm.

RIAs are required to disclose information about cybersecurity risks and incidents that may materially affect their advisory relationship under new Section 20 of Form ADV Part 2A, entitled “Cybersecurity Risks and Incidents.” In addition, the RIA must provide existing clients with interim amendments to the brochure.

Because compliance with the proposed rules, in their final form, will take considerable effort, RIAs should begin evaluating which outsourced functions qualify as “covered functions” and should start a risk analysis of the relevant third-party relationships. With respect to cybersecurity regulations, RIAs should identify key risks associated with information systems and begin evaluating how to effectively manage and mitigate those risks.

© 2023 Miller, Canfield, Paddock and Stone PLC National Law Review, Volume XIII, No. 11
