As we predicted in our February 2nd Communique, the SEC is proposing new rules that will significantly impact private fund advisers if adopted. The February 9th cybersecurity proposal also has elements that will impact all investment advisers, whether registered or not.
Private Fund Advisers and Documentation of RIA Compliance Reviews
The proposal covers six main initiatives and is already raising several questions.
- Quarterly Statements – Registered private fund advisers would be required to provide quarterly statements within 45 days of quarter end to investors with significant details about private fund performance, fees, and expenses;
- Private Fund Audits – Registered private fund advisers would be required to obtain an annual audit for each private fund, require a liquidation audit, and cause the auditor to notify the SEC upon certain events, including issuance of a modified opinion;
- Adviser-Led Secondaries – Registered private fund advisers would be required to obtain and distribute to investors a fairness opinion in connection with an adviser-led secondary transaction;
- Prohibited Activities – All private fund advisers (registered or not) would be prohibited from engaging in certain practices the SEC views as incentivizing advisers to place their own interests ahead of fund interests, including, for example:
  - Charging certain fees and expenses to a private fund or its portfolio investments, such as fees for unperformed services (e.g., accelerated monitoring fees) and fees associated with the compliance program or an examination or investigation of the adviser;
  - Seeking reimbursement, indemnification, exculpation, or limitation of its liability for certain activities, such as seeking indemnification for breach of fiduciary duty or reimbursement for malfeasance;
  - Reducing the amount of an adviser clawback for taxes;
  - Charging fees or expenses related to a portfolio investment or prospective investment on a non-pro rata basis; and
  - Borrowing from any private fund client.
- Preferential Treatment Prohibition – All private fund advisers (registered or not) would be prohibited from providing preferential treatment to a subset of investors relating to redemptions or access to portfolio information, while also prohibiting all other types of preferential treatment unless disclosed to current and prospective investors; and
- Written Annual Review – This amendment to the Compliance Rule would require all registered advisers to document the annual review of their compliance policies and procedures in writing.
We expect the industry will be active during the comment period in an effort to seek clarification on numerous elements proposed.
SEC Proposed Cybersecurity Rules
The SEC has also released a proposal to require registered advisers, mutual funds and business development companies to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks. Such cybersecurity programs will be expected to have several required elements, including:
- Risk Assessment – assess, categorize, prioritize, and document the cybersecurity risks associated with their information systems and associated data.
- User Security and Access – controls designed to minimize user-related risks and prevent the unauthorized access to information and systems: acceptable use policies, access restriction policies, authentication measures, and remote access policies.
- Information Protection – monitor systems housing sensitive information and protect it from unauthorized access or use, including those of third-party service providers.
- Threat and Vulnerability Management – detect, mitigate, and remediate threats and vulnerabilities to systems and information.
- Incident Response and Recovery – policies and procedures that are reasonably designed to ensure continued operations; protection of information systems and information; cybersecurity incident information sharing and communications, both external and internal; reporting of significant cybersecurity incidents to the Commission via Form ADV-C; and documentation of cybersecurity incidents, including response and recovery measures.
The program would be subject to annual review, written reports and, where applicable, fund board oversight. Additionally, certain disclosures would be required (on Form ADV Part 2A for advisers or Form N-1A for mutual funds, for example) under a new heading titled “Cybersecurity Risks and Incidents” regarding cybersecurity risks and incidents that could materially affect the advisory relationship.
An aspect of the new disclosure element requires advisers to describe any cybersecurity incidents that occurred within the last two fiscal years that have significantly disrupted the firm’s operations or that have led to the unauthorized access to firm information, resulting in harm to the firm or its clients.