Mar. 24, 2022

SEC Proposes Cyber Risk Management Rules for Advisers

This year, the SEC under Chair Gary Gensler has been on a rulemaking tear. The regulator’s growing focus on the size and influence of the private funds industry has now intersected with its longstanding focus on cybersecurity. To that end, the SEC recently proposed sweeping new cybersecurity rules for investment advisers and registered investment funds that would require them to adopt and implement comprehensive cybersecurity policies and procedures; report certain significant cybersecurity incidents to the SEC within 48 hours of discovery; and provide enhanced disclosure about cybersecurity risks and incidents. This article details the proposed rules as they apply to registered investment advisers, with commentary from Avi Gesser, partner at Debevoise & Plimpton, and Clifford E. Kirsch, partner at Eversheds Sutherland. See “Six Takeaways From the SEC’s FY 2021 Enforcement Results” (Jan. 27, 2022); “Recent Experiences With SEC Examinations and Enforcement: Cybersecurity, BCPs, Branch Offices and Disclosures (Part One of Two)” (Dec. 9, 2021); and “Fireside Chat With SEC Chair Gensler: Three Key Disclosure Areas (Part One of Two)” (Nov. 18, 2021).

AML Compliance Officers May Be Held Personally Responsible for AML Program Failures

Money laundering remains a significant focus of financial industry regulators. In August 2020, the SEC, CFTC and FINRA all resolved enforcement proceedings arising out of alleged deficiencies in a firm’s anti-money laundering (AML) program. FINRA has now resolved an enforcement proceeding against the firm’s AML compliance officer, who allegedly failed to implement the AML program, lacked sufficient knowledge of its operations, ignored red flags and did not understand when the firm was obligated to file suspicious activity reports. The proceeding is yet another reminder of the close regulatory focus on the implementation of appropriate and effective compliance policies and procedures – and of the regulators’ continued willingness to hold compliance officers accountable for serious compliance failures. This article explores FINRA’s allegations and the Letter of Acceptance, Waiver and Consent. See “AML Program Failures May Draw Scrutiny From Multiple Regulators” (Sep. 10, 2020); and “FinCEN Issues First AML/CFT Priorities” (Aug. 26, 2021). For additional discussion of CCO liability, see “A Look at the NSCP’s Firm and CCO Liability Framework” (Feb. 24, 2022); our two-part series on the NYC Bar framework for CCO liability: “Components and Proposals” (Jul. 15, 2021); and “CCO and Regulator Perspectives” (Jul. 22, 2021); as well as our two-part series “What a Recent SEC Opinion on a FINRA Disciplinary Action Says About CCO and CEO Liability”: Part One (Jan. 24, 2019); and Part Two (Jan. 31, 2019).

Examining the Burdens and Benefits of a Remote Regulatory Environment

Regulatory agencies have been reacting to the ever-changing pandemic environment and deploying resources accordingly. Investigatory activity has accelerated since the beginning of the pandemic, and fund managers and other organizations continue to navigate the challenges of remote interviews and testimony; access to documents; negotiations with regulators; coronavirus-related compliance issues; and internal investigations. The above issues were explored at a recent New York City Bar Association program moderated by Andrew J. Ceresney, partner at Debevoise & Plimpton and former SEC Director of Enforcement, and featuring Cheryl Crumpton, head of litigation, regulatory enforcement and investigations at Robinhood; Mei‑Lin Kwan‑Gett, deputy GC and global head of litigation at Citigroup; and Jonathan Slonim, deputy GC and head of litigation and investigations at McKinsey & Company. See our two-part series “What Hedge Fund Managers Can Expect From SEC Remote Examinations”: Part One (May 12, 2016); and Part Two (May 19, 2016).

Necessary Precautions, Compliance Considerations and Risks to Mitigate From a Ransomware Attack (Part Two of Two)

All fund managers are keenly aware of the financial and reputational risks posed by a ransomware attack, as those are top of mind when considering cybersecurity risks. Less attention is paid, however, to some of the trickle-down ramifications of a ransomware attack, including mandatory reporting requirements to regulators and the possibility of third-party litigation and regulatory enforcement. Some of those risks can be mitigated not only through preventative cybersecurity practices but also by thoughtful and rehearsed incident response measures. Those issues were addressed in a recent Arnold & Porter roundtable moderated by Arnold & Porter partner Ronald D. Lee and featuring Dan Raymond, focus group leader on breach response and information security products at Beazley Group; Aaron Sherman, director of incident response at Coveware, Inc.; and Arnold & Porter attorneys Kenneth L. Chernof, Marcus A. Asner and Tal R. Machnes. This second article describes mandatory reporting requirements; litigation and enforcement risks arising from ransomware attacks; protective measures fund managers should take before an attack; and important compliance considerations. The first article prescribed initial measures fund managers should take after a ransomware attack; guidance for working with law enforcement and deciding to pay a ransom; and tips for preserving attorney-client privilege during an incident response. See “Identifying and Preventing Ransomware Attacks” (Oct. 15, 2020).

AIMA/KPMG Report Discusses Impact of the Hybrid Work Environment and Evolving Investor Relations

In late 2021, the Alternative Investment Management Association (AIMA) and KPMG examined key operational issues affecting hedge funds and how the industry is emerging from the coronavirus pandemic. Their survey covered the impact of the hybrid work environment; operations and outsourcing; attracting and retaining talent; capital raising and investor relations; responsible investing; evolving product offerings; regulatory challenges; and taxation. “The last AIMA/KPMG annual report focused on how hedge fund managers were managing the economic upheavals caused by the coronavirus pandemic,” Tom Kehoe, AIMA’s managing director and global head of research and communications, told the Hedge Fund Law Report. “We found an industry agile and resilient in the face of massive market disruption.” This year, AIMA and KPMG found “an industry poised to accelerate out of the pandemic, with firms adopting new approaches to improve the efficiency of their business models and developing new investor solutions to deepen their alignment with investor clients,” he explained. This article reviews the key findings from the survey, with additional insights from Kehoe. See “Hedge Fund Industry Remains Agile and Resilient, According to Recent KPMG/AIMA Survey” (Oct. 8, 2020).