Jul. 14, 2022

A Checklist to Help Fund Managers Assess Their Cybersecurity Programs

Cybersecurity is a key focus for the SEC. For example, the SEC Division of Examinations’ 2022 exam priorities report notes that registered investment advisers and broker-dealers must have strong information security and data protection controls to ensure their ability to continue operations in the event of a cyber attack or other disruption. See “Private Funds Top the SEC’s 2022 Exam Priorities” (Jun. 9, 2022). FINRA is also keenly focused on cybersecurity. To that end, on May 5, 2022, FINRA released a tool to help small firms identify key cybersecurity risks and enhance their customer information protection, cybersecurity written supervisory programs and related controls. The tool (Tool) highlights the most common and recent categories of cybersecurity threats facing small firms; includes questions to assist firms with addressing those threats; provides a summary of core controls small firms should consider; and contains relevant questions for firms to answer when evaluating their current cybersecurity programs. Although the Tool was written for broker-dealers, its guidance is generally applicable to fund managers’ oversight of their cybersecurity programs. This article summarizes the Tool and provides a checklist – including a downloadable, standalone version – created from the questions in the Tool that managers can use to assess the sufficiency of their cybersecurity programs. For another checklist derived from FINRA guidance, see “A Checklist for Fund Managers to Ensure Adequate Vendor Management” (Sep. 9, 2021).

Legal and Practical Impact on Fund Managers of New Federal Law Ending Forced Arbitration of Sexual Harassment and Assault Claims

Mandatory, pre-dispute arbitration agreements have become popular in the private funds industry. Employers and other supporters point to arbitration as a fast, efficient and, perhaps most importantly, confidential method to resolve employment-related disputes. Some employees and employee advocates, however, believe mandatory arbitration silences victims and allows employers to avoid the full consequences of their unlawful conduct. Those criticisms intensified in the #MeToo era and led several state legislatures to ban pre-dispute arbitration agreements as to sexual harassment – and, in some cases, all discrimination – claims. Those state laws have been largely ineffective because courts found them to be preempted by the Federal Arbitration Act (FAA). In response, Congress recently created an exemption to the FAA – the Ending Forced Arbitration of Sexual Assault and Sexual Harassment Act of 2021 (the Act) – that significantly limits the ability of hedge fund managers and other employers to implement and enforce arbitration agreements as to claims alleging sexual harassment or sexual assault. In a guest article, Dechert attorneys Jeffrey W. Rubin and J. Ian Downes explore the backdrop against which the Act was passed; prohibitions in the Act; unanswered questions left by the Act; and practical steps hedge fund managers can take now to address the Act in existing and future arbitration agreements. See “How Investment Managers Can Prevent and Manage Claims of Harassment in the Age of #MeToo” (Dec. 14, 2017).

A Roadmap to Proposed ESG Disclosures on Form ADV

A significant focus of SEC Chair Gary Gensler’s ambitious rulemaking agenda has been on climate change and environmental, social and governance (ESG) investment factors. In March 2022, the SEC proposed climate risk disclosure rules for public companies. In May, the agency proposed enhanced ESG disclosure rules for certain advisers and registered investment companies and, separately, amendments to the requirements governing the names of registered investment companies. A recent Akin Gump program examined the key provisions and broad sweep of the ESG disclosure proposal; its applicability to, and impact on, private fund advisers; and significant concerns about the proposed disclosure regime. The program featured Akin Gump partners Brian T. Daly, Katherine R. Goldstein and Stacey H. Mitchell. This article synthesizes their comments. See our two-part coverage of the SEC’s proposed corporate climate risk disclosure rules: “Five Key Elements” (May 19, 2022); and “Implications, Challenges, Timing and Pushback” (May 26, 2022); as well as “Deputy Director of SEC Division of Investment Management Discusses Pending Rulemaking” (May 12, 2022).

FCA Alert Reminds Custodians and Fund Service Firms of Safeguarding, Servicing and Oversight Duties

The U.K. Financial Conduct Authority (FCA) recently issued a so-called “portfolio letter” (Letter) to firms in the “custody and fund services portfolio,” which includes third-party custodians, fund depositaries, third-party fund administrators and transfer agents. The Letter’s purpose is to highlight the key risks that firms must manage “in order to protect investors and the integrity of the markets in which they operate.” Firms should expect the FCA to ask them about the actions they and their boards have taken “in response to this [L]etter to ensure that customers and markets are adequately protected,” the FCA cautioned. This article discusses the concerns raised in the Letter, with commentary and regulatory context from William Yonge, partner at Morgan Lewis. For more from the FCA, see “FCA Details Shortcomings of ‘Host’ Authorized Fund Managers” (Aug. 26, 2021).

Can Compliance Certifications Empower CCOs?

Should CEOs and CCOs be required to certify that a compliance program is working as intended at the end of a corporate resolution? That is the question Assistant Attorney General Kenneth Polite has put to the prosecutors in the DOJ’s Criminal Division. In two recent speeches, he floated the idea as a way to empower CCOs and ensure that they have access to data and other resources. This article investigates whether doing so is an achievable goal and whether there might be unintended consequences of such a requirement. For more on compliance programs, see our two-part series “Thirteen Questions an Adviser’s Principals Should Ask Compliance”: Part One (Jan. 13, 2022); and Part Two (Jan. 20, 2022).