SEC Expresses Interest in Alternative Data and Cybersecurity Risks
In 2019, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) announced its 2020 examination priorities. In this list, OCIE identified a number of new areas of interest – specifically, alternative data and cybersecurity risks.
Why is alternative data on the SEC radar? Well, OCIE Director Pete Driscol points out: “As markets evolve, so do risks and potential harm to investors. OCIE continually works to adjust its examination focus areas to target these risks and publishes its annual priorities to communicate where we see the potential for increased risk and related harm. We hope that this transparency helps firms evaluate and improve their compliance programs, which ultimately helps protect investors…“
This specific topic is interesting because its the first time the OCIE has publicly identified alternative data as an exam priority. The OCIE stated that “examinations will focus on firms’ use of these data sets and technologies to interact with and provide services to investors, firms, and other service providers and assess the effectiveness of related compliance and control functions.”
Hedge funds using alternative data should be prepared for a heightened level of scrutiny from the SEC on this issue.
Funds should be ready to:
- answer questions regarding their due diligence process for evaluating, vetting and onboarding alternative data vendors, including techniques and contractual approaches used with such vendors
- explain protections against receipt of personally identifiable information (PII)
- explain potential MNPI and insider trading considerations involving alternative data
Following the SEC’s 2018 updated guidance on public company cybersecurity disclosures, information security remains a prominent focus of OCIE across its entire examination program. Specifically, examinations with be focused on things like “proper configuration of network storage devices, information security governance generally, and retail trading information security.” Fund
Funds should be ready to:
- answer questions on vendor oversight practices around cloud storage relationships
- explain controls around online access and mobile application access to customer brokerage account information
- outline safeguards around data disposal and the risks of retired hardware containing client information
- explain contractual approaches with third party vendors and service providers
Blockchain and Digital Currency
The OCIE stated that the rapid growth of digital assets present various risks, and that it would continue to “examine SEC-registered market participants” engaged in certain cryptocurrency activities and transfer agents developing blockchain technology, among other things.
Emerging Investment Strategies
OCIE will also have a particular interest in the accuracy and adequacy of disclosures provided by registered investment advisors offering clients new types or emerging investment strategies, such as strategies focused on sustainable and responsible investing, or which incorporate environmental, social, and governance (ESG) criteria. These exams will likely focus on disclosures to potential investors, how the ESG investments are defined, and the internal process for monitoring the strategies.
OCIE will continue to review managers’ compliance with applicable anti-money laundering (AML) requirements, including whether entities are appropriately adapting their AML programs to address their particular situations and regulatory obligations.
Who will be Examined First?
While there is no full sweep on the horizon yet, the OCIE will focus on firms that have never been examined or have not recently been examined, particularly if the firm has experienced substantial growth or expanded into new products. As the OCIE is focusing on conducting more targeted exams, the chances of undergoing an exam remain high, but the scope of the exams may be more narrow. It will also depend on whether the OCIE believes a fund manager exhibits heightened risk or falls within the targeted priorities, then the chances of an exam increase.