For investment advisers currently going through an SEC exam, the process likely bears little resemblance to exams of old. Call it the new normal, a paradigm shift, or simply the effects of the SEC having to do more with less, but anecdotal evidence among those now experiencing the exam process suggests some interesting new trends.
What has changed about SEC exams? First, the concept of routine exams seems to have fallen by the wayside, replaced with targeted, risk-based exams. The risks may be specific to a given firm, or may be part of risk-based sweep exams to help the regulator assess the prevalence of certain practices and the extent of controls around certain focus areas.
The targeted exams are evident in the significantly reduced size of the initial request list being received by investment advisers. Firms are reporting initial requests of as few as a dozen items. Other advisers are sharing that the SEC requests an initial “get-to-know-you” phone call but never comes on-site at all, choosing instead to conduct the entire exam remotely. Still others are reporting that the SEC did come on-site, but only for the purpose of attending the initial presentation they request about the firm, its business model, its risks and controls.
What else seems to have changed with SEC exams? They are actually being completed quickly—in some cases in as little as three months—according to several hedge fund advisers who have recently gone through the process.
Last week, I had the opportunity to hear tales from the front lines from the legal and compliance teams representing firms that had recently gone through an SEC exam, and several shared that they felt prepared for their exams because they engage compliance consultants to conduct mock exams several times per year on a variety of focused topics, such as expense allocation or trading practices. One adviser shared that the benefit of having a third-party mock SEC exam is that the consultant has a breadth of experience among numerous firms going through exams and can leverage actual SEC request lists and questions to help prepare their team by testing the ability to gather and produce requested information in a timely manner, and by testing the preparedness of their personnel to handle a regulatory interview. Another adviser added that it is important for the chief compliance officer to be in the hot seat for a mock exam interview as well. Mock SEC exams offer the opportunity for an independent look at how staff responds to questions, and can reveal valuable insights such as who may be able to handle the pressure in front of a real regulator and who should perhaps be encouraged to take a vacation that week because the interviewee over-volunteered information or was wholly inaccurate.
I also had the opportunity to join an FBI Agent from the Financial Cyber Crimes Task Force to speak to hedge fund advisers on the topic of big data as it relates to cybersecurity. Hedge fund advisers in particular are generally very protective of their “secret sauce,” and it was interesting to hear how many firms were storing data in the cloud versus on premises. The scales have clearly tilted towards the use of the cloud, and especially a private cloud solution, although many in the audience agreed that they migrated to the cloud in stages one system at a time.
Whether using the cloud or not, my co-panelist and I stressed the importance of data classification: understanding what your organization’s crown jewels are and protecting those assets accordingly. Once hackers have gained access, log files typically show them moving laterally within the firm to reach other systems, files, and information. It may not be readily apparent to an adviser what information is valuable to the hacker, because it may differ from what the adviser considers to be its crown jewels. And since many cyber intrusions are not detected until 6-9 months after the fact, it is important for firms to retain log files covering that period so they can review them to determine what a hacker accessed.
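To make the log-review point concrete, here is an added example in Python (not from the original post or from Ascendant): it scans constructed logon records for one account reaching an unusual number of hosts within a short window, the lateral-movement pattern described above, and checks whether the oldest retained log entry reaches back over the 9-month detection gap. The log format, field names and the thresholds are assumptions to be tuned to the firm's own environment.

```python
"""Added example (not from the original post): flag lateral-movement-style
access patterns in constructed logon logs and check that log retention
covers the 6-9 month detection gap the post mentions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not a real product's):
# "<ISO timestamp> user=<account> src=<host> dst=<host> action=logon"
SAMPLE_LOGS = """\
2024-03-01T09:02:11 user=alice src=wks-alice dst=fileserver01 action=logon
2024-03-01T09:15:40 user=alice src=wks-alice dst=mail01 action=logon
2024-03-01T02:03:05 user=svc-backup src=wks-07 dst=fileserver01 action=logon
2024-03-01T02:04:10 user=svc-backup src=wks-07 dst=hr-db action=logon
2024-03-01T02:05:22 user=svc-backup src=wks-07 dst=trading-app action=logon
2024-03-01T02:06:48 user=svc-backup src=wks-07 dst=research-share action=logon
2024-03-01T02:07:30 user=svc-backup src=wks-07 dst=dc01 action=logon
"""

def parse_line(line):
    """Split one log line into (timestamp, user, source host, destination host)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], kv["src"], kv["dst"]

def find_lateral_movement(log_text, window=timedelta(hours=1), max_hosts=3):
    """Return {account: sorted hosts} for every account that logged on to
    more than `max_hosts` distinct hosts inside any `window`; the window
    and threshold are assumed values, not a standard."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    per_user = defaultdict(list)
    for ts, user, _src, dst in events:
        per_user[user].append((ts, dst))
    flagged = {}
    for user, hits in per_user.items():
        for i, (start, _) in enumerate(hits):
            hosts = {d for t, d in hits[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged

def retention_covers_gap(oldest_iso, now_iso, months=9):
    """True if the oldest retained log entry predates `now_iso` by at least
    `months` (approximated as 30-day months), i.e. an intrusion found
    9 months late could still be reconstructed from the logs."""
    gap = datetime.fromisoformat(now_iso) - datetime.fromisoformat(oldest_iso)
    return gap >= timedelta(days=30 * months)
```

A real deployment would feed the function from the firm's authentication logs rather than the embedded sample, and would tune the window and host threshold against a baseline of normal service-account behaviour.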
Finally, the FBI was in agreement that social engineering continues to be the biggest risk facing the financial sector. As merger-and-acquisition activity picks up in the financial space, it can be very easy for a firm with strong controls on all of its systems to suddenly have a number of new and potentially insecure systems added to the mix. Cyber crime tends to be a crime of opportunity. A hacker only needs one way in, whether through an unpatched system or a phishing attempt that gets them let right in the front door.
Want to make sure your firm is exam-ready? Ascendant can help. Our mock exams consist of interviews, document review, data inspection, compliance testing, and evaluation of policies and procedures, and are designed not only to highlight weaknesses but also to assist with enhancing compliance programs to ensure consistency with the SEC’s expectations. For more information, contact us today via email or at 860-435-2255.