On October 26, 2022, in a divided 3-2 vote, the Securities and Exchange Commission (“SEC”) proposed a new rule, 206(4)-11, under the Investment Advisers Act of 1940 and related amendments (the “Proposed Rule”) requiring SEC-registered investment advisers to exercise effective and sufficient oversight over their service providers so as to fulfill the adviser’s fiduciary duty, comply with the federal securities laws and protect investors from potential harm. Notably, the Proposed Rule prohibits advisers from outsourcing certain services or functions to service providers without meeting minimum diligence and monitoring requirements.
The Proposed Rule is meant to add an additional layer of comprehensive oversight by advisers for investor protection and is consistent with the SEC’s continued focus on protecting investors from third-party risk, including cyber risk, in the start of what is expected to be an active season of rule making.
SEC Reasoning and How the Proposed Rule Applies
Over the past few years, there has been an uptick in advisers engaging service providers to perform certain functions—from cybersecurity to portfolio management services—and the SEC is concerned that, if an adviser outsources a function or service to an outside party without sufficient oversight, investors could be significantly harmed. The SEC believes that it is “a deceptive sales practice” and “contrary to the public interest and investor protection” for an investment adviser to hold itself out as an adviser and then outsource necessary advisory functions without taking appropriate steps to ensure that investors are provided with the same protections that the adviser is obligated to deliver under its fiduciary duty and other obligations pursuant to federal securities laws.
The Proposed Rule would establish an oversight framework across SEC-registered advisers that outsource a “covered function,” which would explicitly include cybersecurity, among other services. The services covered by the Proposed Rule include those that (1) are necessary to provide advisory services in compliance with the federal securities laws, and (2) if not performed or performed negligently, would be reasonably likely to cause a material negative impact on the adviser’s clients or on the adviser’s ability to provide investment advisory services. The Proposed Rule states that “covered functions” can include technology integral to an adviser’s investment decision-making process, such as use of artificial intelligence, a service playing an increasingly important role in the advisory space.
Oversight Requirements
If an adviser decides to outsource a covered function, the adviser would be required to:
- Prior to selecting a service provider to perform a covered function, conduct due diligence on the service provider and periodically monitor the service provider’s performance and reassess the retention of the service provider;
- Make and/or keep books and records related to the due diligence and monitoring requirements;
- Amend Form ADV to collect information about advisers’ use of service providers to report such census-type information; and
- Conduct due diligence prior to selecting third-party recordkeepers and obtain reasonable assurances that the third party will meet certain standards (as detailed further below).
Further to point (i) above, before retaining a service provider to perform a covered function, an adviser would be required to reasonably identify and determine through due diligence that outsourcing the covered function to that service provider would be appropriate by considering the following:
- The nature and scope of the covered function;
- Potential risks resulting from the service provider performing the covered function, including how to mitigate and manage such risks;
- The service provider’s competence, capacity, and resources necessary to perform the covered function;
- The service provider’s material subcontracting arrangements related to the covered function;
- Coordination with the service provider for federal securities law compliance; and
- The orderly termination of the performance of the covered function.
Third-Party Recordkeepers
The SEC also proposed amendments to Advisers Act Rule 204-2, the Books and Records Rule, to require specific conditions for all advisers using third parties to make and keep records required by the rule, including obligating advisers to obtain “reasonable assurances” that the third party will meet four standards, which address the third party’s ability to:
- Adopt and implement internal processes and/or systems for making and/or keeping records that meet the requirements of the recordkeeping rule applicable to the books and records being maintained on behalf of the adviser;
- Make and/or keep records that meet all the requirements of the recordkeeping rule applicable to the adviser;
- Provide access to electronic records; and
- Ensure the continued availability of records if the third party’s relationship with the adviser or its operations cease.
Cybersecurity Overlapping Rules
The SEC acknowledges that there are various rules and regulations that indirectly address an adviser’s oversight of service providers and notes that while some advisers may conduct proper due diligence and monitoring of third-party recordkeepers and certain service providers, such as those arrangements that raise privacy or cybersecurity risks under the existing regulatory framework, the SEC asserts that there are no rules that explicitly require firms to conduct the comprehensive due diligence and monitoring of their service providers, as proposed under the Proposed Rule.
However, there may be slight overlap. For example, where an adviser outsources certain cybersecurity functions, the adviser may already be required to conduct due diligence and monitoring of service providers pursuant to Regulation S-P or Regulation S-ID. In fact, many firms have in place policies and procedures to address the handling of non-public trading information or PII when service providers have access to such information, as Regulation S-P and Regulation S-ID require that investment advisers adopt such policies and procedures to protect various records and information of customers. For example, Regulation S-P provides requirements to adopt written policies and procedures reasonably designed to (i) ensure the security and confidentiality of records and information of an adviser’s client; (ii) protect against any anticipated threats or hazards to the security or integrity of such records and information; and (iii) protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to an adviser’s client. In addition, the SEC proposed cybersecurity risk management rules this past February, which would require advisers and funds to, among other things, identify service providers that receive, maintain or process adviser or fund information, or that are permitted to access their information systems, including the information residing therein, and identify the cybersecurity risks associated with the use of these service providers.
Next Steps
The public comment period will remain open until the later of December 27, 2022, or 30 days after it is published in the Federal Register. If adopted, the Proposed Rule would mandate compliance starting 10 months from the rule’s effective date (the “Compliance Date”). The rule would apply to all new service provider engagements made on or after the Compliance Date, while the ongoing monitoring requirements would apply to existing engagements beginning on the Compliance Date.
We are closely tracking SEC developments in the cyber space. Subscribe to www.RopesDataphiles.com for these and other updates.