On February 9, 2022, the US Securities and Exchange Commission (SEC) voted to propose several new rules and amendments to existing rules that would significantly alter the current requirements for investment advisers and funds, with one proposal specifically focused on private funds and the other focused on cybersecurity.
Proposed Rules Applicable to Private Fund Advisers
The SEC voted to propose a suite of new rules and amendments under the Investment Advisers Act of 1940 (Advisers Act) that, if adopted, will significantly increase the compliance obligations of advisers to private funds.
The proposed new rules would include the following requirements for advisers to private funds (i.e., funds that rely on the exceptions from the definition of “investment company” provided in Section 3(c)(1) or Section 3(c)(7) of the Investment Company Act of 1940 (Investment Company Act)):
- First, registered investment advisers (RIAs) to private funds would be required to provide quarterly statements to investors that include specified performance metrics and describe fees and expenses of the fund and portfolio companies.
- Second, RIAs to private funds would be required to obtain annual financial audits from an independent public accountant that would be distributed to investors. (Many private fund advisers already do this pursuant to the custody rule under the Advisers Act.)
- Third, RIAs would be required to obtain a fairness opinion in adviser-led secondary transactions and to provide the opinion, along with a summary of any material business relationships between the RIA and the opinion provider, to investors before the close of the transaction.
- Fourth, all private fund advisers (not just RIAs) would be prohibited from certain practices, including:
- Charging certain fees and expenses to a private fund or its portfolio investments for work not actually performed (e.g., accelerated monitoring fees) and fees associated with an examination or investigation of the adviser
- Seeking reimbursement, indemnification, exculpation or limitation of liability for certain activities (including simple negligence)
- Reducing the amount of adviser clawback by the amount of certain taxes
- Charging fees or expenses related to a portfolio investment on a non-pro rata basis when multiple clients co-invest together
- Borrowing from a private fund client
- Fifth, all private fund advisers (not just RIAs) would be prohibited from providing preferential terms to certain investors regarding redemption rights and information regarding portfolio holdings if the adviser reasonably expects that providing the rights or information would have a “material, negative effect” on other investors. Advisers would also be prohibited from providing other preferential treatment unless disclosed to current and prospective investors ahead of the investment and on an annual basis thereafter.
The SEC also proposed amendments to the current rules governing the books and records requirements as well as the compliance program. The proposed amendments include the following significant changes:
- The books and records amendment would require RIAs to retain copies of the private fund reports required by the new rules above.
- The amendment to the compliance program would require all RIAs to document the annual review of their compliance policies and procedures in writing.
Cybersecurity Risk Management Proposal
At the same meeting, the SEC proposed new rules and amendments under the Advisers Act and the Investment Company Act related to cybersecurity risk management for RIAs, registered investment companies (RICs) and business development companies (BDCs) and related amendments to certain rules that govern investment adviser and fund disclosures.
The proposed new rules under the Advisers Act and Investment Company Act would require advisers and funds to adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks. The SEC acknowledged that advisers and funds often consider cybersecurity when developing policies and procedures, but the proposed rule would formalize and supplement steps taken today. At a minimum, these entities would be required to undertake and document periodic cybersecurity risk assessments and to have policies and procedures designed to manage user security and access control, monitoring of information systems, and threat and vulnerability management, as well as incident response and recovery. The proposal would require review of these policies and procedures on at least an annual basis.
The proposal would also require RIAs to report significant cybersecurity incidents to the SEC on a confidential basis (using a new Form ADV-C). The proposed amendments would also create a new requirement that RIAs report to clients and prospective clients significant cybersecurity incidents that occurred in the past two fiscal years in their Form ADV Part 2A, with RICs and BDCs making similar disclosures in their applicable registration statements.
The proposed amendments to the Advisers Act and Investment Company Act would also create new requirements for RIAs, RICs and BDCs to maintain copies of cybersecurity policies and records related to cybersecurity risk management and incidents.
The comment period for the proposals is open to the public until the later of April 11, 2022, or 30 days after publication in the Federal Register. We will provide more in-depth analysis of these proposals in separate publications in the coming days.