Regulations, best practices, cybersecurity all affect capital raising
Funds need to understand and react to investor concerns
Twelve years ago, there was far less regulation of and minimal transparency into the operations of hedge funds. That’s changed. The Dodd-Frank Act alone has grown from 848 pages initially to more than 22,000 pages now—and more than 30 percent of its rulemaking requirements are not yet met. For funds, this means a constantly evolving regulatory environment of new rules and new enforcement strategies by a myriad of regulatory bodies.
What will happen with regulation and enforcement under the Trump administration is unclear. The administration has stated its intention to roll back Dodd-Frank, but whether and to what extent that will happen remain to be seen. Until that direction is clarified, funds should understand where regulators are currently focused.
Main focus areas for the Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) for 2017 are issues that heighten risk for investors or that undermine the integrity of U.S. capital markets. Specific issues include:
- Investment advisers that have not previously been examined
- Recidivist representatives (investment advisers with a poor regulatory history)
- The consistent design and implementation of compliance programs across all offices of multibranch advisers
- Conflicts of interest for private fund advisers, including valuations and the appropriate level and allocation of fees and expenses
The OCIE also continues its previous focus on:
- Appropriate allocation of investment opportunities
- Possession of material nonpublic information
- Personal trading by fund partners
- Insider trading
- Foreign Corrupt Practices Act and anti-money laundering issues
From regulatory focus to investor concern
With the Trump administration seeming intent on providing some regulatory relief, funds may be tempted to relax their attention to some of these issues. However, it is important for funds to understand that many of these areas are no longer just the concern of regulatory authorities—they are also issues that investors are watching closely. Increasing investor interest in Global Investment Reporting Standards (GIPS) is one reflection of how investor due diligence is increasing, not just as investors select funds, but over the life of their investments.
Investors are now scrutinizing corporate governance issues at funds, including:
- The investment process
- Risk management
- Technology and cybersecurity
- Valuation issues
- Regulatory compliance
- Vendor selection and third-party management
This means that funds need to change their mindset to be attuned to both regulatory issues and the best practices that investors will now expect. This new environment is driving up the initial and ongoing costs of fund operations. Understanding and managing those costs will be vital to a fund’s success.
Getting a grip on cybersecurity
Cybersecurity should be a key area of operational focus for all funds. Both regulators and investors are deeply concerned about cybersecurity risks.
Findings from the NetDiligence/RSM 2016 Annual Cyber Claims Survey help illustrate this threat. This survey is based on the analysis of actual cyber insurance claims. Key findings include:
- Personally identifiable information, such as names, addresses, emails and Social Security numbers, accounted for 51 percent of the records exposed by data type. While funds may not have concerns about personal health care information and may have limited concerns about payment card information, all businesses, including funds, must protect personal data.
- Hackers and malware are the two most common causes of losses, but lost laptops or other devices, staff mistakes, and rogue employees together account for 50 percent of losses.
- Funds may think their employees would not intentionally cause or allow a data breach, and they would largely be correct, but 77 percent of the data breaches due to employees were unintentional mistakes—pointing to the need for increased security training.
Getting cyber insurance coverage does not mitigate all of the risks. The average cybersecurity insurance claim has dropped from a peak of $3.6 million in 2012 to $665,000 in 2016. This does not, however, mean that the cybersecurity threat is diminishing. Rather, it means that insurers have reduced the scope and increased exceptions for covering security incidents. The lesson here? While cybersecurity insurance can be a valuable part of your risk management effort, these policies are highly customized. You need to read your policy carefully to understand exactly what it does—and does not—cover.
Every fund has its own unique cybersecurity concerns, so each fund must develop a customized cyberrisk management strategy. However, funds can use the following threat modeling methodology to help them better identify their risks and plan their responses.
Funds need to answer four key questions:
- Who might attack you or otherwise cause exposure? Potential bad actors can include employees (remember, this includes both intentional and accidental acts), contractors (you can outsource functions, but you can’t outsource risk), customers, random attackers (such as random phishing attacks), focused attackers (those who have specifically targeted your fund) and state-sponsored attackers.
- How might they attack you? Attacks could come over the internet, through your internal network, through your wireless network, via email, through infected devices such as USB keys, through the theft of devices, or in person or over the phone through social engineering attacks.
- What assets could attackers target? Assets could include customer records, employee records, your equipment (for example, through ransomware attacks), or Automated Clearing House (ACH) information and account numbers. Social Security numbers, credit card numbers, W-2 information and account numbers are particularly attractive targets.
- Why do you care? Attacks could carry financial risk, brand risk, operational risk or all three. Understanding the scope of risk associated with each potential scenario will allow you to make informed risk tolerance decisions and appropriately focus your mitigation efforts.
Considering those key questions will help you build a set of scenarios you can use to evaluate your cybersecurity exposure. Then, you must:
- Assess the likelihood of being affected by each scenario
- Develop a strategy to protect your fund from scenarios that carry sufficient risks
- Hedge your losses through cyber insurance (but be sure the insurance you buy protects you from the risks you are buying it for)
- In some cases, simply accept the risk. For example, ransomware attacks generally carry a relatively low cost and cause limited risk. You may decide it is better to simply address them as they come up rather than investing in a mitigation strategy. But be transparent with your board about such decisions.
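The four questions and the four responses above, worked through as an added example that is not part of the article: a small Python threat-scenario register that records who, how, which asset and which kinds of risk for each scenario, scores likelihood against the worst impact, and maps each scenario to accept, mitigate, or mitigate and insure (insurance only counted when the policy is known to cover that loss). The three-point rating scale, the tolerance threshold and the sample scenarios are assumptions for illustration.

```python
from dataclasses import dataclass
# Ordinal ratings; the three-point scale and the thresholds below are assumptions.
LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Scenario:
    # One answer set to the four questions: who, how, which asset, why it matters.
    who: str            # employee, contractor, random or focused attacker, ...
    how: str            # email, wireless, USB key, stolen device, phone call, ...
    asset: str          # customer records, ACH details, equipment, ...
    likelihood: str     # low / medium / high
    financial: str      # impact rating for each of the three risk types
    brand: str
    operational: str
    covered: bool = False   # does the cyber policy actually pay for this loss?
    def impact(self) -> int:
        # The worst of the three risk types drives the decision.
        return max(LEVEL[self.financial], LEVEL[self.brand], LEVEL[self.operational])

    def risk(self) -> int:
        return LEVEL[self.likelihood] * self.impact()

def decide(s: Scenario, tolerance: int = 3) -> str:
    """Map one scenario to accept / mitigate / mitigate and insure."""
    if s.risk() <= tolerance:
        return "accept"                # low-cost, bounded risk; tell the board
    if s.covered and LEVEL[s.financial] >= 2:
        return "mitigate and insure"   # a policy hedges financial loss only
    return "mitigate"

def build_register(scenarios, tolerance: int = 3):
    """Return (scenario, risk score, decision) rows, highest risk first."""
    rows = [(s, s.risk(), decide(s, tolerance)) for s in scenarios]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample scenarios for a hypothetical fund (not real data).
SAMPLE = [
    Scenario("random attacker", "phishing email", "employee W-2 data",
             "high", "medium", "high", "low", covered=True),
    Scenario("employee (accidental)", "lost laptop", "customer records",
             "medium", "medium", "high", "low", covered=False),
    Scenario("random attacker", "ransomware via email", "workstations",
             "medium", "low", "low", "low", covered=False),
    Scenario("focused attacker", "social engineering call", "ACH details",
             "medium", "high", "medium", "medium", covered=True),
]

if __name__ == "__main__":
    for s, score, action in build_register(SAMPLE):
        print(f"{score:>2}  {action:<20} {s.who} via {s.how} -> {s.asset}")
```

Raising `tolerance` accepts more scenarios, so the value chosen is the fund's documented risk tolerance and belongs in the record shown to the board.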
Whether considering regulatory concerns, operational best practices or cybersecurity strategy, investors are demanding greater transparency and taking a much closer look at fund management than ever before. How you address these issues will directly affect your ability to raise capital.
For a deeper dive on these issues, listen to our webcast Impact of cybersecurity risks on capital raising efforts.