Asset management outlook

Upping the regulatory ante for asset managers

Regulatory and policy changes are now part of business as usual

May 02, 2023

Key takeaways

The SEC’s proposed rules on outsourcing and cybersecurity are inextricably linked.

Registered investment advisers will need to actively manage outsourced parties.

RIAs and investment funds should start assessing their cybersecurity policies and procedures.

As outsourcing options proliferate, many organizations are increasing the depth and breadth of their use of third-party service providers. For asset management firms, using third-party providers can free them up to focus on their core competency of working directly with their clients and managing assets.

Almost every function that a registered investment adviser (RIA) performs can be outsourced, which means that many of the internal controls and processes used to conduct their business and comply with contract requirements and regulations now reside outside their purview. RIAs increased their outsourcing of investment management activities to 32% in 2022 from 27% in 2020, according to a 2022 report from FlexShares and Northern Trust.

The increased use of third parties also increases the risk of cybersecurity incidents. It’s no surprise that the cyber insurance market is expected to grow from approximately $8.5 billion in 2021 to $14.8 billion in 2025, according to Cybersecurity Ventures. We also note investment in cybersecurity companies steadily increased with the shift to working from home brought on by the pandemic.

Two proposed rules, inextricably linked

Citing the increased use of outsourcing activities by RIAs, the U.S. Securities and Exchange Commission has proposed a rule on the use of service providers. Based on the increased dependence on technology by advisers and funds, the SEC has also proposed rules to strengthen investment advisers' cybersecurity practices. The outsourcing rule is expected to be finalized in 2023, while the cybersecurity rules are expected to be finalized in 2024 at the earliest.

The SEC’s outsourcing rule would require RIAs to formalize their activities around their use of third-party service providers. Specifically, the rule would prohibit registered advisers from outsourcing "covered functions" to service providers that do not meet minimum SEC requirements. Covered functions are defined as those that are necessary for the adviser to provide services in compliance with federal securities law and that, if performed inadequately, could have a material negative impact on the client or adviser. They may include services such as portfolio management, regulatory compliance, accounting and valuation. The proposed rule would require advisers to:

  • Perform due diligence on a service provider, monitor its performance, and reassess it for retention purposes
  • Maintain books and records related to due diligence and monitoring, and monitor third-party record-keepers to ensure they meet required record-keeping standards
  • Report service providers on SEC Form ADV

TAX TREND: Outsourcing

Tax departments in middle market companies are commonly strained by a variety of challenges, including difficulty finding qualified professionals, new compliance requirements resulting from frequent regulatory changes, and headcount needed to cover numerous jurisdictions. A company that outsources or co-sources its tax function can augment the strengths of its in-house resources with manpower and technology without having to add full-time employees.

The SEC has also proposed new cybersecurity risk management rules that would require "advisers and funds to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks." If adopted, the rules would require registered advisers to:

  • Implement comprehensive written policies and procedures to address cybersecurity risks, review such policies at least annually, and maintain records of the annual reviews
  • Cite cybersecurity risks and incidents in disclosure documents for existing and prospective clients
  • Report significant cybersecurity incidents in new SEC Form ADV-C
  • Engage fund boards in the oversight of the registered fund's cybersecurity policies and procedures

The SEC’s proposed rules on outsourcing and cybersecurity are inextricably linked. Engaging a third party increases cybersecurity risks, and outsourced service providers fall within the scope of the cybersecurity rules. In its 2023 examination priorities, issued in February, the SEC stated that its information security and operational resiliency examination would focus on "cybersecurity issues associated with the use of third-party vendors."

Middle market asset management leaders must be ready for these likely changes. Given the increased use of third-party providers and the cybersecurity risks involved, we expect regulatory scrutiny to continue.
Nelly Montoya, financial services senior analyst, RSM US LLP

While they have yet to be finalized, both sets of proposed rules require that investment advisers tailor their outsourcing and cybersecurity programs to the adviser’s own "facts and circumstances." Here are a few considerations to get ahead of the rules:

  • The outsourcing rule effectively calls for having a robust vendor management program, similar to an internal audit function. RIAs will need to actively manage outsourced parties from initial contract through termination of the business relationship. This may mean developing a monitoring program that includes people, process and technology to manage third-party providers.
  • For the proposed cybersecurity rules, RIAs and investment funds should start assessing their cybersecurity policies and procedures and:
    • Consider what resources (in terms of time and budget) and people (such as those in the chief information security officer, chief technology officer, chief compliance officer and chief information officer roles) will be needed to implement the proposed requirements
    • Discuss and reach a consensus on what a "significant cybersecurity incident" means to their organization
  • Consider any changes needed in the current team and governing board for both sets of proposed rules. RIAs often run lean operations and may need to supplement in-house talent to run both programs effectively.

Middle market asset management leaders must be ready for these likely changes. Given the increased use of third-party providers and the cybersecurity risks involved, we expect regulatory scrutiny to continue. Streamlining processes and operations and leveraging technology will be imperative to survive and thrive in this environment.

Brian Lane, a senior director at RSM US LLP, contributed to this report.
