OCIE Issues Ransomware Risk Alert and Creates Event and Emerging Risk Examination Team
On July 10, 2020, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a risk alert noting the increasing sophistication of ransomware attacks on SEC registrants and service providers to SEC registrants and then, on July 28, announced the creation of the Event and Emerging Risks Examination Team (EERT) as a part of OCIE.
The risk alert is notable for its encouragement of financial services market participants more broadly, and not just SEC registrants, to monitor Cybersecurity and Infrastructure Security Agency (CISA) alerts and for the specificity of the cybersecurity measures OCIE includes as recognized defenses to current ransomware threats. Although this latest risk alert reiterates OCIE’s January 2020 observations in its treatment of incident response, access management, and training and awareness as key cybersecurity measures to combat ransomware, OCIE has provided additional, more detailed observations on operational resiliency, vulnerability scanning and patch management, and perimeter security. This enhanced specificity in response to the specific threat of ransomware may assist financial services market participants in confirming that their information security program and anti-malware defenses are attuned to industry standards—as observed by OCIE—to defend against the troubling spate of recent ransomware attacks.
The EERT will examine, monitor, and engage with registrants to combat emerging threats and current market events to provide oversight to firms facing such risks or events and to help the SEC be well positioned to respond to significant market events or issues with systemic impact.
Consistent with SEC statements on the technological interdependence of the financial markets, both the ransomware risk alert and the creation of the EERT appear to acknowledge those practicalities and how that risk can be exacerbated by emerging threats, including cybersecurity events or other operational resiliency concerns.
SEC Issues Supplemental Guidance on Proxy Voting Responsibilities of Investment Advisers
On July 22, 2020, the SEC issued supplementary guidance for registered investment advisers to satisfy their proxy voting responsibilities pursuant to their fiduciary duty and Rule 206(4)-6 of the Investment Advisers Act of 1940. This latest guidance supplements the SEC’s prior guidance issued in August 2019 and is intended to address the SEC’s latest amendments to the proxy solicitation rules under the Securities Exchange Act of 1934, which were also adopted on July 22. Among other things, the supplementary guidance addresses how investment advisers should account for new information during the proxy voting process and proper policies when using automated voting services.
Learn more in our advisory: SEC Approves Proxy Voting Advice Amendments & Investment Adviser Guidance
SEC Adopts Amendments to Expedite Exemptive Applications
On July 6, 2020, the SEC issued a final rule to establish an expedited review procedure for exemptive applications under the Investment Company Act of 1940. Expedited review will now be available for applications that are substantially identical to at least two other applications when an order granting relief has been issued within the last three years. Generally, qualifying applications will receive notice of intent to grant the requested relief within 45 days from the date of filing. Additionally, the SEC has established an internal timeframe of 90 days to take action on applications that do not qualify for expedited review.
SEC Proposes Increase in Form 13F Reporting Threshold
On July 10, 2020, the SEC proposed several amendments to Rule 13f-1 of the Exchange Act, the most notable of which would increase the Form 13F reporting threshold from $100 million to $3.5 billion. The proposed increase is the first adjustment to the Form 13F reporting threshold since it was initially adopted in 1978 and is intended to account for inflation and growth in U.S. equities over the past 40 years. The proposed amendments would also require SEC staff to review the Form 13F reporting threshold every five years. If adopted, the proposed amendments should provide significant regulatory relief to smaller managers; however, larger managers that meet the reporting threshold will no longer be able to omit certain smaller positions (e.g., certain holdings of less than $200,000 aggregate fair market value).
CFTC Extends Fingerprint Relief
On July 17, 2020, the Commodity Futures Trading Commission (CFTC) announced that “in light of the continuing challenges resulting from the COVID-19 (coronavirus) pandemic,” it is extending the relief in CFTC Staff Letter No. 20-16 until September 30, 2020, or earlier if the National Futures Association (NFA) resumes processing fingerprints. Subject to the conditions in the staff letter, fingerprint cards for newly listed principals or applications for associated persons registration need not be submitted. The NFA is also extending parallel relief under its original Notice to Members I-20-20. Note, fingerprints must be submitted to the NFA within 30 days of the NFA’s resumption of fingerprint processing.
On July 10, 2020, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a risk alert noting the increasing sophistication of ransomware attacks on SEC registrants and service providers to SEC registrants and then, on July 28, announced the creation of the Event and Emerging Risks Examination Team (EERT) as a part of OCIE.
The risk alert is notable for its encouragement of financial services market participants more broadly, and not just SEC registrants, to monitor Cybersecurity and Infrastructure Security Agency (CISA) alerts and for the specificity of the cybersecurity measures OCIE includes as recognized defenses to current ransomware threats. Although this latest risk alert reiterates OCIE’s January 2020 observations in its treatment of incident response, access management, and training and awareness as key cybersecurity measures to combat ransomware, OCIE has provided additional, more detailed observations on operational resiliency, vulnerability scanning and patch management, and perimeter security. This enhanced specificity in response to the specific threat of ransomware may assist financial services market participants in confirming that their information security program and anti-malware defenses are attuned to industry standards—as observed by OCIE—to defend against the troubling spate of recent ransomware attacks.
The EERT will examine, monitor, and engage with registrants to combat emerging threats and current market events to provide oversight to firms facing such risks or events and to help the SEC be well positioned to respond to significant market events or issues with systemic impact.
Consistent with SEC statements on the technological interdependence of the financial markets, both the ransomware risk alert and the creation of the EERT appear to acknowledge those practicalities and how that risk can be exacerbated by emerging threats, including cybersecurity events or other operational resiliency concerns.
SEC Issues Supplemental Guidance on Proxy Voting Responsibilities of Investment Advisers
On July 22, 2020, the SEC issued supplementary guidance for registered investment advisers to satisfy their proxy voting responsibilities pursuant to their fiduciary duty and Rule 206(4)-6 of the Investment Advisers Act of 1940. This latest guidance supplements the SEC’s prior guidance issued in August 2019 and is intended to address the SEC’s latest amendments to the proxy solicitation rules under the Securities Exchange Act of 1934, which were also adopted on July 22. Among other things, the supplementary guidance addresses how investment advisers should account for new information during the proxy voting process and proper policies when using automated voting services.
Learn more in our advisory: SEC Approves Proxy Voting Advice Amendments & Investment Adviser Guidance
SEC Adopts Amendments to Expedite Exemptive Applications
On July 6, 2020, the SEC issued a final rule to establish an expedited review procedure for exemptive applications under the Investment Company Act of 1940. Expedited review will now be available for applications that are substantially identical to at least two other applications when an order granting relief has been issued within the last three years. Generally, qualifying applications will receive notice of intent to grant the requested relief within 45 days from the date of filing. Additionally, the SEC has established an internal timeframe of 90 days to take action on applications that do not qualify for expedited review.
SEC Proposes Increase in Form 13F Reporting Threshold
On July 10, 2020, the SEC proposed several amendments to Rule 13f-1 of the Exchange Act, the most notable of which would increase the Form 13F reporting threshold from $100 million to $3.5 billion. The proposed increase is the first adjustment to the Form 13F reporting threshold since it was initially adopted in 1978 and is intended to account for inflation and growth in U.S. equities over the past 40 years. The proposed amendments would also require SEC staff to review the Form 13F reporting threshold every five years. If adopted, the proposed amendments should provide significant regulatory relief to smaller managers; however, larger managers that meet the reporting threshold will no longer be able to omit certain smaller positions (e.g., certain holdings of less than $200,000 aggregate fair market value).
CFTC Extends Fingerprint Relief
On July 17, 2020, the Commodity Futures Trading Commission (CFTC) announced that “in light of the continuing challenges resulting from the COVID-19 (coronavirus) pandemic,” it is extending the relief in CFTC Staff Letter No. 20-16 until September 30, 2020, or earlier if the National Futures Association (NFA) resumes processing fingerprints. Subject to the conditions in the staff letter, fingerprint cards for newly listed principals or applications for associated persons registration need not be submitted. The NFA is also extending parallel relief under its original Notice to Members I-20-20. Note, fingerprints must be submitted to the NFA within 30 days of the NFA’s resumption of fingerprint processing.