Cyber Security and the Investment Industry

    Author Archives: kmco

    Cyber Security and the Investment Industry

    Cyber security has been a buzzword in business for a number of years. It is especially buzzworthy in the investment industry, where investor protection is of paramount importance.

    The New York Department of Financial Services (NYDFS) made recent headlines with its first-in-the-nation cyber security regulation, which went into effect in March. The regulation requires a set of minimum standards regarding the establishment and maintenance of a cyber security program for banks, insurance companies, and other financial service institutions regulated by the NYDFS, with protection of consumers’ private data in mind.

    The NYDFS is not alone in its focus on cyber security. Earlier this year, the U.S. Securities and Exchange Commission (SEC) announced that cyber security would once again be on the 2017 priority list for the Office of Compliance Inspections and Examinations (OCIE). The Financial Industry Regulatory Authority (FINRA) also included cyber security on its 2017 priorities list.

    The regulatory agencies have good reason for shining a spotlight on the issue. In recent years, a large investment adviser agreed to pay a $1 million penalty to settle charges related to failures to protect customer information and other investment advisers have also agreed to penalties for violations of Rule 30(a) of Regulation S-P (known as the “Safeguards Rule”).

    Going forward, OCIE and FINRA examinations will likely place a greater focus on cyber security compliance procedures and controls, as well as testing the implementation of those procedures and controls. Two specific rules the regulatory agencies will likely focus on are Regulation S-P and Regulation S-ID:

    Regulation S-P (17 CFR §248.30)

    • Policies and procedures play a critical role in cyber and information security. The SEC will now require organizations to adopt cyber security policies and procedures within their risk management programs that specifically address areas such as technology governance, system change management, risk assessments, technical controls, incident response, vendor management, data loss prevention, and staff/end user training.

    Regulation S-ID (17 CFR §248.201-202)

    • This SEC rule applies to the detection, prevention, and mitigation of identity theft. The SEC will now require organizations to proactively monitor, detect, and respond to cyber security incidents and breaches.

    In addition to Regulations S-P and S-ID, the Securities and Exchange Act of 1934 requires firms to preserve electronic records in specific formats. These regulations, amongst others, will be crucial aspects of OCIE and FINRA examinations.

    While the above list is a small subset of the regulations, it is important for businesses to understand that regulators are moving from cyber security controls as “best practices” to mandatory requirements for how businesses need to handle their cyber security posture. Investment advisers, broker-dealers, and other firms in the investment industry should expect cyber security preparedness to remain on the agenda.

    As more organizations adopt cyber security into their business process, the National Institute of Standards and Technology (NIST) has created a cyber security framework to aid organizations in addressing their cyber security posture. Firms may want to consider reviewing the NIST framework and comparing it to their own policies and procedures.

    We would be pleased to provide further information related to this subject. For more information, contact Craig B. Evans, Director, Audit & Accounting at cevans@kmco.com or Charles Sgrillo, Senior IT Security Specialist, Technology Solutions Group at csgrillo@kmco.com.

    Newsletter subscription

    You may also like:

    The Securities and Exchange Commission Shortens Settlement Cycle

    On March 22, 2017, the Securities and Exchange Commission (SEC) adopted an amendment to shorten the standard settlement cycle by one business day. Before this amendment, the execution, confirmation, clearance, and settlement would need to be completed in a three day cycle (T+3). This amended rule will apply to all transactions currently covered by the T+3 settlement cycle. These include transactions for stocks, bonds, municipal securities, exchange-traded funds, certain mutual funds, and limited partnerships that trade on an exchange.

    This change was the result of new technology, products, and growing trade volume. It is believed that the shortening of the settlement cycle will lead to increased efficiency and reduce risk for the end investor by reducing the exposure to broker-dealer default prior to settlement. It will allow for investors to have more timely access to funds after executing a sale. On the flip side, it will also require a quicker payment for securities purchased.

    With the implementation of the accelerated settlement cycle, firms should review their policies and procedures to see how the change in the settlement cycle will impact their operations.

    Broker-dealers will be required to comply with the amended rule beginning on Sept. 5, 2017.

    To assist broker-dealers, other securities professionals, and the investing public in their preparation for the implementation of a T+2 settlement cycle, the Commission has established an e-mail address – T2settlement@sec.gov – for the submission of inquiries to SEC staff.

    We would be pleased to provide further information related to this subject. For more information, contact Frank L. Varanavage, Manager, Audit & Accounting at fvaranavage@kmco.com

    Newsletter subscription

    You may also like:

    Kreischer Miller Presenting at 2nd Annual NYSSA GIPS Forum

    Second Annual NYSSA GIPS Forum

    May 17, 2017
    3:00PM – 8:30PM
    NYSSA Conference Center
    New York, NY

    To date, more than 1,200 firms have registered with the CFA Institute as claiming compliance with the GIPS Standards. This event will provide a forum in New York to discuss the most recent developments in the GIPS standards and share views on the challenges and opportunities of their implementation. The Forum will feature GIPS experts from the CFA Institute, GIPS committees, asset owners, and asset management firms and will rely on the active participation of the attendees for an exchange of ideas and to identify solutions for current implementation questions.

    Kreischer Miller director Thomas Peters will be speaking on a panel about the GIPS Technical Update at the Forum. We hope to see you there.

    More details about the Second Annual NYSSA GIPS Forum.

     

    Kreischer Miller Exhibiting at PMAR XV

    The Journal of Performance Measurement’s 15th Annual Performance Measurement, Attribution & Risk Conference
    PMAR XV

    May 9-10, 2017
    Hyatt Jersey City
    Jersey City, NJ

    Each year, the PMAR conference provides an opportunity for performance measurement professionals to learn about recent developments in performance, attribution, risk, and GIPS, as well as network with peers and gain new insights and solutions.

    Kreischer Miller will once again be exhibiting at this year’s PMAR Conference. Stop by and see us!

    More details about PMAR XV.

     

    Financial Industry Insights Over Lunch

    Tuesday, December 6, 2016
    11:30 AM – 3:30 PM
    Chubb Conference Center in Lafayette Hill, PA

     

    Join us for financial industry insights over lunch.
    Kreischer Miller and Cipperman Compliance Services invite you to get answers to your regulatory questions, participate in a valuable interactive discussion, and enjoy lunch with us at the Chubb Conference Center.
    Scheduled speakers include:
    • Thomas Peters, Director, Audit & Accounting, Kreischer Miller
    • Todd Crouthamel, Director, Audit & Accounting, Kreischer Miller
    • Richard Nelson, Director, Tax Strategies, Kreischer Miller
    • Todd Cipperman, Principal, Cipperman Compliance Services
    Program details:
    • Part 1: Todd Cipperman will assess the most impactful regulatory developments of 2016
    • Part 2: Richard Nelson will speak on recent tax developments and early thoughts on the election results
    • Part 3: Todd Crouthamel will touch on the question, “Are you prepared for greater fee scrutiny?”
    • Part 4: Thomas Peters will address where the standards are heading in regards to GIPS 2020
    A brief Q&A will follow.
    Please feel free to invite a colleague or friend to this event.

    Newly-Adopted SEC Amendments Require Increased Recordkeeping Obligations for Investment Advisers

    On August 25, 2016, the Securities and Exchange Commission (SEC) issued Release No. IA-4509 which adopted amendments that impact Form ADV requirements and various Investment Advisers Act rules. These amendments require additional, enhanced information relating to investment advisers’ separately managed accounts (SMAs), make clarifying and technical changes for other Form ADV items, and increase recordkeeping obligations for investment advisers.

    Form ADV is used by investment advisers to register with both the SEC and state securities authorities. The amendments to Form ADV primarily surround the disclosures and transparency related to separately managed accounts. The amendments require more in depth disclosures for borrowings, the usage of derivatives, asset allocation within SMAs, the use of social media, and level of information available for adviser office locations outside of the primary headquarters. For a full listing of amendments made to Form ADV, please refer to the Commission’s website.

    The SEC believes these enhancements will improve the depth and quality of information collected and facilitate their risk monitoring initiatives. In addition, current and prospective clients may use this information to learn more about investment advisers and make more informed decisions regarding the selection of investment advisors.

    Separate from Form ADV, the SEC is adopting two amendments to the Investment Advisers Act books and records rule, specifically rule 204-2(a)(16) and Rule 204-2(a)(7). These amendments increase the recordkeeping requirements for investment advisers surrounding investor performance materials and forms of written communication. Investment advisers were previously required to be registered with the SEC and maintain records of distributed performance materials when circulated to 10 or more parties. The amended Rule 204-1(a)(16) removes the 10 party requirement and mandates that investment advisers maintain these materials for all instances of distribution. Materials in scope were previously set forth as a requirement within Rule 204-2(a)(16), and will remain unchanged. In addition to the amended rule removing the 10 party requirement, the amended Rule 204-2(a)(7) requires the investment adviser to maintain all written communications received and sent relating to the performance or rate of return of any or all managed accounts or securities recommendations in their original form.

    The SEC believes these records will be useful in examining and evaluating adviser performance claims. Investors will benefit to the extent that the amendments reduce the incidence of misleading or fraudulent advertising and communications.

    The SEC also adopted amendments to remove rules relating to transitionary periods for exemption periods that have already passed but were not previously amended.

    The effective date for the aforementioned rule changes will be 60 days after publication in the Federal Register. Advisers will need to be in compliance with these amendments by October 1, 2017.

    We would be pleased to provide further information related to this subject. For more information, contact Eric Levandowski, Senior Accountant, Audit & Accounting at elevandowski@kmco.com.

    Newsletter subscription

    You may also like:

    Recently-Proposed SEC Rule Regarding Business Continuity and Transition Plans to Address Operational Risks

    On June 28, 2016, the Securities and Exchange Commission (SEC) proposed a rule that would require all SEC-registered investment advisers to adopt and implement written business continuity and transition plans to address operational risks related to significant disruptions.

    The proposal seeks to address an investment adviser’s fundamental operational risks that are caused by internal and external business continuity events. Such risks could impact the ability of an adviser to continue operations, provide services to his or her clients, and potentially transition the management of accounts to another advisor. It is the SEC’s view that “as part of their fiduciary duty, advisers are obligated to take steps to protect client interests from being placed at risk as a result of the adviser’s inability to provide advisory services.” While many advisers have already taken steps to address and mitigate the risks of business disruptions, the SEC seeks to enhance this process with this proposal.

    Under the proposed rule, the written business continuity and transition plans would, at a minimum, include policies and procedures concerning the following:

    • Maintenance of critical operations and systems, and the protection, backup, and recovery of data;
    • Pre-arranged alternate physical location(s) of the adviser’s office(s) and/or employees;
    • Communications with clients, employees, service providers, and regulators;
    • Identification and assessment of third-party services critical to the operation of the adviser; and
    • Plan of transition that accounts for the possible winding down of the adviser’s business, or the transition of the adviser’s business to others in the event the adviser is unable to continue providing advisory service.

    While the plans should meet this established criteria, advisers would be permitted to tailor the details of their plans based on the risks associated with their particular business model, including size, technological infrastructure, nature, and complexity of operations.

    SEC-registered investment advisers would also be required to retain copies of plans that are in effect or were in effect for the past five years while also implementing an annual review on the adequacy and effectiveness of their plans. During this time, they would be expected to consider any changes to the adviser’s strategic, operational, and regulatory environment that might suggest a need to revise the plan. A formal record documenting this review would also need to be maintained.

    The proposed rule is still in the review period and is open for public comment. Overall, the SEC is seeking input on various aspects of the proposal, such as scope, clarification, cost, and benefit of implementation.

    Some specific topics that the SEC is looking for feedback on are as follows:

    • Instead of all SEC-registered advisers, should the SEC identify only a subset of SEC-registered advisers that must implement such plans? If so, which advisers should be in such a subset and why?
    • Should all applicable advisers be required to include each of the proposed components in a business continuity and transition plan, or should certain advisers be exempt from including certain components? If so, why?
    • Will the proposed rule have any other implications for investment advisers that are also subject to other regulatory requirements regarding business continuity and/or transition planning (e.g., FINRA or CFTC rules)?

    Comments are due by September 6, 2016.

    We would be pleased to provide further information related to this subject. Contact us at 215.441.4600 with questions or for more information.

     

    Newsletter subscription

    You may also like:

    June 30 Deadline to Submit GIPS Compliance Form

    The deadline for registering your firm’s GIPS compliance is fast approaching.

    All firms claiming compliance with the Global Investment Performance Standards (GIPS®) are required to submit a GIPS Compliance Form to the CFA Institute as a notification of compliance. This is an annual filing requirement and firms have until June 30th of each year to submit the GIPS Compliance Form based on information as of the preceding December 31st. Firms failing to submit the form in a timely fashion will no longer be in compliance with the GIPS Standards.

    In addition, verifiers are required to test that the firm has properly notified the CFA Institute during the verification process. Firms should review their policies and procedures to confirm that they include the process for the preparation, review, and submission of the notification as verifiers are required to check this as part of the verification process.

    The GIPS Compliance Form can be found here.

    We will be happy to provide further information relating to this subject. For more information, contact Josh E. Kramer, Senior Accountant, Audit & Accounting at jkramer@kmco.com. 

     

    Newsletter subscription

    Related Content:

    A Reminder of the Changes to the FASB Consolidation Model

    In the first quarter of 2015, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update (ASU) No 2015-02, Consolidation (Topic 810) – Amendments to the Consolidation Analysis. This ASU was issued to respond to concerns surrounding the current generally accepted accounting principles (GAAP) that may require a general partner to consolidate an investment fund in which the general partner has little equity, but directs the activities of the fund on behalf of the limited partners. Financial statement users felt that deconsolidated statements were needed to better analyze a reporting entity’s economic and operational results, and this ASU was adopted in response to these concerns.

    Overall, the amendments in the ASU are considered an improvement because they simplify existing GAAP and provide more meaningful information to the financial statement users, specifically:

    • The number of consolidation models will be reduced through the elimination of a prior statement (the indefinite deferral of 167)
    • More emphasis will be placed on risk of loss when determining a controlling financial interest
    • There will no longer be a sole focus to consolidate due to a fee arrangement with another entity
    • Should result in fewer consolidations of limited partners, making general partner financial statements more meaningful to the users

    As a reminder, the criteria to consolidate under the new consolidation model are focused on the Variable Interest Entity (VIE) model, or the Voting model. Under this model, entities must consider:

    • Whether there is a variable interest, or whether the value of an ownership interest, a contract, or other relationship changes as the fair value of the related asset changes. Specifically, consider fee arrangements where there are management and incentive fees that change as the underlying net assets of a fund change. The fee contract is considered a variable interest, unless exempted, as noted below.
    • Whether there is a VIE that focuses on the kick-out rights of the limited partners. Where a simple majority of limited partners have kick out rights, consolidation is not required.
    • Identification of the primary beneficiary includes the power to direct the VIE, and the obligation to absorb losses and receive benefits of the VIE that could potentially be significant to the VIE. The new consolidation model exempts fees received from the VIE if those fees are commensurate with the level of effort required to provide those services, and the contract for those fees includes only terms that are normally found in arrangements for similar services. This change will often result in the analysis for primary beneficiary being entirely based on the equity investment by the GP in the limited partnership.

    In regards to the Voting model for consolidation, the ASU eliminates the presumption that a general partner controls a limited partnership, and a general partner will not consolidate a partnership based on the voting model.

    The new consolidation model will be applied to public entities for fiscal years beginning after December 15, 2015, and for all other entities, for fiscal years beginning after December 15, 2016. Early adoption is permitted, and the effect of adoption is reflected as a cumulative-effect adjustment to beginning equity in the year of adoption.

    While it is anticipated that the changes to the FASB consolidation model will result in fewer consolidations, entities will be required to re-evaluate their consolidation considerations. With the effective dates drawing closer, entities may want to consider preparing for the changes that will be required to their accounting policies and documentation surrounding their consolidation considerations and conclusions. Entities may wish to begin considering the following:

    • Determining the population of entities that require consideration: The revised consolidation model applies to all legal entities, and there are specific examples in the ASU regarding series funds / trusts that will likely result in each series being evaluated.
    • Reviewing the rights of the limited partners: Under the new consolidation model, the rights of the limited partners (specifically kick-out rights) are an important factor in determining whether an entity should be consolidated. Those entities where limited partners have substantive kick-out rights would not be required to consolidate.
    • Revisiting fee arrangements: As noted above, fee arrangements can represent variable interests, and analysis of whether these fees are normally found in arrangement for similar services is required in order to exclude these fee arrangements from the consolidation analysis.
    • Revising accounting policies and related supporting documentation regarding consolidation under the new consolidation model.

    Evaluating and planning for these items now should help reduce the burden on accounting departments and eliminate surprises in the year of adoption.

    We will be happy to provide further information relating to this subject. For more information, contact Frank L. Varanavage at fvaranavage@kmco.com or 215.441.4600.

    Newsletter subscription

    You may also like:

    5 Important Internal Controls for Cash Disbursements

    Everyone has heard a story about a seemingly great employee who has worked in the business for many years, who would never do anything wrong, and who treats the business like his or her own. And yet, that person is discovered using the company’s checkbook to pay personal expenses.

    The common theme in these stories is that the businesses were lacking proper internal controls, designed to both prevent and detect misappropriation of cash through disbursements.

    Here are five items to consider when evaluating your internal controls over cash disbursements.

    1. Segregate duties. The foundation of a good internal control system is segregation of duties. The duties of authorization (signing a check or releasing a wire transfer), custody (having access to the blank check stock or the ability to establish a wire transfer), and recordkeeping (ability to record the transaction in the accounting system) should be separated so that one individual cannot complete a transaction from start to finish. The concept behind segregation of duties is that in order to misappropriate cash, individuals would have to collude, rather than one individual acting alone.

    For many businesses, proper segregation of duties can be difficult to achieve.  In these instances, company owners may want to consider the bank statements delivered to them unopened. The owners should then review the bank statements and the check images for any transactions that appear unusual, and follow up on these transactions to obtain an understanding of them.  This process alone has uncovered many situations like the one described above.

    2. Review authorized signors. Carefully consider who your authorized signors are (authorization of the transaction). Those individuals should not have access to the blank check stock (custody of the asset) nor the ability to enter the transaction into the accounting system (recording of the transaction). The use of a signature stamp, although efficient, may be problematic in that you must have separate controls to ensure that the stamp is not readily available for inappropriate use.

    3. Consider requiring dual signatures. Your company may also want to consider the use of dual signatures. A dual signature policy includes the establishment of a dollar threshold over which checks require two signatures. The utilization of dual signatures establishes an element of segregation of duties for disbursements over a specified threshold in that these disbursements require more than one individual to authorize the transaction.

    4. Remember the wire transfers. The use of wire transfers has increased significantly over the years, and segregation of duties around wire transfers is paramount. The responsibilities for establishing a wire transfer should be segregated from the responsibility of releasing the wire transfer. If this segregation is not possible, consideration should be given to using a call-back procedure, in which the financial institution will call a specified individual when a wire transfer is initiated. Most important, the call back cannot go to any individual who is able to initiate a wire transfer.

    5. Reconcile bank accounts in a timely manner. The bank reconciliation should be completed in a timely manner by someone who is independent of the cash disbursement process. The bank reconciliation should also include a review of the bank statement and the check images that are returned with the bank statement for unusual transactions. Any unusual items should be investigated and evaluated when necessary.

    It is never too late to review your internal controls. While processes often vary among companies, implementing the items in this checklist should significantly reduce the likelihood of your business becoming the subject of another one of those stories.

    We will be happy to provide further information relating to this subject. For more information, contact Todd E. Crouthamel at tcrouthamel@kmco.com or 215.441.4600.

    Newsletter subscription

    You may also like:

    Newsletter Signup

    Kreischer Miller

    100 Witmer Road,
    Suite 350
    Horsham, PA 19044
    215-441-4600

    Services

    About Us

    Resource Center

    Career Opportunities

    © Copyright 2025 Kreischer Miller IIG
    miller-designworks-logoWebsite Design & Development by