We write in support of the purpose and the direction of, while also providing specific comments and further recommendations with respect to, the abovementioned Proposed rulemaking to amend Form PF, the confidential reporting form for certain SEC-registered investment advisers to private funds to require current reporting upon the occurrence of key events and other requirements for advisers to certain types of funds, as published in 87 Federal Register 9106, dated February 17, 2022 (the “Proposed Amendments”) by the Securities and Exchange Commission, for which comments are requested by March 21, 2022.
I. Comments Focused on Proposed “Item H. Operations Event”
This comment letter focuses on the aspects of the Proposed Amendments which would require new and more timely reporting on events affecting the operation of the respective fund or its adviser, in particular in a new Item H regarding an Operations Event. In summary, while we believe the SEC should require the reporting of this type of operations event, we do not believe that such reporting should be incorporated within the broader proposed amendments to Form PF. Rather it would better further the policy interests of the SEC to require such incidents to be reported separately. Particularly to identify potential systemic risks, it would be better to align this reporting more with rapidly evolving incident reporting approaches for other SEC regulated entities, other U.S. financial services providers and critical infrastructure components, and under analogous regulatory requirements in other jurisdictions.
II. Summary of Conclusion and General Comments
We write in support of the revisions in the Proposed Amendments. This comment letter will provide more detailed comments on the following aspects.
- Operations events should be the subject of reporting, including because they can have systemic risk implications.
- The SEC as well as other financial regulators are working to increase and formalize reporting requirements for incidents and operations events in shorter time periods.
- Such reporting requirements are part of broader emphasis on such reporting for U.S. critical infrastructure, as well as in foreign jurisdictions.
- The reporting of operations events is unlike the broader categories of proposed expanded Form PF reporting in terms of content, time relevance, parties involved, etc.; and integration of this information within Form PF would complicate future efforts to harmonize aspects of reporting to better understand and react to potential systemic risks.
- It is important to continue to emphasize that operations events go beyond cybersecurity incidents.
- To be effective, entities directly regulated by the SEC and subject to reporting requirements will need to obtain, at least as contractually agreed, timely notifications from their service providers, including through subcontractor chains.
- Shared solutions are appropriate and can be viable, effective, and efficient not only at the level of due diligence, but throughout the risk management life cycle, and in reporting among counterparts, or on behalf of regulated entities directly to the SEC or other regulator.
III. About the Commentators
This comment is submitted by CRINDATA, LLC, (www.CRINDATA.com) which offers solutions to financial institutions for managing operational risk in their reliance on third party service providers. Underlying many aspects of the Proposed Amendments is the structural framework under which a reporting fund must rely on an adviser as well as a range of distinct service providers in order to operate.
CRINDATA offers cloud-based solutions to financial institutions that must pro-actively manage their critical third-party relationships (including their indirect relationships with subcontractors) and must prepare for and mitigate business disruptions and cybersecurity events originating anywhere in the chain of service providers and subcontractors. Concurrently, CRINDATA helps third party service providers such as custodians, core systems, payments providers, and transaction monitoring solutions by substantially simplifying the due diligence interactions with financial services companies and by providing a compliant, common platform and communications channel to manage business disruptions and cybersecurity events when they occur. The platform serves needs across multiple jurisdictions that apply similar, evolving risk management principles. The authors of this comment letter are CRINDATA’s co-founders, Mark Stetler and James H. Freis, Jr. Mr. Freis, as the primary author, draws upon his experience working together with the SEC while serving as Director of the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN), and in a range of other roles on behalf of government and private sector groups including SEC-regulated entities.
IV. Operations Events – Trend towards incident reporting and opportunity to promote further harmonization; not to include in Form PF
We believe it a very important step for the SEC to require the concept underlying proposed section 5, Item H, for an adviser to report when the adviser or reporting fund experiences a significant disruption or degradation of the reporting fund’s key operations, whether as a result of an event at the reporting fund, the adviser, or other service provider to the reporting fund. This would further the goals underlying the expansion of reporting following the Dodd-Frank Act, and the policy goals of investor protection and mitigation of systemic risks. To be clear, operational events can have systemic risk implications.
Such reporting would be consistent with other SEC initiatives. Reference is made to the notification requirements under the Securities and Exchange Commission’s (SEC) Regulation Systems Compliance and Integrity (Regulation SCI) which was developed, inter alia, in light of the dependency of the securities markets on evolving technology and vulnerabilities to outages including in connection with cyberattacks. Notably, a covered entity is required both to make an “immediate” notification to its Federal regulator of an incident; followed within 24 hours on a “good faith, best efforts basis” by a notification of event and assessment to the extent available at that time; and at later times more detailed impact assessments. More recently, the SEC has published for comment a proposed rule that would include new reporting requirements for the subset of operations events that are significant cybersecurity incidents, by investment advisers, registered investment companies, and business development companies.
Particularly instructive for the SEC, and essential for efforts of the Financial Stability Oversight Council to monitor potential systemic risks, should be the new reporting requirement by the U.S. Federal Banking Agencies – the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Federal Deposit Insurance Corporation. That final rule will require a banking organization to notify its primary Federal regulator of any ‘‘computer-security incident’’ that rises to the level of a ‘‘notification incident,’’ as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. The final rule also requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours. Regulated entities as well as their service providers are currently preparing for implementation of that new rule with effective date of April 1, 2022 and compliance date of May 1, 2022.
The trend to require additional reporting of incidents or operations events will only continue. On March 15, 2022, the President signed into law the Consolidated Appropriations Act, 2022. That broader appropriations law also contains the ‘‘Cyber Incident Reporting for Critical Infrastructure Act of 2022,’’ which authorizes rulemaking for incident reporting across a broad range of actors (including components of the financial sector) and calls for coordination with any analogous reporting requirements by other government agencies. Other jurisdictions are following analogous paths to mandate incident reporting. One prominent example is the European Union’s proposed Digital Operational Resilience Act (DORA), for which a revised proposal after a round of public consultation is expected soon.
This broader context should be understood as strong support for the policy goal of the SEC requiring additional reporting of relevant operations events, and for moving forward with the rule without delay. That notwithstanding, the broader trend towards such reporting also emphasizes the difference between this aspect of reporting and the other financial and operational details that the SEC requires currently and would expand through the proposed amendments to Form PF. Implementing such changes as part of Form PF not only appears out of place, but would make more difficult the goals sought by the SEC and a range of other government entities to obtain, and be able to share, information about incidents and indicators of systemic risks; it would also raise the complexity and costs for the regulated industry and make it more difficult to notify reportable incidents in a timely manner. One of the reasons for this is that the parties involved in reportable incidents will often include broader IT service providers and sub-contractors that are not specifically focused on the regulatory matters otherwise addressed in the Proposed Amendments to Form PF; rather, an operations event or incident affecting an entity such as a cloud services provider could in the future trigger reporting to a broad range of government entities, directly or indirectly through the affected chains of customers.
V. Specific Comments and Responses to Request for Comment Questions
The following provides specific comments on the proposed current report in section 5, Item H regarding an “Operations Event.”
40. Will this proposed reporting requirement provide us with notice of operations events that may have serious implications for the fund, its investors, and financial stability?
Yes. Please see above regarding the importance of this type of reporting regarding operations events, but with a recommendation that it be required separate from Form PF.
41. Does the definition of ‘‘operations event’’ provide a clear, objective trigger for reporting? Would advisers be able to assess this during an operations event? We proposed a principles-based approach for reporting of an operations event that is a ‘‘significant’’ disruption or degradation of the adviser’s operations and for operations that are reasonably measurable, we would view a 20 percent disruption or degradation of normal volume or capacity as ‘‘significant.’’ Are we correct that certain disruptions may not be quantifiable? Do commenters agree that a 20 percent disruption or degradation of normal volume or capacity indicates that an event is ‘‘significant?’’ Should the reporting event include a time frame to measure a 20 percent disruption or degradation? If so, what time frame? Should it be over one business day or over one month? Do advisers’ compliance programs typically include benchmarks that could be used to measure a 20 percent disruption or degradation? Are there other potential approaches for an operational events trigger?
The definition and this question include multiple different aspects as to the nature of an event requiring reporting, and also to a materiality threshold.
- With respect to operations event, we suggest that in addition to the definition it is useful to provide and continually update examples in guidance with respect to reportable incidents. That notwithstanding, a general principle should prevail in that it is an aspect that meets any of the following requirements: (i) impairs the operation of the fund, including the risk of operational loss—this is included in the first three boxes under proposed 5-29; (ii) negatively impairs investors in a fund (for example, an operational incident that prevents withdrawal might not impact the fund itself but has a negative liquidity impact on an investor) — this is not included in proposed 5-29; (iii) or causes the failure to meet regulatory requirements such as ongoing risk management monitoring (regardless of whether a risk materializes, this may include the absence of a risk mitigation tool) — this is included in the fourth box under proposed 5-29.
- As to the materiality threshold, we agree that it is useful to require that the disruption be “material” or “significant”. We do not believe, however, that a numerical threshold such as 20% is useful for a fund or an adviser. In the nature of the business, an operations event such as the failure of a system is likely on/off, black/white, and it does not help, certainly not in terms of timely reporting of an incident, to expect a numerical threshold such as might be the case in other reporting areas, for example a market value movement of certain assets by 20%. In a large broker-dealer, it might be possible to apply such a threshold, for instance if a pandemic caused 20% of staffing in a control division to be unavailable, but this hardly appears relevant for a fund or adviser.
- Regarding timeliness, it is recommended that the SEC adopt a provision similar to that of the new rule by the Federal Banking Agencies, under which the trigger is an operations event that lasts, or is reasonably likely to last, four or more hours (or alternatively a business day). The issue is that there is a disruption; it is unlikely to be useful, and rather is counterproductive to timely reporting, to try to project the timing over a longer period such as a month. Moreover, timely initial reporting of an operations event does not lend itself to a numerical percentage threshold.
42. Are we correct in our understanding that many large hedge fund advisers maintain sophisticated back office operations or already engage service providers that would be reasonably able to measure whether an event has impaired their key operation beyond a 20 percent threshold? Are there any other objective measures gathered by advisers or their service providers that could be utilized as a trigger for this reporting event?
As per the response to question 41, it is unlikely that this would be effective. A more objective trigger for service providers would be the failure to provide the services as agreed for a minimum period of time. Since service availability is a common element of a Service Level Agreement, it is commonly measured and monitored.
43. Will the checkboxes provided to describe the circumstances of the ‘‘operations event’’ provide us with sufficient detail regarding the operational issue and its potential severity? Should we amend, add, or remove any of the check boxes? Is the check box for force majeure events appropriate, or does it have the potential to cause numerous notifications during certain widely applicable disaster events like a pandemic or large hurricane?
The checkboxes proposed are similar to elements in other incident or operations event reporting of an initial report, but do not lend themselves to ongoing updates or more detailed reporting. Again, this suggests that it is not prudent to attempt to include this class of reporting within Form PF.
As to different aspects:
- Date and time of first occurrence and of discovery are common reporting elements. (Time of day might be relevant, for example if during trading hours.) A third date/time element should be included as to when the event or incident is materially mitigated.
- The category of whether an event occurred internally, at a specific service provider (see also next question) or externally is important.
- Reporting of force majeure events is important. There is no reason to assume in the modern age that institutions would be affected similarly by all but the most calamitous force majeure events. For example, a flood might only impact a tenant having a computer system in a lower level, or not at all if the data is processed by a cloud provider.
44. Should we require an adviser to indicate whether the operations event is caused by a service provider and require the adviser to provide information regarding the service provider, as proposed? Should we define the term ‘‘service provider’’ for these purposes? Should we require reporting only for those service providers listed in Form ADV, Schedule D for the private fund? Are there some operations events that could be caused by a third party that is not a service provider to the reporting fund or adviser? If so, should we require an adviser to provide information regarding such a third party?
It is essential to include service providers in order to fulfill the purpose of such reporting. It appears to be less important to define “service provider” than to make clear that a negative impact on operations should be reported regardless of whether the affected function is performed in-house or by a third party service provider.
It is not sufficient to include only the service providers in Form ADV, Schedule D (auditor, prime broker, custodian, administrator) for the private fund. The failure of other IT service providers of the fund, or of sub-contractors or sub-outsourcers of the Schedule D delineated entities, could cause a material disruption.
One of the most important lessons which the SEC could draw from the new incident reporting rule of the Federal Banking Agencies, is that incident requirements should be implemented through the regulated entity to all relevant entities, including outsourcing or subcontractor chains, to any entity for which a disruption could have a material negative impact on the regulated entity. Even if the SEC does not have direct regulatory authority over such third party service providers (such as that granted to the Federal Banking Agencies under the Bank Service Company Act), the SEC could impose expectations that its regulated entities contractually agree with relevant service providers to inform them of incidents, disruptions or operations events likely to lead to reportable events. This is a longstanding best practice across regulated entities in multiple jurisdictions.
Finally, it is relevant, as proposed, that the reporting with respect to service providers include the full legal name, a unique identifier such as an LEI where available, and the class of affected services. This information is essential to the ability of the SEC to quickly identify potentially systemic risks, in terms of a service provider to multiple industry participants. Such reporting solutions are reasonably available, including offerings by CRINDATA, which can be seen at www.crindata.com.
45. Should we define ‘‘key operations’’ as proposed? Are there any activities that we should add or delete from the definition? For example should key operations also include the operation of the reporting fund in accordance with major contractual commitments to the reporting fund’s investors and/or counterparties? For example, should it be considered a significant disruption or degradation of key operations if an issue at a service provider degrades the fund’s ability to measure its positions or communicate certain information to counterparties pursuant to contractual notice terms?
We suggest that the key operations should include servicing investors, as also mentioned in response to question 41.
46. As an alternative to defining ‘‘operations event’’, should we require current reporting by advisers whenever they initiate a business continuity plan? Would the initiation of a business continuity plan be a simpler trigger to apply? Would the initiation of a business continuity plan as a reporting event result in too many current reports about events that could not lead to investor harm or systemic risk? Would it miss important operations events that could lead to investor harm or systemic risk? Should we be concerned that advisers might delay initiating a business continuity plan so as to avoid reporting?
The triggering of a business continuity plan per se does not appear to be a good proxy for the information otherwise sought in the rule. Such a trigger could be either under-inclusive or over-inclusive, depending for example on whether successful operation of the business continuity plan mitigates the risk. It would be better to include the effect of a business continuity plan or other contingency measure in mitigating risks, where available in initial reporting, but also as part of reporting updates over time.
47. Should we require an adviser to indicate whether it has initiated a business continuity plan relating to the operations of the adviser or reporting fund, as proposed? Does the initiation of such a plan provide the Commission with indications of potential stress at the fund or its adviser?
See response to question 46.
Comments to other specific issues:
Item K. Explanatory Notes: This section of the proposed Form PF would allow for additional information helpful in understanding the information reported in response to any Item in section 5 of this form. It is nonetheless unlikely to be helpful if operations events require additional elaboration in Item K. Initial notification of operations events should be factual, and provided in a structured way, which allows the SEC to assess risks to a fund or adviser, as well as potential broader systemic risks. Subsequent updates should provide more detail, including when the event is resolved. This comment further illustrates why the proposed Form PF is not an appropriate vehicle for reporting operations events.
Fees. While we have no objections to fees in connection with filing reports generally, in particular quarterly or annual disclosures, it could be counterproductive for the SEC to require a fee to provide an indication of potential operations events about which the SEC wishes to be made aware on a timely basis, as well as updates as the situation changes. The reporting entity will likely have much higher costs (if nothing else in lost management time) when an incident occurs than the filing fee itself. Requiring an additional fee for an early report of an operational incident also appears contrary to the trend of other such required reporting. Again, this illustrates that the reporting under proposed Item H, while important, does not fit in the broader context of the proposed changes to Form PF.
Shared solutions. Shared solutions are appropriate and can be viable, effective, and efficient ways for service providers to report to their various counterparts, or on behalf of regulated entities directly to the SEC or other regulator. The SEC should encourage or allow such reporting on behalf of its regulated entities, just as other regulators are implementing.