Cybersecurity: a growing risk imperative #CFOandCOO

I’m attending the PERE CFOs & CCOs Forum. These are my notes from the session.

PERE

On a scale of 1 to 5 the attendees created a classic bell curve on how confident we felt about our cybersecurity programs, with most choosing “3.”

The panel labeled social engineering as the upcoming threat. There were several stories of fake invoices coming from outside the firm, spoofed to look like they were coming from within the firm. The other example was malware injected into the IT system by a junior person opening a malware file sent through email.

Cybersecurity should be part of the regular compliance training. Focus spoofing and phishing prevention training on those who can move funds or authorize funds to move.

Cybersecurity is now a common item on SEC exams. Be ready to answer questions.

Hackers tend to be opportunistic. They need to see a weakness or they are more likely to move on to another target. The scary problem is when our firm is specifically targeted.

The panelists seem to have some strict rules on the use of personal email. The challenge is that younger workers are used to collaborative tools and easier access to information.

For mobile devices, the standard is to be able to wipe the phone remotely in case it is lost to keep information secure. Make sure everyone knows to quickly report a lost phone.

Cybersecurity is part of fundraising. It is a very common item on investors’ due diligence questionnaires, although probing beyond the questions tends to be limited.

Cyberinsurance is becoming more common. The coverage is expanding. It covers losses. It does not necessarily cover all of the incident response.

An Update from the SEC #CFOandCOO

I’m attending the PERE CFOs & CCOs Forum. These are my notes from the session.


Bruce Karpati interviewed Igor Rozenblit, Co-head of the Private Fund Unit at OCIE, Securities and Exchange Commission. Of course, Igor’s views are his own and do not necessarily reflect the views of the SEC or the Commissioners.

Previously, when Bruce was at the SEC, he interviewed Igor and hired him to join the SEC.

Igor’s group audits industry participants. A different group is responsible for making regulations and the enforcement unit is responsible for enforcement. Igor helps to train examiners so they know the difference between property management and fund management.

Real estate is a small portion of the SEC’s oversight. Hedge funds and private equity funds and managers are more numerous than real estate. They see more complexity and more conflicts with real estate managers.

They just completed a real estate initiative focused on value-add and opportunity funds. It is still continuing. Some of the concerns:

Undisclosed related party vendors is the first. He mentioned spinoffs of a manager’s units and then having the manager engage that unit as a fund expense.

Partially disclosed is next. The manager discloses the relationship, but not the full scope of expenses.

Market-rate. He has not had an exam where the market rate was supported. They have found managers with counter-support. The manager charges less to third-parties than to the fund. He offered no specific way to prove market rate to the satisfaction of the SEC. His recommendation was third-party market surveys.

Chargebacks should have three components. First is clarity about what is charged to the fund. The SEC views ambiguity against the fund manager. The default should be to the benefit of the investor.

In-house legal expenses charged to the fund are a noted problem. The fund documents typically provide for the fund to pay legal expenses, but the manager to pay for personnel expenses. Igor’s position is that the in-house legal should be a manager expense unless explicitly provided in the fund documents.

The second is comprehensiveness of disclosure. It needs to be broader than just to the Advisory Board.

The third is timeliness. Disclosure after the fund closes is insufficient.

Valuation is a key focus. Real estate is the classic hard-to-value asset. The SEC is looking for a good process and not a single person controlling the valuation. Lots of review and approval is good in the eyes of the SEC.

One evolving area is fund managers controlling assets moving from fund to fund for distressed debt. It intertwines the manager on both sides of the transaction and has a valuation issue.

There are 500 SEC examiners focused on asset management. There is a variation among regions and among the different examiners. Igor’s Unit plays a key role in targeting managers for examination.

Onsite will vary depending on location and complexity. Typically it lasts a week. Then it continues back in the office with the SEC likely asking follow-up questions and asking for more documents.

To prepare for an exam, Igor thinks you should take a holistic approach and identify risks ahead of time. Make sure you are aware of them and are dealing with them.

Intangibles during the exam are key. Do not be combative. Be likable. Do not try to hide something. Do not look like you are trying to hide things.

He does not think the speed of document production is key; accuracy is more important.

Looking for fraud is what they do. The exam can turn investigative if the examiners find problems.

How to avoid enforcement? Stealing money gets you in enforcement. Units may be looking to send a message to the industry and can use enforcement to do so.

Igor expects the CCO will quarterback the exam and the CFO will have a big role addressing the finance function.

There are few options for fixing SEC-discovered conflicts in closed funds. One solution is approval of the advisory board if the fund documents allow the board to approve conflicts. Otherwise it requires changes to fund documents.

Igor noted that the Investment Advisers Act’s anti-fraud provisions have applied to fund managers regardless of whether they are registered. It’s just the post-Dodd-Frank registration that has given the SEC the ability to examine registered real estate fund managers and given the SEC more insight into the industry.

The use of joint ventures is a point of focus for the SEC. The SEC is concerned about potential conflicts in the relationship, in particular if senior management of the fund manager has other business relationships with the joint venture partner.

Igor has found that outsourced compliance is not doing the robust job the SEC expects. He noted an outsourced CCO who did so for several dozen firms. Of course, the expense needs to be determined as to whether it is a fund expense or a manager expense.

Make sure you are treating your investors fairly.

Even a sophisticated investor cannot detect that it is being charged more than bargained for if the investor does not have access to the information.

Why is valuation important when fund managers are not paid on unrealized gain? One is the use of higher valuations in marketing. The second is in taking a deal-by-deal promote based on the higher valuation.

Cyber risk is important for real estate fund managers. Don’t let hackers get at your stuff.

Doing Business in Europe Today #CFOandCCO

I’m attending the PERE CFOs & CCOs Forum. These are my notes from the session.


Most of the attendees are using private placement to get into Europe, with the rest split between a parallel Europe fund and reverse solicitation.

AIFMD arrangements are possible with a third party that has the AIFMD passport. The non-EU firm acts as a subadvisor.

Reverse solicitation is a grey area. It can’t be used for a large input of European investors.

Private placement regimes will terminate in 2018 and AIFMD will take over fully. Currently, using the private placement regime requires a great deal of local knowledge of the individual regulatory regimes in each country.

Setting up a new European-based manager for a parallel fund is a solution. That requires more money and more people (and that means more problems).

There is a new Luxembourg investment vehicle type called a RAIF that allows easier use of AIFMD. European investors would come in through this entity. You do not need to submit a prospectus for approval. You can also use it for multiple funds. Cells under the RAIF would invest in the fund.

AIFMD has the requirements of a depositary and disclosure of remuneration. You can deal with these, but it’s difficult. The reporting is time-consuming.

The remuneration rule has three boxes. If you have your own AIFM, then you need to report pay of key personnel. If you use a third-party AIFM that subcontracts the management back to the manager, you still may need to report your key personnel. The Annex 2 Guidelines govern the compensation disclosure and variables.

The key control is to have the fund manager control the bank accounts and not allow the appointed AIFM to control the bank accounts. The AIFM is merely an adviser; it does not have legal authority to act on behalf of the fund manager.

There are grey areas around the difference between a joint venture and pooled-fund. If the investor has significant control, it may not be a fund subject to AIFMD.

The view is that it may take tens of millions, if not hundreds of millions, of AUM from Europe to justify the cost of being AIFMD compliant.

Where Are We Now? #CFOandCOO

I’m attending the PERE CFOs & CCOs Forum. These are my notes from the session.


Operations are increasingly the difference maker in an environment of declining revenue per AUM. If we are going to be a cost center, we should be the best.

International operations take up a disproportionate amount of time. Investing overseas has a lot of regulatory hurdles. There are some overseas markets where it is really hard to do business and meet the legal and regulatory requirements of the US. Getting overseas investors is an even bigger hurdle. Getting it right is a value-add proposition for your firm.

Most attendees rated themselves “moderate” in terms of legal/regulatory/compliance risk. A third rated themselves “ultra conservative” and a small number “aggressive.”

Complexity is a cost to the bottom line, given the need to deal with those legal and regulatory burdens.

Everybody in the firm is marketing the firm. In a culture of compliance, you want everyone to be their own compliance officer.

Finding people who understand the business and understand the compliance requirements to fill roles is hard. Then you need really good communicators who can distill complex issues into an easy-to-understand package. More is not necessarily better.

There is great consternation about the unintended consequences of regulations. Private equity real estate is a tough fit for the existing SEC regulations.