SEC Sanctions Offer New Cybersecurity Guideposts

One former SEC enforcement leader says actions against several advisory firms that allegedly had cybersecurity failures make a clear case for the use of multifactor authentication—but that’s just the beginning of cybersecurity.

The U.S. Securities and Exchange Commission (SEC) recently announced it was levying a series of sanctions against eight registered advisory firms for failures in their cybersecurity policies and procedures.


According to the SEC, the failures led to pernicious “email account takeovers” exposing the personal information of thousands of customers and clients at each firm. The SEC says the eight firms, some of which operate collectively, have agreed to settle the charges, together paying $750,000 to settle the matter without formally admitting fault or wrongdoing.  

The SEC’s order against one of the entities alleges that, between November 2017 and June 2020, cloud-based email accounts of more than 60 firm personnel were taken over by unauthorized third parties, resulting in the exposure of personally identifying information (PII) of more than 4,000 customers. According to the SEC, none of the taken-over accounts were protected in a manner consistent with the registered firm’s stated policies and procedures.

In a new interview convened to discuss the sanctions and the SEC’s expanding focus on related issues, two expert attorneys with Baker McKenzie—Peter Chan and Valerie Mirko—say the ball is just getting rolling when it comes to SEC enforcement actions related to cybersecurity failures. Chan is a member of Baker McKenzie’s North American Financial Regulation and Enforcement Practice who spent 20 years working in senior enforcement roles at the SEC, and Mirko was general counsel at the North American Securities Administrators Association (NASAA) prior to joining Baker McKenzie.

Notable to the dialogue, presented in summary below, is the fact that Chan served as assistant regional director in the SEC’s Chicago regional office, where he led investigations and litigations of high-profile enforcement cases. Additionally, as the head of the Municipal Securities and Public Pensions Unit at the SEC’s Chicago office, he oversaw cases involving municipalities and public pensions throughout the Midwest, including disclosure failures by states, cities and underwriters in municipal bond offerings; pay-to-play and public corruption; and securities fraud victimizing municipalities and public pensions. For her part, Mirko’s prior experience includes providing advice on, among other areas, the SEC Regulation Best Interest (Reg BI) rule set, the fiduciary duty/standards of care, Employee Retirement Income Security Act (ERISA) pre-emption, retail enforcement issues, investment adviser oversight and data privacy.


PLANADVISER: Before we examine the SEC’s cybersecurity enforcement, can you both please comment on the agency’s activities during the early days of the Biden administration and under the leadership of the new SEC Chair Gary Gensler?

Peter Chan: So far, we are largely seeing what we expected in terms of elevated enforcement activity. Since Labor Day, in fact, it seems that SEC enforcement actions have picked up even more significantly.

When you think back to the prior administration, there was significant enforcement activity as well, much of it focused on retail investors. Under the new chair, Gary Gensler, I think we have seen the enforcement focus become somewhat stronger, but also broader. Our sense is that the policy focus and boundaries are broadening, for example in terms of cybersecurity, but also in terms of, as another example, reviewing the regulation of digital assets in a potentially very aggressive way. I also think that, as Chair Gensler has mentioned directly, the SEC is not going to shy away from addressing big market structure issues—and using enforcement as opposed to merely guidance to do so.

Valerie Mirko: I agree with that. The SEC’s mission has been pretty stable for the past several administrations, with the focus on protecting retail investors. Of course, there is always some change in the types of enforcement cases that ultimately are pursued.


PLANADVISER: What do you make of the SEC’s recent enforcement actions that focused on cybersecurity failures—and, specifically, the use, or lack of use, of multifactor authentication?

Mirko: The three enforcement actions that came out at the end of August have already been coming up a lot in our discussions with clients. One practical takeaway is that the SEC has signaled an expectation that multifactor authentication, or ‘MFA,’ should probably be in place for email accounts operated by registered entities. The assumption is that these are email accounts being operated by people who are likely going to have access to sensitive information, so the SEC believes MFA should be in place as a matter of course.  

In a way, this is a departure from earlier SEC cases, which focused much more on the lack of stated cybersecurity policies and procedures. The current enforcement actions are actually looking closely at the content and execution of the stated procedures. For example, if you say in your procedures that you use MFA and in practice you do not, that is automatically an issue. Or if a firm had a third-party account takeover and it turns out its policy did not address using MFA, that’s a problem.

Chan: I would just add that MFA is expected, we can say, but it’s not enough and it’s not the end of cybersecurity innovation. Both Valerie and I know from prior experience that the SEC, as a regulator, is careful about making absolute policy prescriptions. In this case, there is a strong endorsement of MFA, but the bigger message is that advisers and others who have a duty to protect customer information are expected to evolve and to be fully caught up with the latest type of attacks and the latest type of protection. We need to be careful and note that the SEC is promoting best practices that are currently considered to be reasonable and effective. Three to five years from now, MFA might not be enough, and the SEC’s view on reasonableness will have evolved.

Focusing on the protection of information is the key here. For the SEC to sanction eight firms and to announce it in one press release, it is sending a message. Advisers must be alert to the changing cybersecurity environment.


PLANADVISER: Does it make sense for firms to be trendsetters in this area? For example, would a firm want to explore relatively novel security technologies such as voice print authentication or facial recognition?

Chan: I don’t know that I would go as far as recommending any specific technology like voice or face recognition. What we can say is that, from a regulatory hygiene perspective, it is better for the industry as a whole to lead in terms of answering what is the right approach to cybersecurity—versus having the regulators try to do it. That’s the way it should work best. If the SEC sees that the industry as a whole has taken the lead and is taking cybersecurity seriously, there is going to naturally be less incentive to control and dictate. If the whole industry is not moving forward together, it is inviting regulatory intrusion.  


PLANADVISER: And can you share any advice or insight for firms that experience a negative cybersecurity event, such as an email breach or a network intrusion?

Mirko: I think the most important thing for firms to do is to not wait until there is a cyber intrusion to put a response plan in place. This means taking the time and resources to do tabletop exercises and simulations, so that you can have various plans in place to be ready for the different types of cyber intrusions that could occur. I will say that, by and large, the industry has been very forward-thinking in this way. The big challenge, of course, is that businesses evolve, and the threats evolve, so it is always hard to game out everything in advance. There needs to be more of a robust plan in place and better internal coordination compared with what happened at the sanctioned firms.  

Chan: ‘Stop the bleeding’ is a piece of guidance that is commonsense but so important. You must figure out what the parameters and scope of the breach are and how to minimize or stop it as soon as possible. This will require having relationships and contacts in place with the right technical resources, attorneys and forensic researchers who you can rely on. You don’t want to spend the first 24 to 48 hours after a major breach asking for names and referrals.

In the recent sanctions, the SEC also cited a failure of adequate and timely disclosures going to clients. Responding to an event like this is not just about informing the regulators. Firms have a duty to tell those who are potential victims what happened, so they will be alert and take steps to protect themselves. By trying to sugarcoat the extent of a breach, you are actually handicapping the client from taking measures to protect themselves.


PLANADVISER: Any other important themes or lessons learned you can share?

Chan: Just having written policies and procedures is not enough. The SEC criticized one of the firms for failing to actually follow existing policies that the SEC otherwise found to be sufficient. Firms should review and operationally confirm that their actual practices are consistent with their written cybersecurity policies. Periodic training and awareness initiatives will also help personnel consistently follow firm written cybersecurity policies.

Mirko: Ensure that statements on cybersecurity incidents are timely but also accurate. The SEC faulted one firm for inadequate compliance in connection with inaccurate statements as to when the firm actually discovered the incidents. Finally, the SEC did not specifically say that its regulations require MFA in all cases, but it made clear its expectations that firms should likely have MFA in place, as it is a reasonable approach to thwart phishing, credential stuffing and other modes of attack. Firms should take steps to assess MFA requirements to protect sensitive client and customer information.

Is Bond Fund Misclassification a Serious Problem?

PLANADVISER wades into the tricky and not uncontroversial topic of bond fund classification, or 'misclassification,' as it were.

Art by Guille Manchado


In November 2019, the National Bureau of Economic Research published a paper in its working paper series: “Don’t Take Their Word for It: The Misclassification of Bond Mutual Funds.”

The authors reported key findings that, if presumed to be true, raise some tricky questions for the mutual fund analysis and reporting industry. Specifically, the authors stated that bond fund managers are prone to misclassifying their holdings, to the extent that these misclassifications have a real and significant impact on investor capital flows—and on the amount of risk bond investors are taking.


The study compared Morningstar bond fund reports with various funds’ actual portfolio holdings, as the authors studied and identified them. The authors found “significant misclassification of fund riskiness across the universe of all bond funds, with up to 31.4% of all funds misclassified in recent years.”

“Many funds report more investment-grade assets than are actually held in their portfolios to important information intermediaries, making these funds appear significantly less risky,” the report warns.

According to the researchers, the purported goal of these misclassifications was to earn a higher credit-quality rating in the oft-consulted Morningstar Fixed-Income Style Box. As an example, if a given fund held mostly BB-rated bonds, this would tend to anchor it in Morningstar’s low credit-quality tier. On the other hand, if the fund manager reported a BBB-portfolio—while still holding many BB-bonds—the fund could move into the medium credit-quality tier. Assuming the usual positive correlation between risk and return, the misclassified BBB-rated fund could potentially show a higher yield and more upside potential than its correctly classified BB-peers. The authors also maintain that “misclassified funds receive significantly more Morningstar stars than other funds.”

In the retirement planning world, star ratings matter. Plan advisers contacted for this article say they frequently use Morningstar’s analyses, including star ratings, when considering which bond funds to propose for a retirement plan’s lineup. Other research shows participants tend to rely “blindly” on such ratings when evaluating the bond funds available within their plans.  

For its part, the 2019 working paper attracted attention after its publication, and the authors and Morningstar’s research staff held a conference call to discuss the findings. Morningstar subsequently published a series of critiques, which the authors rebutted. Their disagreements remain unresolved, and the paper’s final draft was published in the peer-reviewed August 2021 “Journal of Finance.”

A Closer Look at Self-Reported Data

Bond funds often hold hundreds of securities with a wide range of covenants, maturity dates, yields and other features, even among bonds from the same issuer. Additionally, credit-rating agencies can differ on a security’s creditworthiness, assuming a bond is rated at all.

The key point for the authors is that Morningstar asks each bond fund it tracks to provide a monthly summary report of its holdings. Jeff Westergaard, Morningstar’s fixed-income data director, explains that the reports contain a core set of information related to fixed income investments. These consist of four portfolio average data points, including a duration data point that contributes to the style box and a data point that considers the distribution of the portfolio across seven rating categories (ranging from AAA to below-B).

Westergaard says he is confident in the data’s quality: “We receive literally tens of thousands of these surveys, and we believe that the vast majority of them accurately reflect the credit ratings of the funds that they purport to be.”

The authors propose that self-reporting opens the system to abuse, however. They say Morningstar is “overly reliant” on the provided summary metrics by basing “its credit risk summaries solely on the self-reported data.”

Per the paper: “We provide robust evidence that funds, on average, report significantly safer portfolios than they actually (i.e., verifiably) hold. … Due to this misreporting, funds are then misclassified by Morningstar into safer style boxes than they otherwise should be.”

They add that the impact doesn’t stop with style box misclassification and star ratings. The authors also claim that misclassified funds can charge significantly higher expenses and attract more investor flows.

Hashing It Out

In November 2019, the same month the authors published their report, Morningstar published a brief initial response to the working paper, followed by a more in-depth reply in December 2019. Two key Morningstar assertions from the December publication are:

  • Credit-quality differences from self-reported data almost always stemmed from bonds that Morningstar’s calculation engine didn’t recognize or couldn’t associate with a credit rating. The authors assumed these “not rated” bonds were low quality, but this often isn’t the case; and
  • The authors misunderstood how Morningstar classifies funds by mistaking the fixed-income Morningstar Style Box assignments for Morningstar Category classifications. Morningstar uses the categories to peer-group, rank and assign ratings to funds, while the authors’ sole focus was on the fixed-income style-box assignments.

The “not rated” discussion quickly gets into the weeds of bond credit-rating reporting, but Morningstar provides an illustration for a specific fund showing that unrated fixed-income securities are not always low quality. The authors subsequently replied that an analysis of funds that omitted unrated bonds still supported their finding of significant misclassification.

Morningstar’s reply also discussed the style box versus category analysis. The company classifies bond funds into multiple categories: corporate bond, multisector bond, ultrashort bond, etc. A fund’s risk-adjusted performance in its category, not in its style-box classification, determines its star rating. From Morningstar’s reply: “Once we’ve assigned funds to Morningstar Categories, we can compare and rank them on measures such as past performance. Indeed, to assign star rating to funds, we rank funds’ trailing risk-adjusted returns against those of other funds in their Morningstar Category (the Morningstar Risk-Adjusted Return Rank).”

Jeffrey Ptak, Morningstar’s chief ratings officer, says style boxes and categories use “completely separate” classification arrangements. “If somebody was trying to game the style box, they might succeed with that, but that might have no bearing on their Morningstar category classification because the category classification rules are completely different,” he explains.

Morningstar emphasized the importance of style box assignment versus fund category assignment in its published commentaries and in a conference call with PLANADVISER. According to Morningstar’s December reply, the firm asked the authors for a list of funds that they considered misclassified and what they believed to be those funds’ correct categories at the time of analysis. According to the reply, though, “The authors confirmed on a conference call held November 11, 2019, that they could not furnish such a list, as they’d defined ‘misclassification’ based on funds’ style box, not Morningstar Category, assignments.”

Morningstar’s published conclusion: “We have found no evidence that bond funds have been incorrectly assigned to Morningstar Categories in the widespread way the authors allege.” The authors’ rebuttal: “Our findings still hold when we compare the funds against the Morningstar category (as opposed to risk peer group.)”

An Ongoing Argument?

As of early September, the situation remains a stalemate. Westergaard says Morningstar still doesn’t have a clear idea of what data or methodology the authors used to reach their conclusions. “We did ask them to share this, and they declined to do so,” he adds. The authors’ published response: “We are using Morningstar’s data (from the Morningstar Direct product), along with Morningstar’s published formulas for calculating all of the weightings and classifications in the paper.”

Two of the authors responded positively to PLANADVISER expressing interest in discussing their findings, but subsequent messages with several specific questions went unanswered by deadline.

Several advisers called upon to discuss the controversy expressed frustration with the lack of resolution.

Tolen Teigen, chief investment officer (CIO) of wealth management and workplace benefits consulting firm FinDec, in Stockton, California, says his firm uses both Morningstar and Fi360 research when evaluating bond funds for clients’ plans. Teigen says the lack of specific misclassification examples in the paper is a drawback.

“From what I’m gathering from this research, there do not seem to be any definitive data points to confirm the findings,” he says. “We would need to do further research and analysis to see specific details about how Morningstar analyzes its data and see if the end result truly makes a meaningful difference from what is being reported.”

Other advisers said that while they use Morningstar’s style box and star ratings, the bond fund reports are only one factor they consider in the fund selection process—and they’re not necessarily the dominant factor. Matt Ogden, head of fixed income manager research with CAPTRUST, in Raleigh, North Carolina, says his firm maintains a list of recommended funds in each asset class. The process of vetting managers is both qualitative and quantitative, he explains. The firm reviews several investment manager databases, including Morningstar and other sources, to identify prospective managers.

Due to CAPTRUST’s large size, the firm also can arrange meetings with the investment managers being considered to “understand what they are doing at a more granular level,” he adds.

Like Teigen, Ogden says he wished the authors had provided specific examples where misclassification caused a fund to move between credit quality ratings or fund categories. Furthermore, he adds that he believes Morningstar “put together a fully reasoned response.”
