Hedge Clauses; Cybersecurity Proposal; Form CRS


There have been a few interesting regulatory developments from our friends at the SEC recently, and we thought it best to summarize the more notable of such developments below:


“Hedge Clauses” in Advisory Agreements

A “hedge clause” is a contractual provision that purports to limit one party’s potential liability to the other party. Historically, such provisions have commonly been included as part of advisers’ standard advisory agreements (typically in a section entitled “Limitation of Liability” or something along those lines). For example, you may see language purporting to limit an adviser’s liability to “gross negligence” or “willful disregard,” perhaps followed by a statement that the client is not waiving any rights that the client may have under state and/or federal securities laws.

The SEC’s extreme skepticism with respect to hedge clauses is beginning to come to light. Use of an improper hedge clause was cited as part of a recent settlement involving an investment adviser just last month, and the SEC’s Division of Exams even cited “potentially misleading” hedge clauses that “may not align with [advisers’] fiduciary duty” in two recent Risk Alerts (last month’s Private Fund Risk Alert and the November 2021 Electronic Investment Advice Risk Alert). We’ve additionally heard from other members of our legal and compliance community that SEC Exam staff have been scrutinizing hedge clauses in the course of recent routine adviser exams. Though the roots of the SEC’s skepticism can be traced back to the SEC’s Interpretation Regarding Standard of Conduct for Investment Advisers, more of the iceberg now appears visible above the surface.

While we’re not yet convinced that the above-referenced settlement should be seen as an indication that all hedge clauses will result in an enforcement proceeding in isolation (there were other alleged ADV misstatements, books and records failures, and compliance failures cited in the settlement), when viewed in combination with the recent Risk Alert, Standard of Conduct Interpretation, and general word on the street, reconsideration of such advisory agreement provisions seems prudent.


Cybersecurity Rule Proposal

Earlier this month, the SEC proposed rather sweeping rules that would require advisers to (i) adopt and implement policies and procedures that are reasonably designed to address cybersecurity risks, (ii) report significant cybersecurity incidents to the SEC via new Form ADV-C, (iii) disclose cybersecurity risks and incidents to an adviser’s clients and prospective clients in Form ADV Part 2A, and (iv) maintain certain records related to the proposed cybersecurity risk management rules and the occurrence of cybersecurity incidents.

We don’t typically dedicate significant time to scrutinizing SEC rule proposals because they are just that – proposals without legal effect (yet). However, this proposal stands out primarily due to the potential requirement for all advisers to publicly disclose cybersecurity risks and incidents via Form ADV Part 2A and the mandate to self-report “significant” cybersecurity incidents to the SEC (which one can only assume would be followed by a potential SEC enforcement action).

The clock is ticking for the public to submit comments regarding this proposal. If you feel so inclined, you can submit your comment via the SEC’s Internet Comment Form or via email to rule-comments@sec.gov (with File Number S7-04-22 on the subject line).


A Brief Word on Form CRS

SEC-registered advisers should be aware that the SEC is still scrutinizing the relatively new Form CRS, or “Relationship Summary”. Late last year the SEC Staff issued a Statement Regarding Form CRS Disclosures (mainly describing what content should and should not be included in Form CRS), and just last week the SEC charged 12 additional firms for failing to meet their Form CRS obligations.

As a reminder, Form CRS must be filed via the Investment Adviser Registration Depository (“IARD”), delivered to clients more frequently than Form ADV Part 2A/2B, and must be posted “prominently” on your website. For additional detail, please refer to the Form CRS Instructions and FAQs.