This is part of our blog series on the SEC's Proposed Cybersecurity Rule for RIAs, titled "Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies."
You can download our ebook on the rule at https://ria.tips/ebook.
If the SEC Cybersecurity Rule for RIAs is finalized, what will that mean? Or if it isn't, what does that mean?
At the end of the day, the SEC's requirements for the cybersecurity program are best practices for cybersecurity. Responsible RIAs should already have most of these elements in place; for these RIAs the cybersecurity requirements will not be overly burdensome.
For advisers who do not have adequate cybersecurity protection in place there will be a higher initial investment. The initial downside is a cash outflow that they may not be ready for or want to make. In the long term, however, it is likely that they will recoup some of those costs through higher technology efficiencies: it is hard to have a properly secured environment that isn't also efficient. Under-investments today most likely reflect under-investments in technology more widely, which inevitably cost advisers (and other businesses) far more than they know.
The rule also has the potential to boost advisers that already have made the investment in cybersecurity by forcing their peers to up their game, instead of artificially lowering fees or increasing profits by simply refusing to spend on a necessity.
In short, the cybersecurity program portion of the rule is good.
The Form ADV-C is another matter. The SEC believes it is necessary so it can know what is happening in the industry from a cybersecurity perspective, coordinate with other agencies as needed, or alert advisers more broadly.
It's our belief that the form could be a handful of questions -- at most -- and the SEC could contact the adviser if it needed more information. Because so many attacks are generic and opportunistic, we're doubtful that more information on most attacks will be useful to the SEC. At the very least, a 30-day window for any detailed reporting would make sense.
However, the single biggest determinant of the SEC cybersecurity rule will be the enforcement. Of course, this is true for all rules to some degree, but this is different:
- It is not black and white. Compliance around marketing and record keeping is straightforward; whether a cybersecurity program is “reasonable” is not.
- There is no precedent. Unlike most other SEC regulations, there is very little precedent to guide firms and auditors. This matters especially with poorly defined terms such as “material,” “significant,” or “substantial.”
- It requires new expertise. Experts in cybersecurity are expensive and hard to come by. Evaluating compliance will require both substantial technical know-how and a knowledge of the rule. It is not likely that many SEC staff have the experience and knowledge required to make accurate assessments of cybersecurity programs, especially without the precedent of prior decisions.
We expect that this last point – expertise – will be the most difficult to overcome. If the enforcement of the rule is effectively delayed, we expect the delay will come from the staff training that enforcement requires.