This is part of our blog series on the SEC's Proposed Cybersecurity Rule for RIAs, titled "Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies".
You can download our ebook on the rule at https://ria.tips/ebook.
We've gone over most of the SEC's cybersecurity rule for RIAs in previous posts; this post is specifically a critique of its (lack of) alignment with other frameworks.
Our top suggestion to the SEC would be to allow firms to align themselves to an industry standard, such as CIS or ISO 27001/27002, and be considered compliant. These and other frameworks and certifications already exist, are well established and have a marketplace that can support and provide implementation today.
Second, the rule should explicitly align with NIST 800-171, a widely used catalog of security requirements. We do not mean that the SEC should have no prescriptive elements in the rule. We do mean that expressing its requirements within an established framework would be useful and would guide implementation.
For example, the NIST Cybersecurity Framework (CSF) has five core functions, each highly descriptive and minimally prescriptive: Identify, Protect, Detect, Respond, Recover. (NIST 800-171 itself groups its requirements into 14 families, such as Access Control and Incident Response, that cover the same ground.) The SEC rule has elements for each of these functions, but explicitly using the framework's structure instead of the SEC's own categories (assessment, user security access, information protection, threat and vulnerability management, cybersecurity incident response and recovery) would bring clarity to the rule, especially for the cybersecurity experts tasked with implementation, who already know how to map a control set onto the NIST functions.
The SEC could also synchronize its efforts with other government agencies. For instance, minimizing the number of cybersecurity-related forms, or using ones that adhere to standards set by CISA or the FTC, would greatly simplify compliance for advisers. It would have the added benefit of making it easier for the SEC to train staff on cybersecurity compliance by reducing the number of forms they must be familiar with.
To the extent that such synchronization is not possible, re-using questions or explicit alignment with other reports would allow companies to meet their reporting requirements faster.
This goes beyond advisers: the IT industry that supports advisers must know how to support the regulatory environment as well. Every time that environment splinters, it lowers the number of providers that are knowledgeable on any given subject, and as a knock-on effect reduces the number of providers available to advisers.
Of approximately 15,500 RIAs, over 9,000 have 10 or fewer non-clerical employees. Nearly every one of these will require third-party expertise to successfully implement a cybersecurity program. Out of 33 million United States businesses, only about 40,000 are IT providers. Those providers now need to have expertise in regulations for finance, banking, medical, accounting, the FTC, the DOE, the DOD and more.
Alignment with industry standards, both cybersecurity standards and reporting standards, will increase the number of providers available to advisers and increase the depth of expertise available to them.