This is part of our blog series on the SEC's Proposed Cybersecurity Rule for RIAs, titled "Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies."
You can download our ebook on the rule at https://ria.tips/ebook.
It seems self-evident to say that the enforcement of the SEC's Cybersecurity Rule for Advisers will ultimately determine its effectiveness, but we think it matters more here than ever.
First, there are no precedents. For nearly every other existing and upcoming regulation there is some degree of precedent: perhaps enforcement came under a different rule, or the rule parallels other rules closely enough that precedents are available to auditors and advisers alike. Cybersecurity enforcement has no material precedents.
The result will be a wider variance in enforcement and standards than under other rules. Of course, there is no shortcut to creating precedents; by definition, they have to be created as you go along. Therefore, how the SEC creates precedents through enforcement matters greatly.
Second, there is not enough in-house expertise at the SEC to enforce this rule (unless they have some CISOs locked in a closet somewhere). Cybersecurity isn't like most other regulations, which deal with financials, integrity, paperwork, fiduciary duty and so on. This means that the SEC's existing expertise will hardly translate, if at all, to the cybersecurity rule.
Evaluating cybersecurity programs is far outside the SEC's wheelhouse of existing regulations, so it will not have sufficient expertise to properly audit, at volume, when the rule is finalized. This means that the SEC must tread lightly as the rule gets underway. It needs to develop new training programs for auditors. It needs to develop standards.
If the SEC is able to thread this needle, then the rule may become very effective, with minimal implications for advisers who already run effective cybersecurity programs. If the SEC is not able to develop internal competence and standards, the rule may be toothless, or overly broad and unduly burdensome on advisers.