This is part of our blog series on the SEC's Proposed Cybersecurity Rule for RIAs, titled "Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies."

You can download our ebook on the rule at https://ria.tips/ebook.

The Million Dollar Question: Will the SEC ever finalize this rule? The finalization timeline has come and gone three different times now, and as of May 9th, 2024, the rule is not newly referenced in the Federal Register.

We're not mind readers, but here are thoughts on the tea leaves.

  1. We expect it will be finalized in some fashion. First, the commission finalized a similar rule for public companies. Second, at the IAA compliance conference in March of 2024, an SEC staff member sat in on a cybersecurity panel. While she made it clear she didn't speak for the commission (as she must say), she spoke of the rule as if it were alive and well.
  2. We think the SEC wants to make sure regulations are not overturned in a potential Trump presidency. This seems to be a Biden-administration goal, and that may delay other proceedings because of a lack of resources.
  3. We guess the SEC wants to make sure this rule is court-proof. It will likely be challenged, and we expect that the SEC wants to be ready for that. We suspect the SEC wants to ensure that if certain provisions are struck down, the rest of the rule will stand. Whether that will take a third comment period and material changes, we're not sure.
  4. We guess that the SEC has other priorities. Politically, other topics are more important, such as AI, cryptocurrency, anti-money laundering, DEI and ESG.

These, of course, are guesses. For now, we will continue to hit refresh on the SEC's finalized rules page every day.