This is part of our blog series on the SEC's Proposed Cybersecurity Rule for RIAs, titled "Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies"

You can download our ebook on the rule at https://ria.tips/ebook.

On June 5th, 2024, the Fifth Circuit Court vacated the SEC's new rules on private fund disclosures. The court voted unanimously that the SEC exceeded their authority in the rule.

So, how will this decision affect the un-finalized cybersecurity rule for RIAs? Legally, the rules are under different statutes, apply mostly to different entities* and aim to protect different people, and the harms the SEC is protecting against are different. However, the in spirit they share one thing: the SEC is trying out ways to interpret their statutory authority beyond what it has on face value.

This is par for the course: the laws they operate under are intentionally flexible to give them the flexibility to address new items that were not envisaged when the laws were passed (1940 and 2010 for two of the major laws). But these rules a step further removed.

On cybersecurity specifically, the potential harms are secondary or tertiary to the rule: (1) poor cybersecurity may lead to (2) data loss, which may (3) harm investors or the markets. This isn't a giant leap: data loss does lead to harm to people and poor cybersecurity is often to blame, but it still requires an extra link from say, an anti-fraud regulation which harms an investor directly.

We've speculated that the SEC is slow-walking finalization because, (1) they have more urgent priorities [like defending law suits?] and, (2) expect a court challenge when the rule is finalized and want to button up any outstanding issues. We can add (2b): maybe they want to see how existing court challenges play out to determine if they need to make changes to the rule.

Today's decision certainly suggests that the SEC should be ready for the court challenge to come.

*I read the rule as applying to private funds, which means there is a specific overlap of targeted entities.