This is part of our blog series on the SEC's Proposed Cybersecurity Rule for RIAs, titled "Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies"

You can download our ebook on the rule at https://ria.tips/ebook.

Reading through the S-P amendments adopted by the SEC in May, I was struck by the comments on whether RIAs (and other covered institutions) can negotiate contract terms at all, which argued that smaller firms have no negotiating power with large companies:

Specifically, two commenters asserted that the written contract requirement would harm covered institutions, which may not have the negotiating power or leverage to demand specific contractual provisions from large third-party service providers, particularly where specific provisions are “inconsistent with the business imperatives” of the service provider and/or in the case of small covered institutions...

The same argument was made in comments on the Proposed Cybersecurity Rule for RIAs (most likely by the same entity, the IAA). While we don't disagree that very few firms have negotiating power with companies such as Amazon, Microsoft, Google, Charles Schwab and so on, it is also true that these larger companies are the most likely to already have written contracts that cover the specifics of both rules.

For instance, you can find SOC reports for Amazon, Google, and Microsoft with a Google search. Schwab is not as straightforward on its public-facing site, but it still has a dedicated cybersecurity page.

Microsoft promises customer notification within 72 hours in the event of a data breach, Google promises "prompt" notifications, and while Charles Schwab doesn't have a public-facing notification policy, it is a "covered entity" and would have to adhere to the same provisions as RIAs.

We chose those companies as examples, but many or most other large corporations already have similar written policies in place, in large part because it is good business. Many of them must be GDPR, HIPAA, CMMC or NYDFS compliant, and those frameworks overlap significantly with the proposed SEC regulations.

All of this is to say: RIAs may not have negotiating power with big companies in regard to cybersecurity, but they rarely need it. (Most of) those companies already make it easy to be compliant with written contracts.

--

It is only fair to mention that both Amazon and Google opposed the provision requiring a written contract with service providers as proposed, from footnote 230:

See AWS Comment Letter (suggesting that in order to address the practical difficulties of compliance, the Commission should provide covered institutions with a flexible approach to achieving compliance with the service provider provisions that relies on the use of independent certifications, attestations, and adherence to industry standards); see also Google Comment Letter (suggesting that rather than prescribing the specific practices that must be included in the contract, (a) contracts should require service providers to implement and maintain appropriate measures that are consistent with industry standards, and (b) each covered entity should oversee its providers to assess if the provider addresses the relevant practices to an adequate standard—noting this activity can be supported with third party certifications and standards).

However, this language is really asking for clarification that industry-standard cybersecurity policies (which they already have) can be considered compliant for covered entities, a position CyberSecureRIA supports.

The comments implicitly suggest that these same providers will provide the necessary compliance regardless; otherwise the SEC's position would be of minimal consequence to them.