The Silence Is Deafening

It’s September as we write this and the SEC hasn’t announced anything notable on the Cybersecurity Rule for RIAs – will they? 

At this point we think one of two things is most likely, (1) the rule is finalized on a less strict basis, with lighter deadlines and few prescriptive measures, or (2) it is effectively shelved until after the election. 

The SEC has also had mixed success in the courts. The Private Fund Adviser Rules were fully vacated in July, a major loss that used 211(h) as a legal basis. Other losses include the Proxy Advisory Rule, the Stock Buyback Rule and at least three crypto-related losses. 

The amendments to Reg S-P loosely followed the less strict approach, where the SEC gave ground on certain matters, such as dropping contractual requirements with service providers, but didn’t give much ground on others (covered entities still need to ensure that their providers meet specific expectations, it just can be less formal than a contract.) 

If the commission follows this approach, we expect to see contractual obligations walked back and the new ADV C form eliminated. As Charu Chandrasekhar, a partner at Debevoise and Plimpton and former SEC staff member observed in an IAA workshop in September:

“Given the overall overlap with 211(h) as the statutory basis for the private funds rule that was completely struck down, and the cybersecurity advisors proposal, I think the commission is going to try to be a little more conservative and less ambitious than it was originally. The piece that’s easiest to get through is probably 206(4)-9 [adopting cybersecurity policies and procedures], because notwithstanding the statutory basis overlap, it is most adjacent to 206(4)-7, it’s a suite of policies and procedures that a lot of advisors already have, so I don’t think that it’s as much of a bridge too far as, say, this entirely new ADVC notification requirement.”

Missing Rules

The Other Side: The last word on the IAA panel about cybersecurity was, “We have no idea when it’s going to be finalized, if in this administration or the next.” 

But: The SEC also has officially kept it on their regulatory agenda, most recently posting in a September Federal Register publication that remains in a state likely to be finalized in the next 6 months. 

All told, the increased judicial complexity combined with the politics make it unlikely that the Cybersecurity Rule will be finalized, at least in its current form.