IAA Member Survey Indicates SEC Severely Underestimates Cyber Proposal Costs
January 4, 2023
Input from IAA members indicates that the SEC has severely underestimated the quantifiable costs associated with its proposed cybersecurity rules for investment advisers.
The SEC’s proposal, issued in February 2022, would require investment advisers to:
- adopt and implement written cybersecurity policies and procedures with specified elements,
- report significant adviser cybersecurity incidents to the SEC within 48 hours after having a reasonable basis to conclude that a significant adviser cybersecurity incident has occurred or is occurring with respect to the firm or any of its covered clients,
- disclose significant adviser cybersecurity risks and incidents to clients, and
- maintain related books and records.
In response to questions raised by SEC staff during meetings with the IAA, we surveyed a wide range of members to better determine the proposal’s likely impact. The survey consisted of 10 questions, and 34 members responded, representing a range of firm sizes as measured both by RAUM and number of employees. The survey report provides responses by both RAUM and employee count.
The survey demonstrates that:
- The percentage of revenue that firms currently spend on cybersecurity is greater than the SEC assumes.
- Advisers rely heavily on third-party service providers to provide cybersecurity services. In our supplemental comments, we ask the SEC to acknowledge and take into consideration the need for third-party expertise in this area and the associated costs.
- Estimated initial and ongoing costs associated with implementing the proposal are much higher per adviser than the SEC’s cost estimates.
The survey results support the IAA’s view that there is no “one-size-fits-all” approach to cybersecurity among investment advisers and reinforce our recommendation that the SEC continue to allow investment advisers to tailor their cybersecurity programs to their business models. The IAA has asked the SEC to update its cost-benefit analysis to incorporate this data and modify the proposal to reflect these more significant costs imposed on advisers.
The survey results can help members benchmark their cybersecurity-related costs.