Skip to main content

IAA Member Survey Indicates SEC Severely Underestimates Cyber Proposal Costs

January 4, 2023

Input from IAA members indicates that the SEC has severely underestimated the quantifiable costs associated with its proposed cybersecurity rules for investment advisers.

The SEC’s proposal, issued in February 2022, would require investment advisers to:

  • adopt and implement written cybersecurity policies and procedures with specified elements,
  • report significant adviser cybersecurity incidents to the SEC within 48 hours after having a reasonable basis to conclude that a significant adviser cybersecurity incident has occurred or is occurring with respect to the firm or any of its covered clients,
  • disclose significant adviser cybersecurity risks and incidents to clients, and
  • maintain related books and records.

The IAA submitted extensive comments on the SEC’s proposal in April 2022 and recently submitted the survey results to the SEC in a supplemental letter.

In response to questions raised by SEC staff during meetings with the IAA, we surveyed a wide range of members to better determine the proposal’s likely impact. The survey consisted of 10 questions and 34 members responded, representing a range of firm sizes as measured both by RAUM and number of employees. The survey report provides responses by both RAUM and employee count.

The survey demonstrates that:

  • The percentage of revenue that firms currently spend on cybersecurity is greater than the SEC assumes.
  • Advisers rely heavily on third-party service providers to provide cybersecurity services. In our supplemental comments, we ask the SEC to acknowledge and take into consideration the need for third-party expertise in this area and the associated costs.
  • Estimated initial and ongoing costs associated with implementing the proposal are much higher per adviser than the SEC’s cost estimates.

The survey results support the IAA’s view that there is no “one-size-fits-all” approach to cybersecurity among investment advisers and reinforces our recommendation that the SEC continue to allow investment advisers to tailor their cybersecurity programs to their business models. The IAA has asked the SEC to update its cost-benefit analysis to incorporate this data and modify the proposal to reflect these more significant costs imposed on advisers.

The survey results can help members benchmark their cybersecurity-related costs.

You are now leaving Investment Adviser Association

The IAA provides links to web sites of other organizations in order to provide visitors with certain information. A link does not constitute an endorsement of content, viewpoint, policies, products or services of that web site. Once you link to another web site not maintained by the IAA, you are subject to the terms and conditions of that web site, including but not limited to its privacy policy.

You will be redirected to

Click the link above to continue or CANCEL