206(4)-9: An Update On the SEC’s Cybersecurity Regulations From Hell

Our latest webinars have focused on the new cybersecurity regulation, Rule 206(4)-9, for over a year now, as I have mainly been helping companies understand and comply with it.

Thus, I think it’s crucial to keep our audience informed about this topic.

The SEC has postponed the RIAs’ new cybersecurity regulations, Rule 206(4)-9, until October 2023, according to the SEC’s Spring Agenda.

The upcoming regulation is significant because it will shift us from a phase of receiving information on cybersecurity best practices observed during examinations by the commission, to a phase where the SEC will impose strict regulations on what RIAs are required to do to meet cybersecurity requirements. Heavy fines are being enforced now, and more will follow as regulations become stricter.

The implementation of the SEC’s new regulation 206(4)-9 will be an expensive and complex task for many firms. Given the requirement to perform vulnerability scans, threat and risk assessments, network and domain mapping, and employee training, the costs associated with these security measures can quickly add up. According to the SEC, “Our survey found that firms spent an average of 0.5% of revenue – or $2348 per employee…while spending is considerable, it may nonetheless be inadequate.” (SEC Proposed Rule 206(4)-9 | Pages 71-72)

And just FYI, we charge clients significantly less to tackle this work for them.

We are not fans of the new regulations and think they bring more problems than they solve. We covered that topic in our webinar titled “The SEC’s New Cybersecurity Reporting Rules Are Extremely Dangerous for RIAs” (video on YouTube linked below).

The Investment Adviser Association recently wrote a letter to the SEC criticizing the overall impact of the agenda on RIAs and other market participants. Despite the delayed timeline, some individuals are still concentrating on ensuring that they will meet the requirements of the proposed regulations, according to Karen Barr, the president and CEO of the industry association, as reported by Financial Advisor IQ.

“No one is feeling that comfortable,” said Barr. “Firms are trying to prepare for the onslaught of a suite of new regulations and trying to analyze what they know, what resources they might need and trying to make their best guesses in their budgeting as to what the final proposals might look like and what the timelines might be.”

According to a 2022 report by Cerulli Associates, about 68% of RIAs viewed uncertainty regarding RIA regulation and oversight in the future as a major or moderate challenge, indicating that regulatory pressure continues to be a significant issue for the industry. I can assure you, here at MTradecraft, just about everyone we talk to is confused.

The SEC’s new regulation 206(4)-9 will be an expensive and complex task for many firms. With heavy fines in place, it is important to make sure you are compliant with the regulations as soon as possible. If all of this sounds daunting or like a lot to handle on your own, don’t worry! Our team at MTradecraft has extensive experience helping companies understand and comply with these cybersecurity regulations. We offer comprehensive solutions that cover everything from vulnerability scans and threat assessments to network mapping and employee training – so let us help take some of the burden off your shoulders. Reach out today to learn more about how we can assist you in meeting regulatory requirements while keeping your data safe and secure.