2024 Could See the SEC’s Cybersecurity Rules for RIAs and Funds Finalized. When Will the Government Actually Start Helping As Opposed to Just Fining?

By Michael Brice

Almost two years ago the Securities and Exchange Commission (SEC) announced its plans for enhanced cybersecurity regulation of registered investment advisers (RIAs) and funds. Since that time the SEC has released similar rules for publicly traded companies (I’ve already written about this here). Yet the new rules are still not final. While there’s talk that these regulations might become effective this coming April, your guess is as good as mine as to whether this timeline will stick. With that said, when these rules do become final, I suspect the SEC will be quite swift in making public examples of RIAs who fall victim to cyber criminals once these regulations are implemented (again, please refer to my prior article on this issue here). In a worst-case scenario, I envision this to be a classic double-whammy in which ‘the beatings will continue until morale improves’.

OK, maybe I’m being (very) cynical. After all, I’m a cyber vendor who stands to gain by any/all additional cyber regulatory compliance, so why bite the hand that feeds me, right? Well – truth be told – I’m angry. If regulations are the ‘stick’, we need some ‘carrots’. That’s right, positive reinforcement. I’d like to see our government provide some parity with these newly emerging cyber regulations in which it also provides some support to cyber victims to help them recover from a cyber-attack.

Is that such a novel concept? I’m not talking about the creation or expansion of a cyber government organization – we already have CISA (Cybersecurity & Infrastructure Security Agency). I’m referring to the number one cyber financial threat affecting RIAs, private equity firms and PE portfolio companies nationwide: wire fraud. And guess what, it’s probably the number one cyber financial fraud threat affecting Jane and Joe America.

I lead wire fraud incident response services for BW Cyber, and can say, without a doubt, that the playing field is significantly skewed in favor of the attackers. It doesn’t need to be that way.

If you’ve not been the victim of a wire fraud – be thankful. Wire fraud happens much, much, much more than most people realize. Why? Because it’s sickening, embarrassing, humiliating, traumatic, and if you’re an RIA, it’s a big fat red flag. So, nobody talks about it publicly. Well, I do talk about it; so let me explain briefly what a wire fraud looks like and what you can expect.

  • You find out you were tricked into sending a wire (usually in the hundreds of thousands of dollars but often in the millions of dollars). The realization is sickening.  
  • You don’t know who to call or what to do, but most people start with their bank. Good luck.
  • Banks are good people, but they are just people. So, you may be lucky and have a bank fraud unit that helps you to get your money back. Or you might not; there’s no legal requirement for them to help you because guess what – it wasn’t their fault, and they are damn well going to make sure you know that.
  • So maybe you call the Sheriff, or Secret Service, or Treasury, or the FBI. Spoiler alert, the proper immediate step to take once you realize you are a victim of wire fraud (after you notify your bank) is to submit a fraud report to the FBI via the http://www.ic3.gov/ website. If you’re reading this and you knew that – you are in the minority. Most of my clients are not aware of this extremely critical step that must be taken to get the FBI to work with your bank (and the other banks inevitably involved as your money flows out of the country) to implement their “Financial Fraud Kill Chain”. Yes, that’s a real thing and you want it on your side.
  • Now guess what – nobody updates you on the status of your loss. Nobody. This goes on for months. You just hope that the bank is doing what they are supposed to do and that your IC3 report is being investigated by the FBI.
    • I’m a huge fan of the FBI – I work with them almost every week in support of our clients, and the Special Agents in the Cyber Division are fantastic. They want you to get your money back as much as you do. But work the math on how many complaints they receive per year divided by the total number of agents and you then realize why the playing field is tilted against you (and them) if you’re a wire fraud victim.
  • Now for the kicker. There is not a single government agency that is federally funded or mandated to report to Congress with the primary goal to defend and protect Americans against wire fraud. Put differently – there’s no Wire Fraud Help Desk. It doesn’t exist.
  • As best I can tell, the FBI does what they do because they care – not because Congress has made it a regulatory requirement. And you know who else cares – Treasury, the Secret Service, and your local Sheriff. And yes, I suspect even your bank…
  • Yes, I do believe they all care. But without an agency with a federally funded legal mandate with a stated mission to be the ultimate agency to oversee and respond to wire fraud, to answer your calls, to provide you a wire fraud ticket, to ensure your bank is actively working to get your money back, to keep you updated on your fraud case, and to be ultimately responsible to report to Congress – you’re left hoping that somebody at the bank or at the FBI or somewhere else will elevate your wire fraud case above the other 3.2 million (and growing) cases that are overwhelming our government. Until we do this, wire fraud will continue to proliferate.
  • So how does this end if you are the victim of a wire fraud? Sadly, unless you identify the fraud within ~3 business days, the odds are not in your favor to get your money back – diminishing every day that goes by after day three. As I said initially: it’s sickening, it’s embarrassing, it’s humiliating, it’s traumatic, and if you’re an RIA, based on the new regulations, it’s possibly going to result in an SEC regulatory enforcement action.

Any wonder now why I’m mad as hell and writing an article that sounds like I’m biting the SEC hand that feeds me? It’s because ultimately, I’m a little guy with only a little bit of voice shouting at the top of my lungs to our government to “Get us some help to get our money back!” And while I’m cursing the gods at the top of my lungs, the organization that has the voice to make this happen continues to focus on hitting our clients with the ‘stick’ versus offering them a ‘carrot’. In this instance, the carrot is a push for Congress to have a legal mandate for a single federal organization to own wire fraud for the US government, and be responsible to help our businesses, organizations, and citizens when they are wire fraud victims.

Perhaps this note should go to your local Congressman/Congresswoman…