By Michael Brice, Founder and President, BW Cyber
I’ve been preaching cybersecurity for years; after all, that’s my job. I’ve spoken at goodness knows how many conferences in the past decade, imploring fund managers to secure their business and avoid wire fraud. But it’s always been seen as I were selling life insurance: you know it’s a good idea, and you can afford it, but it’s not mandatory, and you’ve got plenty of time to do it – in the future…
Except that if you’re an SEC registrant, it’s about to become mandatory. Back in February last year, the SEC issued proposed new cybersecurity rules to enhance investor protection around cybersecurity risk; specifically, investment advisers and fund managers would need to implement written cybersecurity policies which would “address cybersecurity risks that could harm advisory clients and fund investors” as well as require advisers to report “significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the Commission on a new confidential form.” Not much really happened during the remainder of last year; a few comments here and there from parties with specific interests, but now it seems that the SEC is approaching something of a decision; the Office of Information and Regulatory Affairs suggests that the amendments are at the Final Rule Stage.
With that in mind, the best I can say is that it’s going to be interesting to see what those final rules are. Some of the ones floated even include adding your service providers, and even having a mandatory requirement to report a cyber incident (if somebody can properly determine what a cyber incident is). And to make matters even more complicated, they might require a short timeline for reporting these ‘cyber incidents’ to the regulators – like within 48-72 hours (what a can of worms that one could be). However, I do have a few thoughts on this which will apply whatever the SEC decides.
Let’s start off with the good.
It’s good that there will now be an established floor for the wealth management industry when it comes to cyber. Yes, this will benefit firms like BW Cyber. But whether you buy your solution from us or someone else, it’s good that both you and your clients will be better protected. And while not many managers may view it that way, I’ve seen how unbelievably costly and impactful a cyber incident can be for managers who are not properly secured. So yes, you’ll now have to spend a bit more money. But it’ll cost you a lot less than what it would cost if you experienced a cyber breach. With that said, the real challenge will be to determine just how much you spend and exactly what that spend gets you.
Here’s what’s potentially not so good.
First, many funds will simply do their best to get by with the bare minimum of the SEC’s requirement, and not consider the bigger picture. Sadly, this is often only a piece of paper with writing intended to pass an audit, but providing no actual protections. While this approach may pass muster with an auditor, it will not stop an attacker. As I said above, the regulatory environment sets a floor, but there will always be more that can be done to mitigate cyber risk. For example, there is nothing in the SEC’s proposed rules about dark web monitoring or typosquat domain protections (if you have ever been targeted with wire fraud, you’ll know what a typosquat is), something we think is important.
Second, I’ve heard from clients that adding a cyber risk protection plan into an asset management business has been a tailwind to their capital raising efforts, especially for the smaller and emerging hedge fund managers that often compete with each other for institutional capital after they have secured their initial friends and family money. That competitive advantage is clearly going to be diluted at best; while some managers will maintain a higher level of protection, now every fund has some kind of protection, so from an ODD perspective, investment managers will need to figure something else out to help them come across as being ‘institutional-ready’ to potential new investors.
Third, a new layer of costs makes the hurdle higher for start-up asset managers; it’s now more costly to run a pooled fund or managed account for a client. That might put some off, leading to a further reduction in the number of new products coming to market from new and emerging investment talent. However, with the right vendor, cyber compliance for new and emerging managers really shouldn’t be that expensive, as cyber is really all about scale and complexity.
With all that said, I think the good outweighs the not so good (he’s obviously going to say that, I hear you cry). Yes, the hurdle to launching a new fund is now higher. Yes, it’s going to be harder to use a cybersecurity plan as a capital raising tool. Yes, many funds will only stick to the bare minimum or ‘paper compliance’ plan. But what outweighs that is that literally trillions of dollars of existing investor capital will now get an added layer of protection. It’s what I’ve been preaching for more than a decade, and if you’ve seen my Wire Fraud webinars, you already know that over 44 billion dollars has been lost to cyber wire alone since 2016.