LOGIN
Subscribe

Policymakers should tailor regulations for small businesses

small businesses

The SEC's proposed cybersecurity rule is an example of a one-size-fits-all regulation that would significantly affect smaller firms.

Small businesses are the core of the fiduciary investment advisory community, with 88% of advisers having 50 or fewer nonclerical employees, according to the recent Investment Adviser Association Investment Adviser Industry Snapshot.

To preserve the important place of these small businesses in the financial services ecosystem and allow them to thrive, it is imperative for policymakers to acknowledge the unique challenges smaller advisers face. Policymakers must consider the individual and cumulative impacts of policy decisions on these small businesses and their ability to serve the investing public.

The Securities and Exchange Commission is required to analyze the economic impact of proposed regulations that are likely to have a significant impact on a substantial number of small businesses and must consider alternatives to minimize these burdens. As a practical matter, however, the SEC is not required to conduct any meaningful analysis because virtually no SEC-registered advisers fall under the SEC’s definition of small business. With rare exceptions, an adviser must have a minimum of $100 million in assets under management to fall under SEC jurisdiction, but the SEC inexplicably defines a small business as an advisory firm with less than $25 million in AUM.

While some regulatory changes will primarily affect how advisers conduct their advisory activities, all changes require the attention of a firm’s compliance, operations and legal personnel. Complex changes take up a significant amount of a firm’s time and bandwidth, often requiring additional personnel or outsourcing. And most changes will require fixed investments in infrastructure, technology, and systems.

Failure of the SEC to tailor its regulations to the scale of an advisory firm’s business significantly affects smaller advisory firms.

One such one-size-fits-all regulation is the SEC’s proposed cybersecurity rule, which would require firms to report significant incidents to the SEC within 48 hours, continuously provide updates, and make very detailed disclosures to regulators and investors. 

As fiduciaries, advisers are keenly aware of and concerned about the substantial consequences of cybersecurity breaches for their clients and the threat these risks represent to their businesses. Advisers thus take very seriously existing requirements to maintain and implement policies and procedures reasonably designed to address risks associated with their operations. We support the SEC’s requirement to this effect.

The SEC’s proposed requirement to immediately report and continuously update the SEC while a cyber incident is occurring, however, would detract from an adviser’s ability to respond to incidents in real time in the critical first hours and days of assessing and managing the incident. It would also impose significant costs and burdens on advisers without commensurate benefit, particularly for smaller firms. And there will be substantial negative consequences from aspects of the proposal where making sensitive information public could provide a road map to potential wrongdoers.

Existing guidance has already been published by the SEC’s divisions of investment management and examinations to help advisers assess their policies and procedures to ensure that they reasonably address the latest cybersecurity threats and vulnerabilities. 

The SEC should review both the individual and cumulative effects of this proposed rule by undertaking a more comprehensive, accurate and quantifiable assessment of the costs, burdens and economic impacts on advisers and by striking a better balance between these costs and the rule’s potential benefits. In this regard, the SEC should exclude smaller advisers from those elements of the rule where any benefit will be marginal but where the proposal severely underestimates the costs and burdens on smaller firms. The IAA stands ready to work with the SEC to better balance our shared interests in combatting cyberthreats while allowing the small business community to thrive.

[More: Legislation affecting advisers takes the long and winding road through Congress]

Karen Barr is president and CEO of the Investment Adviser Association.

Adviser keys to post-pandemic success: Fighting inflation, personal touch

Related Topics:

Learn more about reprints and licensing for this article.

Recent Articles by Author

Implications of the SEC rulemaking agenda

Implications of the SEC rulemaking agenda

The more than a dozen major new rules the agency has proposed or finalized will create significant disruption for investment advisors, with substantial long-term implications.

Policymakers should tailor regulations for small businesses

Policymakers should tailor regulations for small businesses

The SEC's proposed cybersecurity rule is an example of a one-size-fits-all regulation that would significantly affect smaller firms.

All clients deserve advice that is in their best interest

All clients deserve advice that is in their best interest

Providing investment advice as a fiduciary goes beyond disclosure of conflicts of interest.

Latest news

Younger Americans’ wealth growth has beaten historic norms  

Younger Americans’ wealth growth has beaten historic norms  

Despite the cost of living, Americans remain on top of their mortgages

Treasury options traders keep Fed hike on table

Deutsche buybacks at risk amid $1.4B legal action fund

New bid for song catalog fund puts Blackstone at #1

FX traders wonder when Tokyo will support the yen

  • RIAs
  • April 28, 2024

Are RIAs failing their clients?

X

Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print

Subscribe

Get unlimited access to InvestmentNews

Subscribe for just
$19.99 per month.

Subscribe