Regulatory issues that aren't getting the attention they need, “but advisors are moving on them nonetheless because they are smart business decisions,” include cybersecurity, business continuity, succession planning and disaster recovery, argues MarketCounsel CEO Brian Hamburger.
Indeed, while the SEC as well as FINRA have yet to release formal rules regarding cybersecurity, both have released guidance.
In mid-September, the SEC added to its previously issued guidance by releasing a set of questions for advisors and broker-dealers to answer regarding their cybersecurity preparedness, as the agency starts conducting its second round of cyber-related exams this month.
OCIE issued the questions as part of its Risk Alert providing additional information on the areas of focus for the exam division's second round of cybersecurity exams, which the agency says will involve “more testing to assess implementation of firm procedures and controls.”
The SEC's Division of Investment Management released cybersecurity guidance in April to help advisors and funds address their cyber risks.
Brian Rubin, partner with the law firm Sutherland Asbill & Brennan in Washington, says that “all firms should carefully review” the SEC's alert to see how they would answer these questions, even if they think that the SEC won't be examining them in the near future.
The SEC, he says, “isn't interested in playing ‘gotcha games.’ They want firms to take the right steps.”
The alert tells firms to ensure they are properly addressing cybersecurity measures in the following areas: governance and risk assessment; access rights and controls; data loss prevention; vendor management; training; and incident response.
The SEC is also working on mandatory succession planning rules for advisors, which should be out by year-end.
More Advisor Exams Loom
While boosting oversight of advisors via user fees, third-party examiners or a separate self-regulatory organization was dead politically this year, none of those issues has gone away, says Brian Hamburger, CEO of MarketCounsel, and more advisor exams are likely on the horizon.
All three of those issues “continue to be at the forefront of discussions” on how to increase RIA oversight, Hamburger says.
But he argues that “quantifying” the exam problem must take place first. “There seem to be some baseless assumptions that advisors need to be examined as frequently as broker-dealers. No one has really analyzed what the proper frequency of [advisor] exams is,” he says. “We’re already engaged in dialogue about how best to examine advisors without quantifying the problem. It's kind of dangerous how we have skipped an important part of that dialogue.”
What's more, while the Dodd-Frank Act increased the threshold for SEC advisor registration to $100 million, which is “a nice stepping-off point,” Hamburger says, “regulators will have to take another look at and increase [that threshold] again.”