Mar. 29, 2023
March 29, 2023 I cannot support this proposal. There should be minimum thresholds of at least $10 billion in AUM before these rules apply. Small RIA's are already fulfilling their fiduciary duty to clients in safeguarding their information under regulation sp. Further, you could replace this entire rule proposal with a requirement that all RIAs have to have a certain amount of cybersecurity insurance. Insurance companies have a laundry list of requirements in order to get coverage and so the free market is already ensuring the bolstering of cyber defenses. A simple insurance requirement based on amount of assets would solve this in a much simpler fashion than the proposal. As a compliance officer at a small firm, the slew of proposals and requirements that are being added ad infinitim is demoralizing and takes limited resources away from servicing clients which is where the focus should be. It also makes the pool of talent going into compliance smaller and smaller because who in their right mind would want to lead a career in compliance with the never ending new regulations. As others have pointed out, there have been so many hacks at this point in the federal government including the SEC, leaks at the IRS, Solarwinds, etc, trying to force additional rules on RIAs is hilariously hypocritical. The SEC should also change its rule proposal comment regime to allow the tagging of people who are actually impacted by the rule being proposed (meaning will be forced to do the work) vs compliance consultants, etc who will always favor more regulation because it is better for their bottom line.