Subject: S7–04–23
From: Kraig Hotelling
Affiliation:

Oct. 14, 2023

The SEC's prescriptive one-size-fits-all approach to operational resilience could undermine the effectiveness of the regulation. The nuances of each advisory firm's business model, client base, technology infrastructure and risk profile warrant a more flexible, principles-based approach.
Mandating every firm designate a CISO, conduct penetration testing and maintain a fixed cybersecurity budget imposes a rigid framework that stifles innovation. Rather than checkboxes, firms need guidance to develop customized resilience plans that address their unique vulnerabilities.
Smaller firms that can't afford to comply may simply exit the market, reducing competition. Larger firms may rely too heavily on complex tools without adapting them to business needs.
The requirements could fixate firms on compliance at the expense of actually improving resilience. A poor cybersecurity system that checks regulatory boxes is useless against real threats.
Prescriptive regulations often lag current threats and technological advances. A resilient system requires agility to adapt, not box-ticking. As threats evolve, so must solutions.
Principles-based regulation outlining desired outcomes while allowing firms discretion on implementation would maintain high standards while encouraging innovation. Requirements could scale based on firm size and risk profile.
Imposing rigid security structures risks a compliance mindset. Enabling firms to tailor resilience programs to their needs, with regulatory oversight, fosters an ethos of continuous improvement and adaptive security. This benefits advisers and clients alike.
The SEC should re-evaluate its approach to balance appropriate oversight with flexibility. Success lies not just in what is required, but how firms are empowered to meet objectives. Resilience is realized through robust frameworks tightly integrated with business needs – not checking boxes.

Kraig Hotelling 
919.632.8040 
www.linkedin.com/in/kraig-hotelling-43748410