Now, Stein, who’s term expires at the end of the year, is hoping to see Reg SCI expanded to include more fund management structures to the ruling, including broker-dealers, investment advisers, and transfer agents. Furthermore, suggestion also includes placing dedicated IT pros on all governing boards, mandatory meetings between directors and chief information security officers, and clearer, more transparent and narrower parameters to the ruling for a raised minimum threshold of compliancy.
Looking back, we can attest that all oversight and regulation is in response to the operating climate that led up to it. It wasn’t long ago, for example, when business and financial IT went barely beyond the basic anti-virus and firewall breach detections. The SEC threw their hat in the ring in 2014 to mediate, releasing the National Exam Program (NEP) Examination Priorities and highlighting how expectations in cybersecurity were highly vague and poorly defined. The New York Department of Financial Services, at the state level, then took it a bit further—but questions remained. The culture of IT regulation compliance was little more than a box-ticking effort, and many vendors could sell less-than-trustworthy solutions that skidded through loopholes and ambiguities.
In considering this, it’s easy to assume Reg SCI will be expanded in scope, as most regulation eventually is. If it does happen, however, what will asset managers need to know?
- Vendors will be forced to meet the new minimum
With improved transparency, clarity and parameters, loopholes are going to close. Questionable vendors and unsecure products will be harder to sell as the expectation to define their proposals will increase, and for the first time ever, we foresee a situation where sub-par vendors will start to face consequences from government oversight.
At RFA, we champion four pillars of IT compliancy: resiliency of systems, watertight security, reconciliation of data and reporting regular functionality. These are going to be further upheld, even as regular reporting to the SEC and FINRA is already in place, and the culture of box-ticking will dissipate to make room for more thorough ODD practices. Read our recent article on ODD here.
- Managers will be responsible for choosing suitable vendors
Of course, with clearer definitions of what constitutes regulatory compliance, managers will also be expected to properly vet providers and their technology offerings. This doesn’t necessarily mean selecting technology products themselves, but instead working with third party vendors that can properly assist—particularly in assessing for capabilities in the aforementioned four pillars, as well as actively requesting a summary of controls and how product options align with the current regulatory environment.
While this may seem like a significant expense of time and employee resources, it will actually reduce the number of subpar IT infrastructure service providers, raising the bar for the industry overall and ultimately reducing cyber risk on the buyside (which of course benefits end investors). It will also allow for managers to more clearly understand gaps in their infrastructure, and choose solutions better tailored to their needs.
- IT compliance culture will grow
Combining these predictions with Stein’s expectations of leadership involvement in cybersecurity will mean regulatory compliance will be just as much an internal consideration as external, and compliance training at all levels will likely need to grow.
The growth of techfin—technology that improves financial productivity as part of larger offerings—will compound this as well. Well-known tech giants such as Microsoft and Google currently have highly convoluted compliances processes, and as we start to see them move into the financial services arena, they will be forced to adhere to regulations that previously didn’t apply to them.
Today, the regulatory climate has moved on somewhat from the “wild west” situation of five years ago, and it’s now up to third-party vendors such as RFA to know the ins-and-outs of not just the minimum standards for compliance, but what a client truly needs to thrive in the face of their unique challenges and threats.
As digital malice and IT attacks constantly grow in sophistication, both managers and vendors need to not just keep up, but stay ahead of the curve. Firms must be diligent enough to move away from casual once-a-year reporting to a situation where they are able to regularly provide reports to regulators and investors, and maintain systems that are both secure and transparent. What the industry is approaching, hypothetically, is another step towards increased standardization and democratization, as well as improved interpretability of systems. We’re seeing the same thing right now in the crypto space.
Should Reg SCI evolve, everyone will become empowered to move forward and operate at higher capabilities and with stronger defenses. Tech products will be forced to perform and report for their buyers at an optimal rate, and our asset management clients will be far better positioned to understand their IT responsibilities—ultimately working with us as a closer and more powerful strategic partner than ever before.