On their face, the proposals would seem to impose substantial new costs across the industry, especially considering the nearly 1,200 total pages of new guidance and explanation. The SEC concluded otherwise, estimating, for example, that the average internal costs per Covered Entity for the new policy and procedure and annual review requirements of Rule 10 would be only $14,531.54 per Covered Entity and $29.1 million in total (in addition to external costs of $3,472 per Covered Entity and $6.9 million in total external costs). The SEC estimated that a compliance attorney and assistant general counsel would require a total of 31.67 hours—four working days—to comply with the rules. It is difficult to square these estimates with the expansive new requirements; one wonders whether a firm could even read the three proposals and respond to the SEC’s many requests for comment in that amount of time. The accuracy of the cost estimate may provide a basis to challenge the rules if they are adopted.
The proposal also would create new hindsight enforcement risk. The SEC frequently brings enforcement cases involving policy and procedure requirements, such as the policies and procedures to prevent the misuse of material, nonpublic information required under Exchange Act Section 15(g) and Investment Advisers Act Section 204A. Cybersecurity-related enforcement actions have been on the rise in recent years, a trend that is sure to continue if the proposed suite of new requirements is adopted.
Source: SEC proposes sweeping new package of cybersecurity requirements for regulated market participants | Davis Polk