Small firms won’t get a pass on cyber security rules, Securities and Exchange Commission Investment Adviser/Investment Company Examination Program chief Jane Jarcho said Friday.

As these regulations are developed by the Office of Compliance Inspections and Examinations, Jarcho said, the working hypothesis is large firms are taking cyber security more seriously than small advisory businesses. She added that theory had yet to be proven.

Jarcho said that when cyber security rules come out (she offered no timetable), there won’t be particular, absolute precautions that have to be taken.

Expanding on OCIE’s recent announcement of mini focused and risk-based exams to cover more advisors who have never been examined, Jarcho said the primary target will be firms that have been registered for at least three years, but she said newer advisory operations will be included.

She revealed all the risk exams will include at least one telephone interview by the SEC with the business. She said she wasn’t sure how many of these reviews will contain on-site visits.

Jarcho spoke at the Investment Adviser Association’s compliance conference in suburban Washington, D.C.

The day before at the seminar, IAA Chief Executive Officer David Tittsworth said no big, single issue affecting investors is on the horizon at the SEC other than money market mutual fund rules.