A number of FSOC's suggestions relate to expanded data collection. While "information is good," in theory, data collection is expensive and so much of what Congress and the regulators have mandated to date has been of little value. By way of example, nothing ever came of the requirement that firms report information to the regulators on their pre-Dodd-Frank swaps. Form PF for private advisers has been an extended and expensive exercise in the collection of useless data.

The study and Robert's comment above raise a broader and ongoing question: How much of government conduct is motivated to increase turf or to justify its own conduct? That, in turn, raises the question: How can such motivations be countered?

This is one of the most explicit attempts by the regulators to require the formalization of cybersecurity compliance procedures, just as firms would formalize procedures to obtain best execution or to prevent insider trading. Firms that have not done so are thus warned that cyber, and other technology risks, should be fully integrated into their compliance programs.