SEC Will Examine Cybersecurity Compliance for All Market Participants in 2025
The SEC has unveiled its 2025 examination priorities, highlighting the emerging and continuing risk areas it perceives among wealth firms, investment advisers, broker-dealers, and wealth technology companies.
KEY TAKEAWAYS - As the priorities below make clear, cybersecurity and cybersecurity compliance are two different things: having controls in place is not the same as being able to evidence them to an examiner.
Cybersecurity Policies and Procedure Accuracy and Enforcement Will Be Scrutinized
Particular attention will be on firms’ policies and procedures, governance practices, data loss prevention, access controls, account management, and responses to cyber-related incidents, including those related to ransomware attacks.

Firms Must Assess and Monitor Third-Party Vendor Cybersecurity Risk
The Division will continue to consider cybersecurity risks and resiliency goals associated with third-party products, subcontractors, services, and any information technology (IT) resources used by the business. The focus will include assessments of how registrants identify and address these risks to essential business operations.

Reg S-ID and S-P Compliance Must Be Evidenced
Examinations will focus on firms’ policies and procedures, internal controls, oversight of third-party vendors, and governance practices. Examiners will also review firms’ practices to prevent account intrusions and to safeguard customer records and information, including personally identifiable information, especially as they pertain to firms with multiple branch offices.

Incident Response Plans Must Be Built and Tested
In preparation for the compliance date of the Commission’s amendments to Regulation S-P, the Division will engage with firms during examinations about their progress in preparing to establish incident response programs reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.