
Cybersecurity remains a priority in the SEC’s 2025 exam agenda:
The Division continues to emphasize cybersecurity practices to safeguard customer records and information. Specific focus areas include policies, governance, data loss prevention, access controls, account management, and responses to incidents like ransomware attacks…
Despite the rule not passing, the SEC believes it has authority under Reg S-P, Reg S-ID, the Advisers Act compliance rule, and 206(4) of the 1940 Advisers Act. It argued the rule would provide clarity, implying, “We believe the law already mandates these actions, but we’re formalizing expectations.”
Amendments to Reg S-P requiring more cybersecurity actions independently reinforce this view. For RIAs, cybersecurity remains a focus, albeit less consistently. Expect the SEC to prioritize data protection (Reg S-P, S-ID) over operational resiliency (cybersecurity rule).
On exams, expect that the SEC will want to see:
- Policies and procedures related to Reg S-P and Reg S-ID
- How you will continue record-keeping during cyberattacks
- Examination of agreements with service providers on attack responses
Even if the rule isn’t going anywhere, that doesn’t mean cybersecurity is going away.
WHAT ABOUT THE RULE?

As 2025 begins, we’re witnessing a dramatic shift in regulatory priorities. I’m not here to choose sides but to offer predictions.
SEC Chair Gary Gensler, criticized for his active policy shaping, announced his resignation effective January 20th, 2025. Former SEC commissioner Paul Atkins has been nominated as his successor.
The Commission’s composition will shift from three Democrats and two Republicans to the opposite.
What impact will Atkins have on the SEC, especially regarding cybersecurity rules? Although his pro-crypto stance dominates headlines, expect broader changes.
“[Atkins is] likely more capable than anyone to radically transform the SEC agenda and the agency itself,” said former SEC official Tyler Gellasch. According to Anderson P.C., “Atkins is expected to advocate for more pragmatic cybersecurity policies, allowing companies to address breaches effectively without the fear of premature regulatory penalties.”
Commissioner Peirce has publicly opposed the cybersecurity rule for RIAs, stating, “The area of cybersecurity demands transparent cooperation between regulators and financial firms towards a shared goal. A cybersecurity rule that acts as a cudgel will not facilitate such cooperation.” It’s doubtful Uyeda or Atkins will support it more aggressively.
Our conclusion: proposed cybersecurity rule 206(4)-9 will be somewhat enforced but not finalized.
