How to Prepare Your Firm for SEC Compliance in 2025?

In May 2024, the U.S. Securities and Exchange Commission announced the Regulation S-P amendment. We covered the S-P Amendment update when news of this regulatory change first broke.

Per the SEC’s press release, the amendment applies to broker-dealers, investment companies, registered investment advisers, and transfer agents. Specific requirements fell into three main categories:

  1. Incident response
  2. Third-party vendor risk
  3. Recordkeeping

These changes laid the groundwork for new regulatory expectations outlined in the regulator’s Examination Priorities for 2025.

Firms have approached us to ask what cybersecurity concerns to focus on in light of the SEC documentation. We’re taking a look at the exact specifications of this new publication and what it means for your compliance strategy and cyber program.

What Do the 2025 Exam Priorities Say About Cyber?

The SEC’s Division of Examinations annually publishes its Examination Priorities, highlighting key areas of regulatory focus for the upcoming year that firms need to be aware of.

During 2025, the Division plans to pay close attention to the following risk areas:

Cybersecurity

Cybersecurity risks have become more pronounced in recent years. Attackers are noticeably more sophisticated, and many firms now face a heightened risk of a data breach.

The SEC reports that operational risks remain elevated in the coming year due to the “proliferation of cybersecurity attacks, firms’ dispersed operations, weather-related events, and geopolitical concerns.”

One major area of concern is the protection of customer records and information. The Division plans to pay special attention to each firm’s:

  • Cyber policies and procedures.
  • Governance practices.
  • Data loss prevention measures.
  • Access controls.
  • Account management protocols.
  • Cyber incident response.

Third-party risk is also at the top of regulators’ minds. Cybersecurity risks and resiliency goals associated with third-party service providers will be a critical area for assessment, including evaluations of how firms identify and address these risks.

Regulation S-ID and Regulation S-P

Expect reviews for your compliance with Regulations S-ID and S-P in the coming year.

Examinations will assess identity theft prevention, protections in place for personally identifiable information, and prevention of account intrusions. Special emphasis will be placed on firms with multiple breaches, and all firms will have their risk management training procedures evaluated.

The Division will also monitor firms’ progress on incident response programs for unauthorized data access ahead of the new Regulation S-P Amendment implementation deadline of December 2025, or December 2026 for smaller firms.

AI and crypto

For companies leveraging emerging financial technologies like AI and crypto assets, the Division plans to evaluate the use of these technologies with a focus on accuracy and risk management. Anti-money laundering (AML) programs will also be scrutinized for accuracy and compliance.

For more information on the SEC’s recent seminar and what this means for you, watch the replay of our recent fireside chat with Elizabeth Capo from SEC Compliance LLC: SEC Seminar Recap: Essential Compliance & Cybersecurity Takeaways.
