In November, the SEC held one of its regular compliance outreach seminars for investment companies and investment advisers. In attendance was Drawbridge’s own Simon Eyre, along with SEC Compliance Solutions’ CEO Elizabeth Cope.
Seminar discussions centered on the SEC examination priorities published at the end of October, showing a clear emphasis on strengthening existing rules.
We’re sharing Simon and Liz’s top takeaways from the SEC seminar to help you prepare for the regulatory road in 2025.
Regulators want to achieve increased operational resilience
The recent Reg S-P amendment has been a major topic of conversation across the investment industry since it was first published earlier this year. Firms and advisers are also paying close attention to the SEC’s 2025 examination priorities.
For cybersecurity, these regulatory standards will home in on your firm’s policies and procedures.
On the international level, there’s a broad focus on establishing greater operational resilience in the industry. Regulators want to see that your firm is not just capable of handling a breach but is taking the necessary steps to protect itself and its clients from threats.
Firms need to identify their essential vendors
Your essential vendors are the ones that serve the most critical purposes for your business and stand to have the most significant impact on your firm should a vendor breach occur.
The SEC wants firms to start putting more thought into their vendor hierarchy and how risk is assessed across it. Specifically, firms need to start applying the same cybersecurity standards used internally to their vendors as well, especially those with access to business-critical data.
Keeping track of all the vendors used across your business ecosystem is the key to effectively monitoring your cyber and data risks and to avoiding instances of shadow IT.
Pay attention to SEC publications
If you want to keep up with new regulatory expectations, you need to be reading the SEC’s Risk Alerts.
Every few months, the SEC puts out public alerts aimed at reminding firms of their current regulatory obligations. Risk Alerts draw on the findings of compliance examinations, making them an excellent resource to reference regularly.
For cybersecurity, some of the core requirements regulators look for and report on include:
- Patch management
- Multi-factor authentication
- Password policies
- Policy and procedure documentation
- Ongoing cybersecurity training
- Security feature reviews
Make cyber training an ongoing part of your workplace
As far as cybersecurity training goes, your firm needs to home in on two key factors:
- Training should be specific to the role of the person.
- New employees need to be trained as soon as possible.
Business email compromise (BEC) and social engineering are two of the biggest cyber threats for today’s firms. Tailored, continuous training delivered early in the employee journey helps keep your risk of human error comfortably low.
Need help creating an incident response plan or establishing effective and ongoing training?