The SEC’s Division of Examinations has released its 2025 priorities, and cybersecurity compliance has never been more critical. With Regulation S-P amendments taking effect December 3, 2025, and heightened scrutiny on AI-enabled threats, financial institutions face a compliance landscape that demands immediate action.

Executive Summary

The Securities and Exchange Commission’s Division of Examinations announced its 2025 examination priorities on October 21, 2024, maintaining cybersecurity as a “perennial examination priority” while introducing significant new compliance requirements. As detailed in our comprehensive 2025 compliance guide, the regulatory landscape has become increasingly complex across multiple jurisdictions. The priorities reveal three critical focus areas that every registered investment adviser, broker-dealer, and covered financial institution must address:

  • Regulation S-P compliance with staggered deadlines (December 3, 2025 for larger entities, June 3, 2026 for smaller)
  • AI-enabled threat detection and identity theft prevention programs
  • Emerging technology oversight including automated investment tools and trading algorithms

For the cybersecurity community, this represents the most comprehensive regulatory shift in data protection requirements since Regulation S-P’s original adoption in 2000. Public companies must also remain aware of their Form 8-K cybersecurity disclosure obligations that run parallel to these new requirements.

Understanding the New Regulation S-P Requirements

Who’s Affected and When

The amended Regulation S-P applies to “covered institutions,” including:

  • Investment advisers registered with the SEC (larger entities: $1.5B+ AUM)
  • Broker-dealers (those with over $500,000 in total capital)
  • Investment companies
  • Funding portals
  • Transfer agents

Critical compliance dates:

  • December 3, 2025: Larger entities must be fully compliant
  • June 3, 2026: Smaller entities must be fully compliant

Five Mandatory Components

1. Written Incident Response Program

Covered institutions must develop, implement, and maintain written policies and procedures reasonably designed to:

  • Detect unauthorized access to or use of customer information
  • Respond to security incidents with documented assessment procedures
  • Recover from incidents while maintaining business continuity
  • Contain the scope and impact of security events

The incident response program must specifically outline procedures for assessing the nature and scope of security incidents, determining which customer information was compromised, and taking steps to contain and mitigate harm.

2. Customer Notification Requirements

Perhaps the most significant operational change: covered institutions must notify affected individuals within 30 days of determining that unauthorized access to “sensitive customer information” occurred or is reasonably likely to have occurred.

Sensitive customer information includes:

  • Social Security numbers
  • Driver’s license numbers
  • Passport numbers
  • Account numbers combined with security codes or passwords
  • Biometric records

Notification must include:

  • Description of the incident
  • Types of information involved
  • Actions taken to protect the information
  • Contact information for the institution
  • Reminder to remain vigilant for identity theft

Limited exceptions:

  • Attorney General determination of national security risk (30-day delay, extendable)
  • Law enforcement requests for delay

3. Service Provider Oversight

The amendments impose stringent vendor management requirements. Covered institutions must establish written policies ensuring service providers:

  • Implement appropriate safeguards for customer information
  • Notify the covered institution within 72 hours of becoming aware of any security incident
  • Maintain documented information security controls

This 72-hour notification requirement represents a critical operational change. Organizations must immediately:

  • Review all existing service provider contracts
  • Amend agreements to include 72-hour breach notification clauses
  • Establish vendor risk assessment programs
  • Implement ongoing monitoring protocols

For contracts not up for renewal, institutions should document requirements through email confirmation or side letters to ensure compliance.

4. Enhanced Recordkeeping

Organizations must maintain written records documenting:

  • Incident response program policies and procedures
  • Security incident investigations and determinations
  • Customer notifications sent
  • Service provider oversight documentation
  • Compliance with safeguards and disposal rules

All records must be kept for five years, with the first two years in an easily accessible location.

5. Expanded Safeguards and Disposal Rules

The amendments broaden the definition of “customer information” from narrowly defined account data to include:

“Any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form.”

This significantly expands the scope of data subject to protection requirements.

AI-Enabled Malware and Identity Theft Prevention

The Emerging Threat Landscape

The SEC’s 2025 priorities specifically call out artificial intelligence as both an operational tool and a threat vector. Recent threat intelligence reveals alarming trends:

AI-Generated Polymorphic Malware: Advanced malware strains now generate unique versions of themselves every 15 seconds during attacks, with polymorphic tactics present in an estimated 76.4% of all phishing campaigns in 2025.

Deepfake-Enabled Fraud: Financial services firms are experiencing surges in deepfake attempts to bypass KYC (Know Your Customer) checks, enabling anonymous money laundering through falsified credentials. CEO fraud has become increasingly difficult to detect as attackers use deepfake audio or video to impersonate senior leaders in real-time meetings.

Autonomous AI Cyberattacks: Research conducted by Carnegie Mellon University and Anthropic in 2025 demonstrated that large language models can autonomously plan and carry out sophisticated cyberattacks without human intervention, replicating attacks like the 2017 Equifax breach by exploiting vulnerabilities, installing malware, and stealing data.


SEC Examination Focus Areas

Division of Examinations staff will review how registrants:

  1. Monitor and control AI-enabled tools used for:
     • Automated investment platforms
     • Trading algorithms
     • Digital engagement practices (DEPs)
     • Fraud prevention and detection
     • Anti-money laundering compliance
     • Back-office efficiency
  2. Protect against AI-driven threats through:
     • Training programs on AI-specific security risks
     • Controls identifying and mitigating AI-related vulnerabilities
     • Validation of AI marketing claims
     • Documentation of AI implementation and oversight
  3. Prevent identity theft via:
     • Multi-factor authentication systems
     • Biometric verification controls
     • Machine identity security programs
     • Continuous monitoring for synthetic identity fraud

Identity Theft Red Flag Rules

While not new, the SEC is intensifying enforcement of existing identity theft prevention requirements under Regulation S-ID. Covered institutions must:

  • Establish an Identity Theft Prevention Program
  • Identify relevant red flags for their operations
  • Detect red flags in daily operations
  • Respond appropriately to detected red flags
  • Update the program periodically to reflect new threats

Given the rise of AI-generated synthetic identities and deepfake authentication bypass attempts, traditional red flag indicators may no longer suffice. Organizations should enhance detection capabilities to address:

  • Inconsistencies in biometric data
  • Anomalous account access patterns
  • Suspicious device fingerprinting
  • Behavioral analysis of user interactions
  • Machine learning-based fraud detection

The SEC’s Cybersecurity Enforcement Track Record

Understanding the SEC’s enforcement history provides critical context for 2025 priorities.

Notable 2024-2025 Actions

SolarWinds Dismissal (December 2025): The SEC voluntarily dismissed with prejudice its high-profile enforcement action against SolarWinds and its CISO, which had alleged the company misled investors by failing to disclose cybersecurity vulnerabilities. While the dismissal signals potential regulatory recalibration under new leadership, it doesn’t indicate diminished cybersecurity focus.

AI Washing Enforcement: The SEC’s Enforcement Division continued pursuing companies overstating AI capabilities. In January 2025, the SEC settled an action against Presto Automation for misleading statements about AI integration.

Cyber and Emerging Technologies Unit (CETU): Launched February 2025, CETU replaced the Crypto Assets and Cyber Unit to combat cyber-related misconduct and protect retail investors, demonstrating continued prioritization of cybersecurity enforcement.

What This Means for 2025

The Division of Examinations historically uses examination findings to inform enforcement referrals. The 2025 priorities signal that examination staff will closely scrutinize:

  • Gaps between incident response plans and actual practices
  • Delays in customer notification beyond the 30-day requirement
  • Inadequate service provider oversight
  • Missing or incomplete documentation
  • Discrepancies between AI capability claims and actual implementation

Organizations should expect examination staff to request:

  • Complete incident response documentation
  • Service provider contracts and oversight records
  • Tabletop exercise results and training records
  • Breach detection and notification timelines
  • AI governance frameworks and testing protocols

Practical Compliance Roadmap

For Organizations Facing December 3, 2025 Deadline

Immediate Actions (Complete by January 2025):

  1. Conduct gap analysis against amended Regulation S-P requirements
  2. Inventory all service providers handling customer information
  3. Assess current incident response capabilities and documentation
  4. Review existing cybersecurity insurance coverage for notification costs
  5. Establish project team with legal, compliance, IT security, and vendor management

Short-Term Implementation (January - August 2025):

  1. Develop or update written incident response plan including:
     • Detection procedures and monitoring systems
     • Assessment protocols for determining breach scope
     • Containment and remediation procedures
     • Notification templates and workflows
     • Recovery and business continuity measures
  2. Amend service provider contracts to include:
     • 72-hour breach notification requirements
     • Right to audit security controls
     • Specific data protection standards
     • Indemnification provisions
     • Termination rights for non-compliance
  3. Create customer notification infrastructure:
     • Approved notification templates
     • Multi-channel communication capabilities
     • Call center scripts and staffing plans
     • Translation services for multilingual notifications
     • Website and social media response protocols
  4. Implement enhanced recordkeeping system:
     • Centralized documentation repository
     • Five-year retention with two-year easy access
     • Incident tracking and reporting tools
     • Service provider oversight logs
     • Compliance audit trail

Testing and Validation (September - November 2025):

  1. Conduct tabletop exercises testing:
     • Incident detection and assessment
     • Internal escalation procedures
     • Service provider notification triggers
     • Customer notification timelines
     • Regulatory reporting obligations
  2. Perform mock examinations:
     • Internal audit of all documentation
     • Third-party compliance assessment
     • Vendor security audits
     • Penetration testing of systems
     • Social engineering simulations
  3. Staff training programs:
     • Incident response team certification
     • All-staff security awareness
     • Customer service breach notification training
     • Executive crisis communication preparation
     • Legal team regulatory update sessions

Final Preparations (November - December 2, 2025):

  1. Complete all documentation updates
  2. Verify service provider acknowledgments
  3. Test notification systems end-to-end
  4. Conduct final executive briefing
  5. Document compliance readiness for examiners

For Smaller Entities (June 3, 2026 Deadline)

Smaller organizations have additional runway but should not delay foundational work:

2025 Priority Actions:

  1. Learn from larger entities: Monitor initial examination findings and enforcement actions
  2. Participate in industry working groups: Share best practices and compliance approaches
  3. Leverage SEC guidance: Utilize the Small Entity Compliance Guide and fact sheets
  4. Build incrementally: Implement components systematically rather than rushing at deadline
  5. Consider outsourcing: Evaluate third-party compliance and incident response services

AI Governance Framework

Given the SEC’s specific focus on AI-enabled tools and threats, organizations should establish comprehensive AI governance:

AI Use Inventory

Document all AI/ML systems across:

  • Customer-facing applications (robo-advisors, chatbots, recommendation engines)
  • Internal operations (fraud detection, AML screening, compliance monitoring)
  • Trading and investment (algorithmic trading, portfolio optimization, risk analysis)
  • Marketing and communications (personalization, content generation, targeting)

AI Risk Assessment

For each AI system, evaluate:

  • Data sources: What customer information does the AI access?
  • Decision authority: What actions can the AI take autonomously?
  • Transparency: Can decisions be explained and audited?
  • Bias potential: Could the AI produce discriminatory outcomes?
  • Security vulnerabilities: Could the AI be poisoned or manipulated?

AI Controls and Monitoring

Implement:

  • Model validation: Independent review of AI algorithms and training data
  • Ongoing monitoring: Performance metrics and drift detection
  • Human oversight: Required approval for high-impact AI decisions
  • Incident response: Specific procedures for AI-related security events
  • Vendor management: Enhanced due diligence for AI service providers

AI Disclosure Requirements

Ensure marketing claims about AI capabilities are:

  • Accurate and not misleading
  • Supported by documentation
  • Consistent with actual implementation
  • Updated as systems evolve
  • Clear about limitations

Cybersecurity Examination Expectations

What Examiners Will Review

Based on the 2025 priorities and past examination patterns, expect detailed scrutiny of:

1. Governance and Oversight

  • Board/senior management cybersecurity briefings
  • Budget allocation for security programs
  • Cybersecurity expertise on staff or available via consultants
  • Integration of cybersecurity into enterprise risk management
  • Regular reporting on security posture and incidents

2. Technical Controls

  • Access controls and privilege management
  • Encryption of customer information at rest and in transit
  • Network segmentation and perimeter defenses
  • Endpoint detection and response capabilities
  • Vulnerability management and patching procedures
  • Security information and event management (SIEM)
  • Data loss prevention technologies

3. Operational Resilience

  • Business continuity and disaster recovery plans
  • Backup and restoration testing
  • Redundant systems and failover capabilities
  • Crisis communication protocols
  • Third-party recovery service agreements

4. Vendor Risk Management

  • Vendor security questionnaires and assessments
  • Contract terms requiring security controls
  • Ongoing monitoring of vendor security posture
  • Vendor incident notification and reporting
  • Right-to-audit clauses and actual audit activity

5. Testing and Training

  • Penetration testing frequency and scope
  • Vulnerability assessments and remediation tracking
  • Tabletop exercises and lessons learned
  • Phishing simulation campaigns
  • Security awareness training completion rates
  • Specialized training for incident response team

Sample Document Requests

Organizations should prepare to produce:

  • Complete cybersecurity policies and procedures
  • Incident response plan and all amendments
  • Service provider contracts and addenda
  • Records of all security incidents (even if notification not required)
  • Tabletop exercise scenarios and after-action reports
  • Security training materials and attendance records
  • Vendor risk assessments and monitoring reports
  • Board presentations on cybersecurity
  • Cybersecurity budget and staffing information
  • Third-party audit reports and remediation plans
  • Insurance policies covering cyber incidents
  • Customer notification templates and actual notifications sent

Industry-Specific Considerations

Investment Advisers

Additional focus areas for RIAs:

  • Portfolio management during market volatility: Cybersecurity of systems used during stress periods
  • Private fund exposure: Commercial real estate and illiquid asset data protection
  • Fee calculation systems: Security of billing and fee disclosure systems
  • Performance reporting: Integrity of client reporting infrastructure
  • Fiduciary obligations: Cybersecurity as component of duty of care

Broker-Dealers

Enhanced scrutiny on:

  • Regulation Best Interest: Security of recommendation engines and suitability analysis
  • Options and margin: Protection of high-risk account information
  • Order routing: Integrity of best execution systems
  • Customer funds: Segregation and protection of assets
  • Financial responsibility: Cybersecurity’s impact on net capital requirements

Transfer Agents

New requirements under amended Regulation S-P:

  • Shareholder data: Protection of investor records
  • Corporate actions: Security of dividend and proxy systems
  • Lost shareholder programs: Data protection during escheatment
  • Recordkeeping: Safeguarding of historical transaction records

Emerging Technologies: Beyond AI

While AI receives significant attention, the SEC’s “Emerging Financial Technologies” focus extends to:

Crypto Assets

For firms offering crypto-related services:

  • Wallet security and custody practices
  • Valuation procedures for digital assets
  • BSA/AML compliance for crypto transactions
  • Risk disclosures specific to digital assets
  • Communication and advertising claims about crypto

Automated Trading Systems

Examination of:

  • Algorithm testing and validation
  • Kill switches and risk controls
  • Market manipulation safeguards
  • Source code security
  • Change management procedures

Digital Engagement Practices (DEPs)

Scrutiny of:

  • Gamification features and their impacts
  • Behavioral nudges and disclosures
  • Differential customer experiences based on data
  • A/B testing that may influence investment decisions
  • Privacy implications of tracking and profiling

Lessons from the Regulation S-P Comment Period

The SEC received extensive industry feedback during the rulemaking process that provides insight into compliance challenges:

Key Industry Concerns

1. Service Provider Notification Timeline: Many commenters argued 72 hours was insufficient for complex vendor relationships. The SEC maintained the requirement, emphasizing that it’s 72 hours from when the service provider becomes aware, not from breach occurrence.

2. Customer Notification Scope: Questions arose about what constitutes “reasonably likely” unauthorized access. The SEC indicated this requires case-by-case analysis based on available evidence.

3. Cost and Resource Burden: Smaller institutions cited significant compliance costs. The SEC’s phased implementation schedule partially addresses this concern.

4. Conflict with State Laws: Some states have different breach notification timelines or requirements. Covered institutions must comply with both federal and state requirements. For a detailed breakdown of notification timelines across all 50 states, see our comprehensive state data breach notification compliance guide.

SEC Responses and Clarifications

  • Institutions may use service providers to send notifications on their behalf, but responsibility remains with the covered institution
  • The 30-day notification period begins when the institution determines (or reasonably should determine) that a breach occurred
  • Ongoing investigations don’t exempt notification requirements
  • The incident response program should be proportionate to firm size and risk profile

Common Compliance Pitfalls to Avoid

Based on early implementation experiences:

1. Treating Regulation S-P as Pure IT Project

Mistake: Delegating entirely to IT security team without legal and compliance involvement

Correct Approach: Cross-functional project team with clear accountability for:

  • Legal interpretation of requirements
  • Compliance program design
  • IT security implementation
  • Vendor management coordination
  • Customer communication strategy

2. Inadequate Service Provider Coverage

Mistake: Only updating contracts with major vendors, overlooking smaller service providers

Correct Approach: Comprehensive inventory of all service providers accessing customer information, including:

  • Cloud infrastructure providers
  • SaaS application vendors
  • Professional service firms (auditors, consultants, law firms)
  • Benefit plan administrators
  • Marketing service providers

3. Generic Incident Response Plans

Mistake: Copying template policies without customization to actual operations

Correct Approach: Detailed, tested procedures reflecting:

  • Specific systems and data flows
  • Actual notification workflows
  • Real contact information and escalation paths
  • Jurisdiction-specific requirements
  • Industry-specific scenarios

4. Notification Template Without Operationalization

Mistake: Creating notification letter template without supporting infrastructure

Correct Approach: Complete notification system including:

  • Multi-channel delivery capabilities (email, postal mail, phone)
  • Translated versions for non-English speakers
  • Call center scripts and staffing
  • Website FAQ and dedicated hotline
  • Identity theft protection service enrollment

5. One-Time Compliance Effort

Mistake: Treating compliance as deadline-driven project rather than ongoing program

Correct Approach: Sustainable compliance program with:

  • Annual policy reviews and updates
  • Quarterly tabletop exercises
  • Regular vendor assessments
  • Continuous monitoring of threat landscape
  • Metrics and reporting to senior management

Strategic Considerations

Cybersecurity as Competitive Advantage

Forward-thinking firms are positioning strong cybersecurity programs as:

  • Trust differentiator in client acquisition
  • Operational excellence indicator for due diligence
  • Enterprise value driver for M&A and valuation
  • Regulatory relationship builder with examination staff
  • Talent attraction tool for cybersecurity professionals

Insurance and Risk Transfer

The amended Regulation S-P has significant insurance implications:

Cyber Insurance Review Triggers:

  • Notification cost coverage (30-day timeline may reduce costs vs. longer delays)
  • Service provider breach coverage (who bears notification costs?)
  • Regulatory defense and penalties coverage
  • Business interruption coverage
  • Privacy liability limits

Questions for Insurers:

  • Does coverage include notification within 30 days?
  • Are service provider breaches covered as first-party or third-party losses?
  • What documentation is required for claims?
  • Are there requirements for specific controls to maintain coverage?
  • How do deductibles and sub-limits apply to different incident types?

Board and Executive Engagement

Cybersecurity has unambiguously become a board-level issue:

Board Reporting Should Include:

  • Regulation S-P compliance status and timeline
  • Incident response program effectiveness metrics
  • Service provider risk landscape and management approach
  • Customer notification procedures and readiness
  • AI governance framework and risk assessment
  • Examination readiness and regulatory updates
  • Cybersecurity budget and resource allocation

Executive Accountability:

  • CEO: Overall compliance and culture setting
  • CFO: Budget allocation and insurance coverage
  • General Counsel: Legal interpretation and regulatory strategy
  • CCO: Compliance program design and monitoring
  • CIO/CISO: Technical implementation and security operations
  • COO: Service provider management and operational resilience

Looking Ahead: 2026 and Beyond

The SEC’s examination priorities often foreshadow future rulemaking. Signals from the 2025 priorities:

Potential Future Developments

Enhanced Cybersecurity Rules: While the SolarWinds dismissal may indicate recalibration, the Division of Examinations continues using examination findings to build the case for enhanced cybersecurity requirements, particularly for investment advisers.

AI-Specific Requirements: The intensive focus on AI in 2025 examinations likely precedes formal AI governance requirements, potentially including:

  • Mandatory AI risk assessments
  • Required board oversight of AI deployment
  • Enhanced AI-related disclosures to investors
  • Specific controls for AI-powered trading systems

Machine Identity Security: As non-human identities increasingly outnumber human ones, expect regulatory attention to:

  • API key and service account management
  • Certificate and cryptographic key lifecycle
  • Container and workload identity
  • Cloud infrastructure permissions

Quantum Computing Threats: While not yet in examination priorities, quantum-resistant cryptography will become relevant as quantum computing advances threaten current encryption methods.

Staying Ahead

Organizations should:

  1. Monitor SEC Communications: Risk alerts, speeches, and examination findings provide early warning
  2. Participate in Industry Groups: Collaborate on best practices and regulatory interpretation
  3. Engage with Examiners: View examinations as learning opportunities, not adversarial
  4. Invest in Capabilities: Build sustainable security programs, not just compliance checkboxes
  5. Prepare for Evolution: Design flexible frameworks that can adapt to new requirements

Conclusion: Compliance as Security Foundation

The SEC’s 2025 examination priorities reflect a fundamental truth: regulatory compliance and effective cybersecurity are increasingly inseparable. The amended Regulation S-P requirements—incident response programs, timely notifications, vendor oversight, and comprehensive recordkeeping—represent sound security practices that protect both organizations and their customers.

While the December 3, 2025 deadline for larger entities approaches rapidly, organizations should view compliance not as a burden but as a catalyst for security program maturation. The threat landscape featuring AI-enabled malware, sophisticated identity theft, and autonomous cyberattacks demands the exact capabilities that Regulation S-P now mandates.

For cybersecurity professionals, this regulatory moment presents an opportunity: to elevate security from technical function to business imperative, to secure executive support and resources, and to build programs that genuinely protect customer information while meeting regulatory expectations.

With regulatory fines escalating and breach-related class action lawsuits reaching record levels (as detailed in our class action lawsuits in data breaches guide), organizations that approach 2025 examination priorities strategically—with cross-functional teams, adequate resources, and genuine commitment to customer protection—will not only achieve compliance but will strengthen their security posture and competitive position for years to come.


Additional Resources

Industry Resources

  • FINRA Cybersecurity Key Topics Page
  • SIFMA Cybersecurity Working Group
  • ICI Cybersecurity Resources for Investment Companies
  • Investment Adviser Association Compliance Resources
  • State Attorney General Data Breach Notification Sites - Direct links to all state AG breach reporting portals

This article is provided for informational purposes only and does not constitute legal advice. Organizations should consult with qualified legal counsel and compliance professionals to address their specific regulatory obligations.