Overview

The U.S. Securities and Exchange Commission (SEC) has established cybersecurity regulations for registered financial organizations, including broker-dealers, investment advisers, investment companies, and others. These regulations aim to protect investors, ensure market integrity, and enhance resilience against cyber threats. Below is a summary of key regulations as of August 7, 2025.

1. Regulation S-P Amendments (Adopted May 15, 2024)

Scope: Applies to broker-dealers, funding portals, investment companies, registered investment advisers, and transfer agents ("covered institutions").

Key Requirements:

• Incident Response Program: Written program to detect, respond to, and recover from unauthorized access to customer information.
• Breach Notification: Notify affected individuals within 30 days if sensitive customer information was accessed or used without authorization, unless no harm is likely.
• Expanded Safeguards and Disposal Rules: Covers nonpublic personal information collected or received from other institutions. Requires documented compliance.
• Recordkeeping: Maintain written records of compliance (except funding portals).
• Annual Privacy Notice Exception: Eliminates annual notices if conditions are met (per 2015 FAST Act).

Compliance Deadlines:

• Larger entities: December 3, 2025
• Smaller entities: June 3, 2026

2. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rules (Adopted July 26, 2023)

Scope: Primarily public companies, but FINRA recommends all member firms review for guidance.

Key Requirements:

• Material Incident Disclosure:
  • File Form 8-K (Item 1.05) within 4 business days of determining a material cybersecurity incident.
  • Disclose nature, scope, timing, and material impact.
  • Delays possible if U.S. Attorney General determines national security/public safety risks.
  • Amend Form 8-K for new material information.
• Risk Management and Governance Disclosure:
  • Annual Form 10-K (Regulation S-K Item 106) must describe risk management processes, material risk impacts, board oversight, and management’s role.
  • Foreign private issuers use Form 20-F and Form 6-K.
• Inline XBRL Tagging: Required for disclosures starting December 18, 2024 (incidents) and for annual reports ending on or after December 15, 2024.

Effective Dates:

• Form 8-K/6-K: December 18, 2023
• Form 10-K/20-F: Fiscal years ending on or after December 15, 2023
• Smaller reporting companies: Additional 180 days for Form 8-K

3. Proposed Cybersecurity Risk Management Rules (Withdrawn June 2025)

Proposed in February 2022, these rules were withdrawn in June 2025. They included:

• Comprehensive cybersecurity policies and procedures.
• Regular risk assessments.
• 48-hour reporting of significant incidents via Form ADV-C.
• Enhanced disclosures in Form ADV Part 2A.

Implications: Firms should monitor for potential new proposals, as these reflect prior SEC priorities.

4. Prior Guidance (Still Relevant)

• 2018 Interpretive Release: Emphasizes disclosure controls for material cybersecurity risks and incidents.
• 2011 Staff Guidance: Supplements 2023 disclosure rules.
• 2014 OCIE Risk Alert: Encourages cybersecurity preparedness assessments.

5. Additional Considerations

• Materiality Assessments: Evaluate incidents for financial and qualitative impacts (e.g., reputational harm).
• Third-Party Risks: Conduct due diligence and ensure vendor cybersecurity obligations.
• Enforcement: SEC targets private firms and third parties for non-compliance.
• Recommended Practices:
  • Regular risk assessments and tabletop exercises.
  • Continuous monitoring and threat detection.
  • Employee training on phishing and password management.
  • Coordination across security, finance, risk, and legal teams.

6. SEC’s Broader Approach

The SEC collaborates with CISA and the FBI, leveraging resources like StopRansomware.gov. Recent leadership changes (post-2024) may influence future regulations, but existing rules remain in effect.