SEC’s 2025 Cybersecurity and Data Protection Priorities: Preparing for the Next Wave of Examinations

  • May 15, 2025

As cyber threats continue to escalate in scale and sophistication, the U.S. Securities and Exchange Commission (SEC) has made cybersecurity and data protection a central focus of its 2025 Examination Priorities. Released in October 2024, this guidance signals the SEC’s intent to closely scrutinize how regulated entities safeguard sensitive information, detect vulnerabilities, and respond to incidents. From investment advisers to broker-dealers, firms across the financial sector are being urged to reassess their risk management frameworks and align with the Commission’s evolving expectations.

This blog explores the key cybersecurity themes outlined in the SEC’s 2025 agenda, the implications for compliance teams, and practical steps organizations can take to strengthen their defenses ahead of upcoming examinations.

Continued Focus on Cybersecurity as a Perennial Priority

The SEC’s Division of Examinations (EXAMS) has reaffirmed cybersecurity as a perennial priority, emphasizing the need for registrants, including investment advisers, broker-dealers, and alternative trading systems, to maintain robust information security and operational resilience. EXAMS will focus on firms’ governance practices, data loss prevention, access controls, account management, incident response protocols (especially for ransomware attacks), and third-party risk management. Safeguards protecting sensitive customer data and confidential trading information remain a key concern.

Compliance with Regulations S-ID and S-P

The SEC will maintain its review of firms’ adherence to Regulations S-ID and S-P, concentrating on their policies, procedures, internal controls, governance structures, and management of third-party vendors. EXAMS will pay particular attention to measures protecting customer information, especially for firms offering electronic investment services. Firms are expected to implement effective controls to prevent identity theft, account takeovers, and fraudulent activity. With new amendments to Reg S-P taking effect in late 2025 and mid-2026, the SEC is also engaging with firms on their preparedness to implement incident response programs for unauthorized access to customer data.

Integration with Emerging Financial Technologies

The SEC’s Division of Examinations is closely monitoring registrants’ use of emerging technologies—including artificial intelligence, trading algorithms, and digital investment platforms. Examinations will assess whether firms are using these tools in compliance with their regulatory obligations and whether representations about AI are accurate and properly supervised. Firms are expected to evaluate the cybersecurity risks associated with AI and digital assets, maintain strong controls, and ensure that technology use does not compromise investor interests or operational integrity.

Assessing Regulation Systems Compliance and Integrity

The SEC will assess whether entities subject to Regulation SCI have effective policies and procedures to ensure system capacity, integrity, resiliency, and security to support continuous operations and maintain fair markets. Examinations will focus on business continuity planning, incident response capabilities (including third-party connections), and cybersecurity controls. More broadly, the SEC will evaluate registrants’ operational resiliency—specifically their preparedness for cyber incidents, effectiveness of vendor oversight, and ability to maintain service continuity amid evolving threats.

Practical Implications for Firms

To align with the SEC’s 2025 cybersecurity examination priorities, firms should:

  • Develop and maintain comprehensive cybersecurity policies covering data loss prevention, access controls, and incident response.
  • Implement rigorous oversight of third-party vendors, including due diligence, risk assessments, and continuous monitoring.
  • Establish controls to detect and manage unauthorized IT resources and shadow IT.
  • Ensure compliance with Regulations S-ID and S-P, documenting policies and controls to protect client information.
  • Prepare for focused examinations on operational resilience, including business continuity and recovery plans.
  • Evaluate the cybersecurity implications of emerging technologies such as AI and integrate appropriate governance and controls.

The SEC’s 2025 Examination Priorities underscore that cybersecurity and data protection are no longer optional safeguards—they are essential components of regulatory compliance and investor trust. To remain resilient and compliant, firms must take a proactive stance in strengthening their cybersecurity frameworks, enhancing vendor oversight, and addressing the risks posed by emerging technologies. By doing so, they not only align with regulatory expectations but also reinforce the integrity and stability of the broader financial system.