
2025 Cybersecurity Examination Priorities: Vendor Due Diligence, Incident Response Plans, and More

What happened?

On October 21, 2024, the SEC’s Division of Examinations (“EXAMS”) published its 2025 Examination Priorities, the annual list of areas that EXAMS views as presenting heightened risks to investors and to the markets overall. Once again, cybersecurity remains a key and distinct focus area, and cybersecurity-related concerns appear throughout the priorities list. In 2025, cybersecurity will take on added importance for examiners because of the volume of cyber-attacks, weather-related events, and geopolitical concerns. Vendor due diligence programs, incident response plans, and cybersecurity risk management will all be key aspects of SEC examinations in 2025. Firms should also be evaluating their compliance with Regulation S-ID and amended Regulation S-P.

Cybersecurity

In its list of priorities, EXAMS highlighted the following items of particular attention with regards to cybersecurity:

  • Firms’ policies and procedures;
  • Governance practices;
  • Data loss prevention;
  • Access controls;
  • Account management;
  • Responses to cyber-related incidents, including those related to ransomware attacks; and
  • Alternative trading systems’ safeguards that protect confidential trading information.

EXAMS also noted that it will pay close attention to the management of cybersecurity risk and operational resilience. This focus will include assessments of how registrants identify and assess cybersecurity and vendor management risks, particularly those associated with third-party products, sub-contractors, service providers, and any information technology (IT) resources used by the business without the IT department’s approval (so-called shadow IT).

Regulation S-ID and Regulation S-P

With respect to Regulation S-ID and Amended Regulation S-P, EXAMS will focus on firms’:

  • Policies and procedures;
  • Internal controls;
  • Oversight of third-party vendors; and
  • Governance practices.

EXAMS said that, in advance of the compliance dates for amended Regulation S-P, it will evaluate firms’ progress in preparing to establish incident response programs “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.” (Larger entities, which for RIAs means those with $1.5 billion or more in AUM, must comply with the Regulation S-P amendments by December 2025; smaller entities must comply by June 2026.)

Vendor Management

As part of its focus on cybersecurity and operational resilience, EXAMS will also emphasize firms’ management of their vendors, service providers, and other third parties. Identification and assessment of operational and cybersecurity risks related to third parties, including having relevant policies and procedures and a vendor management program, will be points of emphasis in 2025 examinations. Vendor management will also play a role in EXAMS’ review of compliance with Regulation S-ID and Regulation S-P and of the establishment of incident response programs.

What does this mean for me?

Next Steps:

In its 2025 priorities, EXAMS has made clear that a strong cybersecurity program is vital for firms regardless of whether or when the proposed cybersecurity risk management rule is finalized. Firms should begin evaluating their cybersecurity programs now and make sure they are prepared both for compliance and for SEC examinations. In particular, the amendments to Regulation S-P could take time to implement, and the compliance dates are approaching. If you do not already have a vendor management program in place, consider starting there.

If you have not done so already, you may also want to review Fairview’s initial flash report on this topic, SEC Adopts Rule Amendments to Regulation S-P, which includes an overview of the amendments.

If you have questions or could use assistance updating your compliance program or complying with Amended Regulation S-P, let us know. Our team of regulatory experts is available to walk you through these changes and to answer any questions you may have.