SEC 2025 Examination Priorities: Cybersecurity and Operational Resilience

March 18, 2025

The U.S. Securities and Exchange Commission (SEC) has placed cybersecurity and operational resilience at the forefront of its 2025 examination priorities, emphasizing the increasing risks of cyber threats, data breaches, and third-party vulnerabilities in the financial sector. As firms integrate more digital technologies and rely on third-party service providers, the SEC aims to ensure that cyber risk management frameworks are robust, effective, and compliant with regulatory expectations.

Key Cybersecurity Focus Areas for 2025

1. Cyber Risk Management and Governance

The SEC will assess whether firms have established strong cybersecurity governance structures, ensuring that senior management and boards are actively involved in cyber risk oversight. This includes:

  • Clear policies and procedures for identifying and mitigating cyber risks.
  • Regular risk assessments to evaluate vulnerabilities in IT environments.
  • Defined escalation and response mechanisms in the event of a cyber incident.

2. Incident Response and Recovery Plans

With the increasing frequency and sophistication of cyberattacks, firms must demonstrate effective incident response and recovery capabilities. Examiners will review:

  • Incident detection and response protocols, including reporting mechanisms.
  • Preparedness for ransomware attacks, business email compromise (BEC), and data exfiltration incidents.
  • Post-incident analysis and remediation strategies to prevent future breaches.

The SEC is particularly interested in how firms handle material cybersecurity incidents and whether they provide timely disclosures to investors and regulators.

3. Data Protection and Access Controls

Protecting sensitive financial and investor data remains a top regulatory priority. The SEC will evaluate:

  • Identity and access management (IAM) controls to prevent unauthorized access.
  • Multi-factor authentication (MFA) adoption across critical systems.
  • Encryption and data loss prevention (DLP) measures to safeguard sensitive information.

Firms that fail to implement adequate data security controls could face regulatory enforcement actions.

4. Third-Party and Supply Chain Risk Management

The SEC recognizes that many financial firms rely on third-party service providers, introducing additional cyber risks. Examinations will focus on:

  • Vendor due diligence and risk assessments before onboarding third parties.
  • Contractual cybersecurity requirements and enforcement of security policies.
  • Monitoring of service providers for compliance with cybersecurity standards.

Given the SEC’s heightened scrutiny, firms must document their third-party risk management practices and ensure that outsourced services do not create regulatory blind spots.

5. Compliance with SEC’s Cybersecurity Rules

The SEC is also examining how firms are implementing recent regulatory changes, including:

  • Updated Regulation S-P, which strengthens customer data protection requirements.
  • Proposed Cybersecurity Risk Management Rules for investment advisers and broker-dealers.
  • Enhanced disclosure requirements for cyber incidents and risk management practices.

Firms should review and update cybersecurity policies to align with evolving SEC requirements and industry best practices.

Recent Enforcement Actions Reflecting These Priorities

The SEC’s enforcement actions reinforce its commitment to cybersecurity oversight and regulatory compliance. Notable cases include:

  • Misleading Cybersecurity Disclosures: In October 2024, the SEC charged four companies—Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Limited—for making materially misleading disclosures regarding cybersecurity risks and incidents, particularly related to the 2020 SolarWinds compromise. These companies agreed to pay civil penalties ranging from $990,000 to $4 million.
  • “AI Washing” Enforcement: In March 2024, the SEC settled charges against two investment advisers, Delphia (USA) Inc. and Global Predictions Inc., for making false and misleading statements about their purported use of artificial intelligence. The firms agreed to pay a combined $400,000 in civil penalties.
  • Cybersecurity Incident Handling: In December 2024, the SEC settled charges with the Industrial and Commercial Bank of China Financial Services (ICBCFS) related to a November 2023 ransomware attack. The SEC noted that the attack was exacerbated by insufficient preparation for severe cybersecurity threats. Due to the firm’s cooperation and remedial actions, no civil fine was imposed.

Preparing for SEC Examinations in 2025

To mitigate regulatory risks and enhance cyber resilience, financial firms should:

  • Conduct cybersecurity risk assessments aligned with SEC priorities.
  • Test incident response and business continuity plans through tabletop exercises.
  • Strengthen third-party oversight, ensuring vendors comply with cybersecurity requirements.
  • Implement continuous monitoring and threat detection to identify vulnerabilities in real time.

The SEC’s 2025 examination priorities highlight the critical role of cybersecurity in financial stability and investor protection. Firms that proactively enhance their cyber defenses will not only ensure regulatory compliance but also reduce the risk of cyber incidents that could impact market integrity and investor confidence.

FY2025 Division of Examinations Examination Priorities