SEC Cybersecurity Scrutiny for RIAs Increasing
A new white paper from Alles Technology indicates that the SEC is intensifying its cybersecurity examinations for Registered Investment Advisers (RIAs). The research suggests a shift from focusing on general "best practices" to requiring documentation-driven proof of regulatory enforcement and compliance.
- New SEC rules require RIAs to report significant cybersecurity incidents via a confidential Form ADV-C within 48 hours of reasonable discovery. This form details the incident's nature, scope, recovery actions, and whether data was stolen or altered.
- The average cost of a data breach for financial services firms has risen to $6.08 million, which is significantly higher than the global average of $4.88 million across all industries.
- Recent amendments to Regulation S-P mandate that RIAs develop a formal incident response program designed to detect, respond to, and recover from unauthorized access to customer information. Firms must also now notify affected individuals within 30 days if their sensitive information was reasonably likely to have been accessed.
- The SEC now requires RIAs to amend Form ADV Part 2A to disclose cybersecurity risks and any significant incidents that have occurred within the last two fiscal years directly to current and prospective clients.
- Enforcement actions have been taken against firms for deficient cybersecurity policies even when no unauthorized trades occurred, signaling a focus on procedural soundness. For example, in August 2021, the SEC settled actions against eight firms for failures that led to email account takeovers, exposing the personal information of thousands of clients.
- Examiners are now requesting specific documentation, including inventories of nonpublic personal information (NPI), vendor contracts, penetration testing results, and access control records. This demonstrates a shift from accepting "best practices" to requiring tangible proof of security controls.
- Under the new rules, RIAs must maintain records of all cybersecurity incidents for the past five years, along with documentation of their annual cybersecurity policy reviews.
- The SEC's 2025 examination priorities explicitly name cybersecurity and third-party vendor risk as key focus areas, indicating that oversight in this domain will continue to intensify.