Regulatory reminders

Federal regulators are telling advisers and public companies the same thing in 2026: document the process, disclose conflicts, and move fast when a breach is material. (dol.gov) (sec.gov) The Labor Department said on March 18, 2026 that court action wiped out its 2024 Retirement Security Rule and restored the 1975 “five-part test” for deciding when someone giving retirement investment advice is an Employee Retirement Income Security Act fiduciary. The department’s notice said the vacatur also restored the older prohibited-transaction exemptions tied to that test. (dol.gov) Under that five-part test, a person generally becomes a fiduciary only if the advice is given regularly, under a mutual understanding, and as a primary basis for investment decisions, among other elements. The Department of Labor’s retirement-security page says fiduciary status determines when advisers must meet ERISA’s highest duties of loyalty and prudence. (dol.gov 1) (dol.gov 2) The Securities and Exchange Commission has been pressing on a parallel track. Its Division of Examinations said in its 2025 priorities that fiduciary duty, standards of conduct, and cybersecurity would remain core exam targets for advisers and other registrants. (sec.gov) For public companies, the SEC’s cybersecurity rule adopted on July 26, 2023 requires disclosure of a material cyber incident on Form 8-K Item 1.05 within four business days after the company decides the incident is material. The same rule added annual disclosure requirements on cyber risk management, strategy, and governance in Form 10-K. (sec.gov) (federalregister.gov) The SEC’s staff tightened that message on May 21, 2024, warning companies not to use Item 1.05 for incidents that are still being evaluated or that are not material. Corp Fin Director Erik Gerding said companies can use another Form 8-K item, such as Item 8.01, for voluntary disclosure instead. (sec.gov) Enforcement has backed up the disclosure push. In one September 2024 case, the SEC said Closed Loop Capital Management breached its fiduciary duty by failing to disclose conflicts tied to three loan transactions involving fund clients and by failing to obtain proper consent. (sec.gov) Another August 2024 SEC action ordered Cadaret, Grant & Co. to pay $6 million in penalties and disgorgement after the agency said the firm failed to disclose compensation conflicts and failed to seek best execution for certain mutual fund trades. The case centered on the same two themes regulators keep returning to: conflicted recommendations and weak compliance controls. (alston.com) The practical effect is narrower fiduciary coverage under ERISA after the March 2026 Labor Department notice, but no retreat from disclosure and conduct scrutiny at the SEC. For firms that sell advice or disclose cyber incidents, the paper trail now matters as much as the pitch. (dol.gov) (sec.gov)