
Where do you stand, and what’s coming for investment advisors?

What you should know

For firms with assets over $1.5bn, the changes to Regulation S-P will take effect on December 3rd, 2025. In combination with the 2025 SEC Examination Priorities, there is work to be done to meet both the rule and guidance from the SEC before the end of 2025.

Why you should care

Many of the requirements of Regulation S-P will require policy amendments and contractual updates with the service providers that process customer information on behalf of covered institutions. The work is time consuming, and managers must not wait. The examination priorities are only an absolute baseline of expectations with regard to cybersecurity. Managers do not want to be merely acceptable; they need to be ahead of the pack.

The bigger picture

Regulation S-P introduces new service provider oversight requirements, deadlines for disclosure to affected individuals, and periodic reviews of firms’ incident response plans, specifically tailored to Reg S-P. Combined with the SEC examination priorities covering firms’ policies and procedures, governance practices, data loss prevention, access controls, account management, and responses to cyber-related incidents, including those related to ransomware attacks, firms continue to have significant work to do.

Regulation S-P

Drawbridge service, with the Regulation S-P rule requirement it addresses:

Incident Response Plan

  • Reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.

Written Information Security Policy

  • Policies and procedures are reasonably designed to protect customer records and information.

Cyber Risk Intelligence

  • Identification and detection to prevent and protect against identity theft during customer account takeovers and fraudulent transfers.
  • Firms’ practices to prevent account intrusions and safeguard customer records and information.
  • Address operational risk, including technology risks, as operational failures may impact a firm’s ability to safeguard customer records and information.

Cybersecurity Awareness Training

  • Firm training on identity theft prevention program.

Vendor Risk Assessments

  • Provide notification to the covered institution as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider.

2025 SEC Exam Priorities

Drawbridge service, with the SEC exam priority expectation it addresses:

Written Information Security Policy, Incident Response Plan, and Business Continuity Plan

  • Firms’ policies and procedures, governance practices, data loss prevention, access controls, account management, and responses to cyber-related incidents, including those related to ransomware attacks.

Vendor Risk Assessments

  • Cybersecurity risks and resiliency goals associated with third-party products, sub-contractors, services, and any information technology (IT) resources used by the business without the IT department’s approval, knowledge or oversight, or non-supported infrastructure.

Cyber Risk Intelligence, Vulnerability Management, and Penetration Testing

  • Assessments of how registrants identify and address these risks to essential business operations.

Don’t be left behind

Drawbridge Cyber Risk Intelligence services allow you to compare your Drawbridge cyber security score against your peers. We work with you to ensure your risk profile continuously improves and keeps pace with industry progress.
