
Cybersecurity Governance for SEC-Regulated Firms: What the 2023 Rules Require and Where Most Firms Fall Short

The SEC's 2023 cybersecurity rules for public companies and the Division of Examinations' ongoing focus on registered advisers and broker-dealers mean cybersecurity governance is no longer optional for SEC-regulated organizations. Here is what the rules actually require.

Orville Matias

The SEC's cybersecurity regulatory activity between 2023 and 2026 has been more significant than any prior period in the agency's history. For SEC-regulated organizations — registered investment advisers, broker-dealers, and public companies — cybersecurity is now a formal regulatory compliance obligation with specific documentation, disclosure, and incident response requirements.

Key figures at a glance:

  • 4 days: 8-K disclosure deadline for a material incident, counted from the materiality determination
  • 30 days: Reg S-P customer notification deadline after a covered incident
  • $8.2B: SEC financial remedies in FY2024, a record enforcement year
  • 2024: Reg S-P amended with enhanced customer data protection rules

This article covers the current regulatory framework, what examination staff are reviewing, and where SEC-regulated firms most frequently have compliance gaps in their cybersecurity governance programs.

The Current Regulatory Framework

SEC Cybersecurity Rules for Public Companies (2023)

The SEC adopted new cybersecurity disclosure rules for public reporting companies in July 2023, effective December 2023. These rules require:

*Material incident disclosure.* Public companies must disclose material cybersecurity incidents on Form 8-K within four business days of determining an incident is material. The determination of materiality is the company's responsibility and must be made promptly.

*Annual disclosure of cybersecurity risk management.* Form 10-K must now include disclosures about the company's processes for identifying, assessing, and managing material cybersecurity risks, whether those processes are integrated into the company's overall risk management, and the role of the board and management in cybersecurity oversight.

*Board oversight disclosure.* Public companies must disclose the board's role in oversight of cybersecurity risk and whether any board member has cybersecurity expertise.

SEC Examination Priorities for RIAs and Broker-Dealers

The Division of Examinations' cybersecurity priorities for registered advisers and broker-dealers focus on:

  • Identity and access management controls protecting client accounts and data
  • The security of customer information under Reg S-P
  • Cybersecurity incident response planning and testing
  • Third-party and vendor cybersecurity risk management
  • The security of client-facing portals and digital systems

The Division has consistently cited cybersecurity as an examination priority since 2015. The 2026 examination priorities continue this focus with specific attention to AI-related cybersecurity risks — including threat actors using AI to conduct more sophisticated phishing, social engineering, and credential attacks against financial services firms.

Reg S-P Amendments (2024)

The SEC adopted amendments to Regulation S-P in May 2024 that significantly strengthened customer information protection requirements for broker-dealers and investment advisers:

  • Extended the safeguards rule to cover more categories of customer information
  • Added an incident response program requirement with specific elements
  • Required notification to affected customers within 30 days of discovering a covered incident
  • Extended Reg S-P obligations to transfer agents

These amendments are not aspirational guidance. They are enforceable rules. Firms without compliant incident response programs face examination criticism and potential enforcement action.

Where SEC-Regulated Firms Are Most Exposed

Inadequate incident response programs. The most common cybersecurity governance gap in SEC-regulated firms is an incident response plan that exists on paper but has never been tested and lacks the operational specificity required by the amended Reg S-P. Examiners will ask for the plan, ask when it was last tested, and ask for documentation of that test.

No materiality assessment process. For public companies subject to the 2023 cybersecurity rules, the absence of a documented process for making materiality determinations following a cybersecurity incident is an immediate disclosure control deficiency. Companies that experience an incident and cannot demonstrate a prompt, documented materiality assessment risk both late disclosure violations and potential securities fraud exposure.

Third-party vendor gaps. Most financial services cybersecurity incidents originate with third-party vendors — technology providers, cloud platforms, payroll processors, or service firms with access to the firm's systems. Examiners review vendor management programs for evidence of cybersecurity due diligence, contractual protections, and ongoing vendor monitoring.

Insufficient access controls. Shared credentials, dormant accounts that still hold active access, former employees who retain system access, and service accounts with excessive privileges: access control deficiencies of this kind are among the most consistent examination findings across the financial services sector.

No board-level cybersecurity reporting. For public companies, the 2023 rules created formal board oversight disclosure obligations. For RIAs and broker-dealers, FINRA and SEC examination staff expect evidence that senior management and, for larger firms, the board is actively engaged in cybersecurity oversight — not merely informed after incidents occur.

What a Defensible Cybersecurity Governance Program Requires

Risk assessment with defined methodology. An annual cybersecurity risk assessment using a recognized framework (NIST CSF, ISO 27001, or CIS Controls) with documented findings and remediation tracking. The assessment must be current — examiners will review the date and scope.

Technically enforced access controls. MFA on all systems, including email and client portals. Quarterly access reviews with documented results. Privileged account management. Automated deprovisioning for terminated employees. These controls must be active and verifiable — not just described in a policy.
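As an added illustration of what "active and verifiable" means for a quarterly access review, the script below (example code written for this article, not Centience's tooling) runs the checks named above over a constructed account inventory: terminated users still enabled, dormant accounts, user accounts without MFA, service accounts holding admin rights, and credentials shared by more than one owner. The 90-day dormancy threshold, the field names, and the sample accounts are assumptions for the example; the rules themselves set no such number.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple, List

DORMANT_DAYS = 90  # assumed review threshold for "dormant"; not set by any SEC rule


@dataclass
class Account:
    name: str
    kind: str                     # "user" or "service"
    enabled: bool
    mfa: bool
    last_login: Optional[date]    # None means the account has never logged in
    roles: Tuple[str, ...] = ()
    owners: Tuple[str, ...] = ()  # people who know the credential (constructed field)


def review_access(accounts: List[Account], terminated: set, today: date):
    """Return (account name, finding) pairs that an access review must document."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts carry no access and are out of scope
        if a.kind == "user" and a.name in terminated:
            findings.append((a.name, "terminated user still enabled"))
        if a.last_login is None or (today - a.last_login).days > DORMANT_DAYS:
            findings.append((a.name, "dormant account with active access"))
        if a.kind == "user" and not a.mfa:
            findings.append((a.name, "MFA not enforced"))
        if a.kind == "service" and "admin" in a.roles:
            findings.append((a.name, "service account with admin privileges"))
        if len(a.owners) > 1:
            findings.append((a.name, "credential shared by multiple owners"))
    return findings


# Constructed sample inventory: each line exercises one of the findings above.
TODAY = date(2026, 3, 31)
TERMINATED = {"carol"}  # constructed HR feed of departed employees
ACCOUNTS = [
    Account("alice", "user", True, True, date(2026, 3, 30)),                      # clean
    Account("bob", "user", True, False, date(2025, 11, 1)),                       # dormant, no MFA
    Account("carol", "user", True, True, date(2026, 3, 29)),                      # left the firm
    Account("svc-backup", "service", True, False, date(2026, 3, 31), roles=("admin",)),
    Account("ops-shared", "user", True, True, date(2026, 3, 31), owners=("dan", "erin")),
    Account("frank", "user", False, False, None),                                 # disabled, skipped
]

if __name__ == "__main__":
    for name, finding in review_access(ACCOUNTS, TERMINATED, TODAY):
        print(f"{name}: {finding}")
```

The output is the evidence an examiner asks for: a dated list of exceptions, which the firm then pairs with the remediation record for each one.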

Incident response program with documented testing. A written IR plan addressing the specific incident types relevant to the firm (ransomware, credential compromise, wire fraud, vendor breach) with annual tabletop exercise documentation and an escalation matrix that reaches senior management and the board where required.

Vendor cybersecurity due diligence. A documented process for evaluating the cybersecurity posture of vendors with access to firm systems or client data, including contract provisions requiring breach notification, security standards, and audit rights.

Customer notification procedures. Under the amended Reg S-P, firms must have documented procedures for identifying affected customers following a covered incident and notifying them within 30 days. This requires knowing what data each vendor and system holds about which customers — which requires a data inventory most firms have not built.

Board and senior management reporting. Regular cybersecurity reporting to senior management with documented board oversight for firms subject to the 2023 disclosure rules.

The Enforcement Environment

The SEC collected $8.2 billion in financial remedies in fiscal year 2024 — the highest in agency history. Cybersecurity-related enforcement actions included penalties against SolarWinds and its CISO for cybersecurity disclosure fraud, R.R. Donnelley for inadequate cybersecurity controls and incident disclosure, and multiple broker-dealers for Reg S-P violations related to customer data protection.

The enforcement signal is clear: cybersecurity governance gaps that result in customer harm, inadequate disclosure, or demonstrable non-compliance with applicable rules will be pursued.

Centience builds cybersecurity governance programs for SEC-regulated organizations on managed infrastructure. Technical controls are active and verifiable. Documentation is assembled in advance of examinations. When the examiner asks for evidence, it exists.


Article written by Orville Matias

Orville Matias is Founder & CEO of Centience, an AI and Technology Governance firm for regulated industries. He has 20+ years of experience building and operating compliance programs for organizations under SEC, FINRA, and HIPAA oversight.
