The SEC has released its Examination Priorities: Fiscal Year 2025 (“Examination Priorities”), which may be a useful roadmap to SEC-registered investment advisers, exchanges, and other entities subject to routine examination by the SEC Division of Examinations (“EXAMS”). The Examination Priorities represent the EXAMS Staff’s identification of areas of heightened risks to investors and/or the integrity of the U.S. capital markets, based upon the prior years’ examinations, market events, information gathered from conversations with investors and industry groups, as well as information from other regulators. Although the Examination Priorities are not a comprehensive list of the issues that EXAMS will scrutinize in examinations, as in prior years, information security and operational resiliency remain a focus. In particular, the SEC identified the following risk areas impacting various market participants.
- Cybersecurity: Noted as “a perennial examination priority,” the SEC will continue to review registrant practices to prevent interruptions to mission-critical services and to protect investor information, records, and assets. As part of its examinations, EXAMS will examine registrants’ procedures and practices to assess whether they are reasonably managing information security and operational risks, with particular focus on governance practices, data loss prevention, access controls, account management, and incident response. EXAMS will continue to assess how registrants manage third-party risks from sub-contractors and third-party products.
- Regulations S-ID and S-P: As in prior years, examinations in this area will focus on firms’ policies and procedures, internal controls, oversight of third-party vendors, and governance practices. For firms providing electronic investment services, EXAMS indicated that it would place emphasis on such policies and procedures as they pertain to safeguarding customer records and information. Firms should have appropriate identification and detection controls to prevent account takeovers, account intrusions, identity theft, and fraudulent transfers. In preparation for the compliance date of the SEC’s amendments to Reg S-P, EXAMS will engage with firms during examinations about their progress in preparing to establish incident response programs reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. As compliance dates for these additional cybersecurity compliance and incident reporting provisions approach at year-end 2025 and June 2026, EXAMS appears to be laying the groundwork for a more rigorous examinations environment.
- Emerging Financial Technologies: EXAMS remains focused on registrants’ use of AI and trading algorithms or platforms, and the risks associated with the use of emerging technologies and alternative sources of data. In particular, EXAMS will examine firms that employ digital investment advisory services, recommendations, and related tools and methods to ensure their use is consistent with the registrants’ regulatory obligations to investors. According to EXAMS, firms should ensure their representations regarding the use of AI are accurate and that use of AI is supervised. And while the SEC’s promised regulation on the use of certain types of predictive data analytics and other AI has yet to be adopted, SEC Chair Gary Gensler recently stated that the primary goal will be to stop brokers from using algorithms that place the interests of business above those of the customer.
- Regulation Systems Compliance and Integrity (“SCI”): Entities subject to Reg SCI must establish, maintain, and enforce written policies and procedures reasonably designed to ensure that their systems’ capacity, integrity, resiliency, availability, and security are adequate to maintain their operational capability and promote the maintenance of fair and orderly markets. As such, EXAMS will examine SCI entities’ business continuity planning and testing practices, the effectiveness of incident response plans (including the ability to disconnect from or reconnect to registrants or third parties), and cybersecurity policies and procedures generally.
SEC registrants subject to examination may also wish to consider the broader context of recent SEC enforcement actions, including the waves of cases imposing penalties for books and records violations associated with the use of out-of-band or ephemeral messaging. As the SEC lays the groundwork for more robust enforcement of investment advisers via cybersecurity-related rulemaking, the recently settled enforcement action against four public companies for allegedly misleading breach disclosures suggests the SEC will continue to aggressively bring cases that rely on cybersecurity risk management and disclosure rules.