
Cybersecurity enforcement trends: what investment advisers need to know

Published: 11 Feb 2026

By Sean Wilke, Head of Growth Strategy, Compliance, Americas

The U.S. Securities and Exchange Commission (SEC) continues to treat cybersecurity and data privacy failures as violations of fiduciary duty, not merely IT or operational lapses. Recent enforcement actions and examination findings reveal a consistent message: cybersecurity is a core compliance function requiring documented governance, active supervision and evidence of implementation.

Based on recent cases and regulatory guidance, several critical themes have emerged that every investment adviser must understand and address.

1. Cybersecurity and privacy are fiduciary obligations

The SEC frames cybersecurity failures as breaches of the duty of care and supervision under Sections 206 and 206(4) of the Investment Advisers Act. Advisers are expected to protect client information with reasonable safeguards, and deficient controls alone are sufficient for enforcement without requiring evidence of an actual breach.

Common issues include:

  • Treating cybersecurity as an IT function rather than a compliance obligation
  • Inadequate senior management oversight and board-level reporting
  • Failure to integrate cybersecurity into governance structures

Cybersecurity risk management must be embedded in the firm’s overall compliance program with active oversight from compliance officers and senior leadership.

2. Written policies must be implemented, not aspirational

Recent enforcement actions consistently cite advisers for having cybersecurity and privacy policies that were incomplete or, worse, policies that existed but were not followed. The SEC emphasizes that written policies alone do not satisfy compliance obligations.

Common deficiencies:

  • Generic or boilerplate policies not tailored to actual business practices
  • Inadequate risk assessments that fail to identify critical systems and data
  • Failure to test or update policies as threats evolve
  • Absence of documentation showing policies are followed

A generic or stale cybersecurity policy is now a liability. Advisers must demonstrate that policies are tailored, regularly reviewed and actually followed in practice through training records, testing results and risk assessment documentation.

3. Regulation S-P Safeguards Rule violations are low-hanging fruit

The amended Regulation S-P Safeguards Rule has become a primary enforcement hook. The SEC is enforcing process failures, not just breach outcomes. Recent cases show enforcement action when advisers fail to establish adequate processes even without actual incidents.

Common deficiencies cited:

  • No formal incident response plan with defined roles and escalation procedures
  • Weak vendor oversight and due diligence processes
  • Insufficient access controls including lack of multi-factor authentication
  • No periodic risk assessment of systems holding client data

Process documentation, governance structures and regular testing are essential to demonstrate Regulation S-P compliance.

4. Vendor and service provider oversight is a recurrent failure point

Many enforcement and investigative cases stem from third-party breaches at cloud providers, email vendors or portfolio systems. The SEC’s position is clear: advisers remain responsible for client data even when functions are outsourced.

Common gaps:

  • Lack of due diligence or monitoring of vendor security practices
  • No contractual safeguards around data security or breach notification
  • Inadequate inventory of which vendors have access to what data

Vendor risk is adviser risk. Delegation does not reduce liability. Advisers should treat vendor management as a core component of their cybersecurity program with documented due diligence, contractual protections and periodic reviews.

5. Incident response and escalation breakdowns drive enforcement

Where breaches occurred, the SEC focused less on the hack itself and more on how the adviser responded. An effective incident response plan is a regulatory expectation, not optional.

Areas of scrutiny:

  • Delayed internal escalation to senior management or compliance
  • Poor documentation of response decisions and actions taken
  • Failure to assess client harm promptly
  • Inadequate client notification processes

Plans should identify decision-makers, establish escalation protocols and outline communication procedures. Tabletop exercises help identify gaps before actual incidents occur. How you respond matters as much as what happened.

6. Privacy failures can trigger enforcement without investor loss

Recent cases confirm that the SEC does not need to show client financial harm. Exposure of personally identifiable information or confidential data alone is sufficient to support enforcement, particularly if controls are weak. Even limited incidents can support enforcement if they reveal systemic vulnerabilities.

“No harm, no foul” is not a defense. The duty to protect client information exists independent of whether that information is ultimately exploited.

7. Marketing and disclosure statements are enforceable

The SEC has scrutinized website statements about data security, client disclosures describing “robust” or “institutional-grade” controls and inconsistencies between public claims and actual practices.

Key issues:

  • Marketing materials claiming security measures that cannot be substantiated
  • Form ADV disclosures inconsistent with actual controls
  • Vague claims like “best-in-class security” without supporting evidence

Cybersecurity representations are treated like any other compliance disclosure. Accuracy is mandatory. Specific claims must be verifiably true.

8. Exams are feeding enforcement

Many cybersecurity cases originate from routine exams where staff identified inadequate documentation, no evidence of testing or inconsistent practices across business lines. Cybersecurity is an explicit SEC examination priority, and deficiencies in this area are increasingly referred for enforcement.

Common exam findings:

  • Missing documentation of policies, risk assessments or incident response
  • No evidence policies are tested, reviewed or updated
  • Failure to maintain records demonstrating compliance with stated policies

Assume cyber findings in exams can become enforcement referrals. Documentation, consistency and evidence of active implementation are critical.

Immediate steps for compliance teams

  • Conduct a gap analysis of current cybersecurity policies against actual practices
  • Document and test incident response plans through tabletop exercises
  • Audit vendor agreements for contractual safeguards and breach notification requirements
  • Review all marketing materials and Form ADV for accuracy of cybersecurity claims
  • Establish periodic risk assessments with documented results
  • Integrate cybersecurity oversight into board reporting and compliance testing

The SEC’s enforcement posture makes clear that cybersecurity and privacy are compliance obligations requiring tailored policies, documented governance and evidence of execution. Advisers that can demonstrate active supervision and ongoing testing are far better positioned than those relying on policy documents alone.

How we can help

IQ-EQ supports advisers in building exam-ready cybersecurity compliance frameworks. Our services include:

  • Cybersecurity program reviews to assess policies, controls and documentation
  • Gap analysis and compliance testing for Regulation S-P requirements
  • Incident response plan development and tabletop exercise facilitation
  • Vendor due diligence frameworks and agreement templates
  • Employee training on cybersecurity obligations and SEC expectations

Our U.S. regulatory compliance team provides both immediate remediation support and long-term strategic partnerships to help you maintain compliant cybersecurity practices. Get in touch today to learn more.
