The SEC and FINRA have made cybersecurity enforcement a priority. In November 2025, the SEC settled with an RIA and broker-dealer for Regulation S-P and S-ID violations stemming from email account takeovers affecting 11,452 individuals between 2019 and 2024. FINRA's 2026 Regulatory Oversight Report identifies account takeovers using voice-spoofing technology to defeat two-factor authentication as a major threat, alongside generative AI-enabled fraud involving fake news reports and social media impersonation. The SEC's Examination Division now prioritizes governance practices, data loss prevention, access controls, and ransomware preparedness.
Amended Regulation S-P requirements take effect for larger advisers in 2026, triggering heightened SEC scrutiny. Firms must implement mandatory incident response protocols, customer breach notifications, and enhanced service-provider oversight. RIAs should audit their cybersecurity governance now, stress-test vendor relationships, and ensure breach notification procedures comply with updated standards before the regulatory window tightens.