Regulatory Reference

SEC & FINRA Cybersecurity Requirements for Advisors and Broker-Dealers

Registered investment advisers and broker-dealers are subject to binding cybersecurity rules — Regulation S-P, Regulation S-ID, and FINRA Rules 3110 and 4370 — plus annual examination priorities that test how firms evidence them. This page compiles the requirements, exact language, and source documents in one place.

By Brian Edelman, Founder & CEO, FCI Cyber · Last updated: July 2026

SEC-registered advisors and FINRA member broker-dealers face overlapping cybersecurity requirements: Regulation S-P’s Safeguards Rule and its 2024 incident-response amendments, Regulation S-ID identity theft programs, and FINRA Rules 3110 and 4370. All are now fully in effect — the final Reg S-P compliance date passed on June 3, 2026 — and examiners test documented evidence, not intent.

Related: Compliance Readiness · Firm Security · NYDFS Part 500 · AI Regulatory Guidance

Summary

What Both Regulators Require

SEC rules and FINRA rules approach cybersecurity from different angles — consumer privacy, market integrity, supervision — but converge on the same set of documented, testable controls.

Written Safeguards

Regulation S-P’s Safeguards Rule requires written policies and procedures addressing administrative, technical, and physical safeguards for customer information. This is the foundation document examiners request first.

Incident Response & 30-Day Notice

The 2024 Reg S-P amendments require a written incident response program that detects, responds to, and recovers from unauthorized access — and notifies affected individuals within 30 days.

Identity Theft Prevention

Regulation S-ID requires a written program to identify, detect, and respond to identity theft red flags — and to keep the program updated as threats change.

Vendor Oversight

Firms must oversee service providers that touch customer information, including contractual assurance that vendors notify the firm of a breach within 72 hours. FINRA flags third-party risk as a recurring exam finding.

Business Continuity

FINRA Rule 4370 requires a written business continuity plan covering data backup and recovery and mission-critical systems, reviewed annually and approved by senior management.

Supervision & Accountability

FINRA Rule 3110 places final responsibility for supervision on the member firm — including supervision of the technology and vendors the firm relies on. Outsourcing a function does not outsource the obligation.

Examination Focus

The SEC’s FY2026 priorities call cybersecurity a perennial examination priority: governance, data loss prevention, access controls, account management, and ransomware response and recovery.

Evidence, Not Intent

Both regulators examine documents: written policies, risk assessments, incident response test results, vendor due-diligence files, training records, and BCP review sign-offs.

SEC — Securities and Exchange Commission
Adopted May 16, 2024 — Fully in Effect June 3, 2026
Regulation S-P Amendments: Incident Response & 30-Day Customer Notification

The SEC adopted amendments to Regulation S-P covering broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents — collectively, “covered institutions.”

“The amendments require covered institutions to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.” — SEC Press Release 2024-58, May 16, 2024
“A covered institution must provide the notice as soon as practicable, but not later than 30 days, after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.” — 17 CFR § 248.30(a)(4)(iii)
Covered Institution Compliance Date
Larger entities — RIAs with $1.5 billion or more in AUM; investment companies with $1 billion or more in net assets (with related funds); broker-dealers and transfer agents that are not “small entities” under Exchange Act Rule 0-10December 3, 2025 (passed)
Smaller entities — all other covered institutionsJune 3, 2026 (passed)
What examiners ask for: Both compliance dates have passed — every covered institution must now evidence a written incident response program, customer notification procedures that meet the 30-day clock, and records documenting compliance. The SEC’s FY2026 priorities state examiners will check whether these policies were “developed, implemented, and maintained.”
SEC Press Release 2024-58
17 CFR § 248.30 — Current Rule Text
The Safeguards Rule: Written Policies for RIAs and Broker-Dealers
“Every covered institution must develop, implement, and maintain written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer information.” — 17 CFR § 248.30(a)(1)

The written policies must be reasonably designed to ensure the security and confidentiality of customer information, protect against anticipated threats or hazards, and protect against unauthorized access or use. The amended rule also extends oversight to service providers:

“Provide notification to the covered institution as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider.” — 17 CFR § 248.30(a)(5), service provider requirements
What examiners ask for: The written safeguards policy itself — not a description of practices. Examiners then test whether the document matches reality: access controls, encryption and disposal practices, and vendor contracts or oversight procedures that secure the 72-hour breach notification from service providers.
17 CFR § 248.30 (eCFR)
Adopted April 2013 — Actively Enforced
Regulation S-ID: Identity Theft Red Flags
“The SEC’s identity theft red flags rules require certain SEC-regulated entities to adopt a written identity theft program that includes policies and procedures designed to: identify relevant types of identity theft red flags; detect the occurrence of those red flags; respond appropriately to the detected red flags; and periodically update the identity theft program.”
“SEC-regulated entities that are likely to qualify as financial institutions or creditors and maintain covered accounts include most registered brokers, dealers, and investment companies, and some registered investment advisers.”

Regulation S-ID is actively enforced. In July 2022 the SEC charged JPMorgan Securities, UBS, and TradeStation for deficient identity theft prevention programs, with civil penalties of $1.2 million, $925,000, and $425,000 respectively.

What examiners ask for: The written identity theft prevention program, evidence it is administered (board or senior-management oversight, staff training records, service provider oversight), and proof it has been periodically updated — the FY2026 priorities specifically flag detection of red flags “during customer account takeovers and fraudulent transfers.”
SEC Identity Theft Red Flags Rules Guide
SEC Press Release 2022-131 (Enforcement)
November 17, 2025
FY2026 Examination Priorities: Cybersecurity, Reg S-ID & Reg S-P
“A perennial examination priority, the Division’s focus on cybersecurity practices by registrants remains vital to help ensure the safeguarding of customer records and information. Particular attention will be on firms’ policies and procedures pertaining to governance practices, data loss prevention, access controls, account management, and responses and recovery to cyber-related incidents, including those related to ransomware attacks.”
“The Division will assess compliance with Regulations S-ID and S-P, as applicable. Examinations will focus on firms’ policies and procedures, internal controls, oversight of third-party vendors, and governance practices.”
“After the applicable compliance dates, the Division will examine whether firms have developed, implemented, and maintained policies and procedures in accordance with the rule’s new provisions that address administrative, technical, and physical safeguards for the protection of customer information.”
What examiners ask for: The FY2026 priorities read like a document request list — governance records, data loss prevention configurations, access control reviews, account management procedures, and incident response and recovery evidence, with third-party vendor oversight named explicitly for both Reg S-ID and Reg S-P.
SEC FY2026 Exam Priorities (PDF)

Scope note: the SEC’s 2023 cybersecurity disclosure rules — Form 8-K Item 1.05 material incident reporting and Regulation S-K Item 106 — apply to public companies (issuers), not to registered advisers or broker-dealers as such. The rules on this page are the ones that govern advisory firms and broker-dealers directly.

FINRA — Financial Industry Regulatory Authority
December 9, 2025
2026 Annual Regulatory Oversight Report: Cybersecurity
“Cybersecurity incidents may expose firms to loss of customer information, financial losses, reputational risks and operational failures.”
“Rule 30 of SEC Regulation S-P requires member firms to, among other things, have written policies and procedures that address administrative, technical and physical safeguards for the protection of customer information.”

Effective practices FINRA highlights include:

“Use multi-factor authentication (MFA) for login access to the firm’s systems, including email and operational systems accessed by associated persons, firm staff, contractors and customers.”
“Regularly train staff on cybersecurity measures, including how to identify and report phishing or social engineering attacks.”

The report also reminds members of the Reg S-P deadlines — “Larger entities were required to comply with the amendments to Regulation S-P by Dec. 3, 2025. Smaller entities must comply with the amendments by June 3, 2026” — and tells firms to monitor risk arising from relationships with vendors.

What examiners ask for: FINRA exams probe the controls the report names — MFA coverage across staff, contractors, and customers; phishing and social engineering training records; imposter-domain monitoring; and vendor risk monitoring. The report doubles as FINRA’s notice that it treats Reg S-P compliance as its business too.
2026 Oversight Report — Cybersecurity
FINRA Rule 4370
Business Continuity Plans
“Each member must create and maintain a written business continuity plan identifying procedures relating to an emergency or significant business disruption.”
“Each member must also conduct an annual review of its business continuity plan to determine whether any modifications are necessary in light of changes to the member’s operations, structure, business, or location.”

The plan must address, at minimum: data backup and recovery (hard copy and electronic); all mission-critical systems; financial and operational assessments; alternate communications with customers and employees; alternate physical locations; critical business constituent, bank, and counterparty impact; regulatory reporting; communications with regulators; and prompt customer access to funds and securities if the firm cannot continue its business. A member of senior management must approve the plan and is responsible for the required annual review.

What examiners ask for: The written BCP itself, the dated annual review, and the senior-management approval — plus evidence the plan works: backup and recovery test results for the data and mission-critical systems the rule names. A ransomware event is a business disruption; examiners increasingly read Rule 4370 through that lens.
FINRA Rule 4370
FINRA Rule 3110
Supervision — Including Technology and Vendors
“Each member shall establish and maintain a system to supervise the activities of each associated person that is reasonably designed to achieve compliance with applicable securities laws and regulations, and with applicable FINRA rules.”
“Final responsibility for proper supervision shall rest with the member.”

FINRA lists Rule 3110 among the rules its cybersecurity examinations rest on. In practice, supervision extends to the systems and vendors a firm’s business runs on: a member that outsources email, trading platforms, or data storage retains full responsibility for supervising how those services protect customer information and comply with securities regulations.

What examiners ask for: Written supervisory procedures (WSPs) that cover technology and vendor-provided systems, designated principals responsible for them, and documentation showing the supervision actually happened — vendor due-diligence files, access reviews, and branch-office technology controls.
FINRA Rule 3110
Ongoing Guidance
FINRA Cybersecurity Guidance & Small Firm Tools

FINRA’s cybersecurity topic page anchors its examination approach: reviews of firms’ controls across technology governance, risk assessment, technical controls, access management, incident response, vendor management, data loss prevention, system change management, branch controls, and staff training — assessing, in FINRA’s words, “a firm’s ability to protect the confidentiality, integrity, and availability of sensitive customer information.”

For firms without large security teams, FINRA publishes the Report on Selected Cybersecurity Practices (2018), the Small Firm Cybersecurity Checklist, and Core Cybersecurity Threats and Effective Controls for Small Firms — practical baselines FINRA expects small members to have considered.

What examiners ask for: FINRA’s exam control categories map one-to-one to its guidance. A small firm that can produce a completed cybersecurity checklist, a current risk assessment, and evidence for each control category enters an exam with the record FINRA’s own tools define.
FINRA Cybersecurity Topic Page
Small Firm Cybersecurity Checklist

Exam-Ready Evidence for Every Requirement on This Page

FCI’s managed cybersecurity services produce the documented evidence these rules require — written safeguards, incident response, vendor oversight, and business continuity — mapped to what SEC and FINRA examiners actually request.