Regulatory Reference
SEC & FINRA Cybersecurity Requirements for Advisors and Broker-Dealers
Registered investment advisers and broker-dealers are subject to binding cybersecurity rules — Regulation S-P, Regulation S-ID, and FINRA Rules 3110 and 4370 — plus annual examination priorities that test how firms evidence them. This page compiles the requirements, exact language, and source documents in one place.
By Brian Edelman, Founder & CEO, FCI Cyber · Last updated: July 2026
SEC-registered advisors and FINRA member broker-dealers face overlapping cybersecurity requirements: Regulation S-P’s Safeguards Rule and its 2024 incident-response amendments, Regulation S-ID identity theft programs, and FINRA Rules 3110 and 4370. All are now fully in effect — the final Reg S-P compliance date passed on June 3, 2026 — and examiners test documented evidence, not intent.
Related: Compliance Readiness · Firm Security · NYDFS Part 500 · AI Regulatory Guidance
Summary
What Both Regulators Require
SEC rules and FINRA rules approach cybersecurity from different angles — consumer privacy, market integrity, supervision — but converge on the same set of documented, testable controls.
Regulation S-P’s Safeguards Rule requires written policies and procedures addressing administrative, technical, and physical safeguards for customer information. This is the foundation document examiners request first.
The 2024 Reg S-P amendments require a written incident response program that detects, responds to, and recovers from unauthorized access — and notifies affected individuals within 30 days.
Regulation S-ID requires a written program to identify, detect, and respond to identity theft red flags — and to keep the program updated as threats change.
Firms must oversee service providers that touch customer information, including contractual assurance that vendors notify the firm of a breach within 72 hours. FINRA flags third-party risk as a recurring exam finding.
FINRA Rule 4370 requires a written business continuity plan covering data backup and recovery and mission-critical systems, reviewed annually and approved by senior management.
FINRA Rule 3110 places final responsibility for supervision on the member firm — including supervision of the technology and vendors the firm relies on. Outsourcing a function does not outsource the obligation.
The SEC’s FY2026 priorities call cybersecurity a perennial examination priority: governance, data loss prevention, access controls, account management, and ransomware response and recovery.
Both regulators examine documents: written policies, risk assessments, incident response test results, vendor due-diligence files, training records, and BCP review sign-offs.
The SEC adopted amendments to Regulation S-P covering broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents — collectively, “covered institutions.”
| Covered Institution | Compliance Date |
|---|---|
| Larger entities — RIAs with $1.5 billion or more in AUM; investment companies with $1 billion or more in net assets (with related funds); broker-dealers and transfer agents that are not “small entities” under Exchange Act Rule 0-10 | December 3, 2025 (passed) |
| Smaller entities — all other covered institutions | June 3, 2026 (passed) |
The written policies must be reasonably designed to ensure the security and confidentiality of customer information, protect against anticipated threats or hazards, and protect against unauthorized access or use. The amended rule also extends oversight to service providers:
Regulation S-ID is actively enforced. In July 2022 the SEC charged JPMorgan Securities, UBS, and TradeStation for deficient identity theft prevention programs, with civil penalties of $1.2 million, $925,000, and $425,000 respectively.
SEC Press Release 2022-131 (Enforcement)
Scope note: the SEC’s 2023 cybersecurity disclosure rules — Form 8-K Item 1.05 material incident reporting and Regulation S-K Item 106 — apply to public companies (issuers), not to registered advisers or broker-dealers as such. The rules on this page are the ones that govern advisory firms and broker-dealers directly.
Effective practices FINRA highlights include:
The report also reminds members of the Reg S-P deadlines — “Larger entities were required to comply with the amendments to Regulation S-P by Dec. 3, 2025. Smaller entities must comply with the amendments by June 3, 2026” — and tells firms to monitor risk arising from relationships with vendors.
The plan must address, at minimum: data backup and recovery (hard copy and electronic); all mission-critical systems; financial and operational assessments; alternate communications with customers and employees; alternate physical locations; critical business constituent, bank, and counterparty impact; regulatory reporting; communications with regulators; and prompt customer access to funds and securities if the firm cannot continue its business. A member of senior management must approve the plan and is responsible for the required annual review.
FINRA lists Rule 3110 among the rules its cybersecurity examinations rest on. In practice, supervision extends to the systems and vendors a firm’s business runs on: a member that outsources email, trading platforms, or data storage retains full responsibility for supervising how those services protect customer information and comply with securities regulations.
FINRA’s cybersecurity topic page anchors its examination approach: reviews of firms’ controls across technology governance, risk assessment, technical controls, access management, incident response, vendor management, data loss prevention, system change management, branch controls, and staff training — assessing, in FINRA’s words, “a firm’s ability to protect the confidentiality, integrity, and availability of sensitive customer information.”
For firms without large security teams, FINRA publishes the Report on Selected Cybersecurity Practices (2018), the Small Firm Cybersecurity Checklist, and Core Cybersecurity Threats and Effective Controls for Small Firms — practical baselines FINRA expects small members to have considered.
Small Firm Cybersecurity Checklist
Reference
Source Documents
| Regulator | Document | Date |
|---|---|---|
| SEC | Regulation S-P Amendments (Press Release 2024-58) | May 2024 |
| SEC | 17 CFR § 248.30 — Safeguards & Incident Response (eCFR) | Current |
| SEC | Identity Theft Red Flags Rules (Reg S-ID) Compliance Guide | Apr 2013 |
| SEC | Reg S-ID Enforcement (Press Release 2022-131) | Jul 2022 |
| SEC | FY2026 Examination Priorities | Nov 2025 |
| FINRA | 2026 Annual Regulatory Oversight Report — Cybersecurity | Dec 2025 |
| FINRA | Reg S-P Compliance Date Reminder | Nov 2025 |
| FINRA | Rule 4370 (Business Continuity Plans) | Current |
| FINRA | Rule 3110 (Supervision) | Current |
| FINRA | Cybersecurity Key Topics & Reports | Ongoing |
| FINRA | Small Firm Cybersecurity Checklist | Ongoing |
Exam-Ready Evidence for Every Requirement on This Page
FCI’s managed cybersecurity services produce the documented evidence these rules require — written safeguards, incident response, vendor oversight, and business continuity — mapped to what SEC and FINRA examiners actually request.