
Cybersecurity Regulatory Risk Management for Investment Advisors and Broker-Dealers

Published: Jul 29, 2025

Looming technology threats and evolving regulations are two concerns that weigh on investment advisors and broker-dealers. Meeting regulatory expectations can seem daunting, especially with the emergence of new technology and the unpredictable nature of breaches. Even minor breaches carry significant financial, legal, and reputational consequences. Advisors and dealers must stay aware of current cybersecurity regulations, technology trends, and actionable strategies to mitigate potential risks.

Key Takeaways:

  • It's imperative to have a strategic cybersecurity risk management approach.
  • Compliance doesn’t guarantee security. Real resilience demands proactive, continuous improvement.
  • Do not let uncertainty delay your cybersecurity progress. Consult with a third-party expert to build or enhance your cybersecurity framework.

2025 Regulatory Landscape Shifts and Their Impact

As questions persist about how to best navigate emerging technologies while protecting companies, investment advisors, and broker-dealers, federal and state governments are focused on data privacy laws and on creating new regulations. Because the United States' framework continues to evolve, organizations must stay current to maintain data compliance and steady business operations. Organizations should implement a robust and dynamic data privacy framework to effectively protect their employees, clients, and stakeholders. A key example of how organizations can safeguard their people and sensitive client information can be seen in the rules outlined in the amended Regulation S-P for broker-dealers and investment advisers. The amendment provides new guidelines for organizations to develop, protect, and maintain security, such as:

  • Incident response programs
  • Notification requirements
  • Service provider oversight

While broker-dealers and investment advisers are required to implement these guidelines, any firm that does so will be better prepared to detect, respond to, and recover from a threat, and better positioned to adopt new, innovative technologies such as artificial intelligence (AI).

AI sparks many questions and concerns among businesses and governments. With the newness and unknowns comes a lack of trust and an increased need for regulatory protection. Governments are developing AI regulations that will emphasize risk management and transparency. This will help organizations strengthen their security posture, policies, and overall business environment.

Impact of the June 2025 Withdrawals

In June 2025, the SEC proposed withdrawing 14 rules, several of which pertained to cybersecurity and AI governance for financial institutions. The withdrawal ultimately means there will be less stringent government oversight, leading to a slew of operational challenges.

The Regulatory Vacuum and Compliance Implications

Currently, organizations in the United States face a regulatory vacuum, meaning there are no clear regulations, laws, or oversight processes in place. This ‘vacuum’ typically occurs when technologies develop faster than governing parties can keep up or when existing regulations no longer apply to the new landscape. The gap in regulation leads to several compliance challenges, such as balancing limited compliance resources to address cybersecurity risks, as well as having confidence that an adequate compliance program and governance framework are in place, as there is no official in-depth guidance to follow. Even without the official framework, organizations must still develop strong cybersecurity policies to have a strategic and proactive approach to cybersecurity and AI governance.

Cybersecurity Threat Landscape for Financial Services

As industries rely more heavily on efficient and reliable technology, their exposure to technology-driven risk grows with it. Professionals in the financial services industry face many threats and vulnerabilities.

Threats Investment Advisors Face

Investment advisors often handle confidential information, leaving them, their investments, and their stakeholders vulnerable to threats and regulatory risks. Common threats include social engineering targeted at client accounts, wire fraud, and credential harvesting. These threats have critical business impacts on investment advisors and could result in a loss of investment, stakeholder trust, and overall financial and reputational damages.

Broker-Dealer Vulnerabilities

Similar to investment advisors, broker-dealers are also subject to cyber-attacks and threats. Bad-faith actors employ exploitation tactics against complex systems, increasing risk and exposure. In fact, 88% of broker-dealers report being targets of cyber attacks such as phishing scams or employee misconduct, either directly or through their third-party vendors. This large number underscores the importance of a strong cybersecurity foundation; without one, an attack has the potential to severely disrupt business operations.

Mitigating Cybersecurity Risks: Best Practices

As the SEC continues to evolve cyber risk management regulations, investment advisors and broker-dealers must understand the importance of strong cyber controls. Advisors and dealers must proactively plan prior to the threat. To do so, the most effective steps include:

  • Conducting a cybersecurity risk assessment: A complete review of a firm’s cybersecurity policies and procedures should reveal any control deficiencies. Without such an assessment, no firm can be sure how best to prevent breaches of customer data.
  • Performing penetration and vulnerability testing: Firms must understand how vulnerable client/customer data is before they can protect the information. Prior enforcement cases have made it clear that failure to adequately protect customer information under Reg S-P will result in regulatory sanctions. As a result, many advisors and brokers hire third parties for vulnerability testing.
  • Examining the adequacy of policies and procedures: Advisors and brokers often fail to establish and implement policies and procedures that are reasonably designed to prevent and detect non-compliance. Cybersecurity is no different. Compliance officers should collaborate with their firm’s chief information security officers (CISOs) or equivalent to adequately address information security, technology policies, and cyber risks.
  • Reviewing business continuity plans: The SEC’s proposed rule suggests that BCPs should incorporate cybersecurity disruptions. When testing a BCP’s effectiveness, simulate scenarios where a cyber breach triggers the activation of an incident response plan.

Building Cybersecurity Resilience

In the digital age, investment advisors and broker-dealers must continue to prioritize compliance in terms of impact and effort. Establishing a robust compliance and data governance framework will enable them to develop better practices, which will have a positive overall effect on the firm. At EisnerAmper, we understand the importance of data governance, technology integration, and maintaining compliance. Our cross-functional cyber compliance team and financial services group work together to develop an integrated approach that helps secure sensitive information, perform ongoing monitoring, and effectively manage policies. Learn how EisnerAmper can help protect you, your investments, and your information today.
