Regulations describe outcomes. Technology delivers them. Verification produces the artifacts examiners require. This page reorganizes the cybersecurity rules that govern broker-dealers, SEC-registered investment advisers (RIAs), and NYDFS-covered financial institutions into a structure designed for compliance officers, IT managers, and senior leadership who must operationalize and defend a program — not just read the rules.
Every regulation below is presented in five parts:
A NIST CSF 2.0 function tag is included for each rule as MTradecraft's mapping layer, not a regulator-mandated taxonomy. Examiners increasingly reference the Framework's six functions — Govern, Identify, Protect, Detect, Respond, Recover — when structuring their requests. NYDFS itself does not require any specific framework but references nationally recognized frameworks, including NIST, as relevant points of reference.
A note on Microsoft 365: it is named throughout this page because the overwhelming majority of RIAs and small financial firms operate within the Microsoft 365 / Entra ID / Azure ecosystem. The technology examples are illustrative, not prescriptive. Firms running Google Workspace, on-premises Exchange, or hybrid environments must achieve the same control outcomes using equivalent native tooling.
17 C.F.R. § 275.206(4)-7. Requires every SEC-registered investment adviser to (a) adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act, (b) review those policies at least annually for adequacy and effectiveness, and (c) designate a Chief Compliance Officer responsible for administering the program.
The firm must own a written cybersecurity compliance program that is current, effective, tested annually, and supervised by a qualified CCO. "Written" means written — not assumed, not delegated to the MSP, not described verbally. "Effective" means the firm can demonstrate that the policy is followed in practice, not just that the document exists.
The compliance program itself is a document, but its effectiveness rests on operational controls that produce evidence. In a Microsoft 365 environment, the foundational controls include:
The technology control that operationalizes 206(4)-7 is not a single tool — it is the discipline of documenting the firm's intended security posture, configuring the tenant to enforce it, and reviewing both the document and the configuration on a fixed cadence.
The CCO should be able to answer three questions without calling the IT team or the MSP:
If the answers require a phone call, the program is paper-only. Verification at this level means scheduled drift reports comparing the current M365/Azure configuration to the documented baseline, and an annual review meeting that produces a dated, signed memorandum.
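The drift report described above, as an added example that is not MTradecraft's tooling or the page's own code: a Python check that flattens a documented baseline and a tenant snapshot into dotted setting paths and lists every setting the snapshot contradicts or lacks. The policy names, setting paths and values are constructed for illustration; in practice the snapshot would come from a script that exports the tenant's Conditional Access policies and tenant settings on a schedule.

```python
"""Configuration drift check: documented baseline versus current tenant snapshot.

Added example, not MTradecraft's or the page's code. BASELINE is the firm's
written security posture expressed as data; CURRENT is a constructed stand-in
for a tenant export. Every setting path, policy name and value is assumed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Any

# The documented baseline: what the written policy says must be in force.
BASELINE = {
    "conditional_access": {
        "Require MFA for all users": {"state": "enabled", "excluded_users": 0},
        "Block legacy authentication": {"state": "enabled", "excluded_users": 0},
        "Require compliant device for M365 apps": {"state": "enabled", "excluded_users": 0},
    },
    "tenant": {"security_defaults": False, "guest_invites": "admins_only", "unified_audit_log": True},
    "exchange": {"external_forwarding": "blocked", "audit_retention_days": 365},
}

# Constructed snapshot of the tenant "today": one policy weakened to report-only,
# one given exclusions, one missing entirely, guest invitations opened up.
CURRENT = {
    "conditional_access": {
        "Require MFA for all users": {"state": "enabled", "excluded_users": 3},
        "Block legacy authentication": {"state": "enabledForReportingButNotEnforced", "excluded_users": 0},
    },
    "tenant": {"security_defaults": False, "guest_invites": "anyone", "unified_audit_log": True},
    "exchange": {"external_forwarding": "blocked", "audit_retention_days": 365},
}

_ABSENT = object()  # sentinel: setting not present in the snapshot at all


@dataclass(frozen=True)
class Drift:
    path: str        # dotted path into the baseline, e.g. "tenant.guest_invites"
    expected: Any    # value the written policy requires
    actual: Any      # value found in the snapshot, or None when the setting is absent


def _flatten(tree: dict, prefix: str = "") -> dict:
    """Turn nested dicts into {"a.b.c": leaf} so both sides compare uniformly."""
    flat = {}
    for key, value in tree.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(_flatten(value, path))
        else:
            flat[path] = value
    return flat


def compute_drift(baseline: dict, current: dict) -> list:
    """Every baseline setting the snapshot contradicts or lacks, sorted by path.

    Settings present only in the snapshot are ignored: the baseline is the
    contract, the snapshot is the evidence measured against it.
    """
    want, have = _flatten(baseline), _flatten(current)
    drifts = []
    for path in sorted(want):
        actual = have.get(path, _ABSENT)
        if actual is _ABSENT:
            drifts.append(Drift(path, want[path], None))
        elif actual != want[path]:
            drifts.append(Drift(path, want[path], actual))
    return drifts


def render_report(drifts: list, as_of: str) -> str:
    """Dated plain-text report suitable for filing with the annual review memorandum."""
    lines = [f"Configuration drift report as of {as_of}: {len(drifts)} item(s)"]
    for d in drifts:
        shown = "<absent>" if d.actual is None else repr(d.actual)
        lines.append(f"  {d.path}: expected {d.expected!r}, found {shown}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(compute_drift(BASELINE, CURRENT), date.today().isoformat()))
```

Run on the constructed data the report lists five items: the legacy-auth policy in report-only mode, three excluded users on the MFA policy, both leaves of the missing compliant-device policy, and the guest-invite setting. A clean run (snapshot equal to baseline) returns an empty list, which is the artifact the CCO files for that cycle.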
17 C.F.R. §§ 248.1–248.100. The 2024 amendments, effective August 2, 2024, expanded Regulation S-P substantially. Compliance was phased in by entity size:
Both compliance dates have now passed. As of June 3, 2026, the amended Regulation S-P is fully in effect for every covered institution, regardless of size. A firm that has not yet adopted the written incident response program, the 30-day individual notification procedures, and the service provider oversight requirements described below is out of compliance today — not preparing for a future deadline.
The amendments require covered institutions to:
The firm must protect customer information from unauthorized access, detect breaches when they occur, notify affected individuals within 30 days, and prove all of it with documentation. The shift from the prior version of the rule is that detection, response, recovery, vendor oversight, and individual notification are no longer best practices — they are explicit, written, testable requirements. The SEC is already enforcing these expectations: see the November 2025 enforcement action discussed under Regulation S-ID below, which charged safeguards failures alongside Red Flags program deficiencies.
Safeguarding customer information (administrative, technical, physical):
Incident response:
Service provider oversight:
For safeguards:
For incident response:
For service provider oversight:
17 C.F.R. § 248.201. Requires covered financial institutions and creditors to develop and implement a written Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft in connection with covered accounts. The program must identify relevant red flags, detect them, respond appropriately, and be updated periodically.
RIAs offering or maintaining covered accounts — generally those permitting multiple payments or transactions, such as accounts where clients can transfer funds — must have a documented Red Flags program. The program must list the specific red flags the firm watches for, describe how those red flags are detected, and define the firm's response.
On November 25, 2025, the SEC settled charges against a dual-registered investment adviser and broker-dealer operating a nationwide network of member firms for violations of both the Regulation S-P Safeguards Rule and Regulation S-ID. Between 2019 and 2024, unauthorized actors took over roughly 17 business email accounts across 13 member firms and sent credential-harvesting emails to approximately 8,500 recipients, including a significant number of customers; at least one compromise led to an unauthorized wire transfer. The SEC found the firm lacked an enterprise-wide multi-factor authentication requirement, an adequate incident response framework, and security training — and that its Identity Theft Prevention Program had not been materially updated since at least 2015 and did not address cybersecurity-related red flags. The firm was censured and paid a $325,000 civil penalty.
The takeaway for RIAs: a Red Flags program written once and left static is itself a deficiency. The program must be periodically updated to reflect the firm's actual threat profile — and business email compromise is now squarely within the red flags the SEC expects it to cover.
17 C.F.R. § 275.204-2. Requires SEC-registered investment advisers to make and keep specified books and records. As applied to cybersecurity, the rule requires retention of policies, communications relating to compliance, and records evidencing the firm's compliance program for at least five years from the end of the fiscal year in which the record was created — the first two years in an easily accessible location.
The firm must retain its cybersecurity policies, incident records, communications about cyber matters, evidence of policy reviews and testing, and the underlying records of any investigation, determination, or notification made in connection with a cybersecurity incident. Five years of retention. First two years immediately accessible.
Section 204 (15 U.S.C. § 80b-4) gives the SEC general recordkeeping authority over investment advisers. Section 206 (15 U.S.C. § 80b-6) is the anti-fraud provision — it prohibits any adviser from engaging in fraudulent, deceptive, or manipulative practices.
The firm must not misrepresent its cybersecurity posture to clients, prospects, or regulators. Marketing claims about security, statements in Form ADV, and responses to client DDQs must be accurate and substantiable. A breach that affected client data must be disclosed when disclosure is required; misleading statements about a breach, or about controls that do not exist, are enforceable as fraud regardless of whether a specific cyber rule was violated.
This rule is governed primarily by process, not technology, but technology supports it:
The proposed Rule 206(4)-9, since withdrawn, articulated the SEC's view of what a mature RIA cybersecurity program should look like — written policies, annual reviews, 48-hour incident reporting on a proposed Form ADV-C, vendor access governance. The withdrawal removed the prescriptive deadline; it did not remove examiner expectations. The proposal remains a useful indicator of the SEC staff's prior policy direction and overlaps heavily with current obligations under Reg S-P (as amended), Rule 206(4)-7, and Rule 204-2.
For programs already built to those rules, the withdrawal creates no operational gap. Firms that built their programs assuming 206(4)-9 would never arrive are usually under-prepared for current examination expectations regardless.
FINRA rules apply to broker-dealers. RIAs without a broker-dealer affiliate are not directly subject to FINRA rules, but the cybersecurity expectations are substantially similar and FINRA guidance frequently aligns with SEC examination priorities.
FINRA Rule 3110 requires firms to establish and maintain a supervisory system reasonably designed to achieve compliance with applicable securities laws and FINRA rules.
The supervisory system must cover cybersecurity hygiene: access reviews, vendor technology decisions, supervision of associated persons' use of firm technology, and staff training. Common exam findings include outdated policies and missing periodic access reviews.
Quarterly Entra ID access reviews using Microsoft Entra Access Reviews; documented onboarding and offboarding workflows; periodic supervisory reviews of cybersecurity training completion and policy attestation.
Pull the Access Reviews report. Confirm that every reviewer completed every review, that decisions were documented, and that access changes were enforced. Confirm that the cybersecurity training completion rate exceeds the firm's documented threshold.
Quarterly access review reports, training completion reports, supervisory review memoranda.
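The verification step above, as an added example that is not MTradecraft's or the page's own code: a Python pass over an access-review decisions export that applies the three checks (every principal decided, every decision justified, every Deny actually applied) and compares the training roster against the documented threshold. The records, addresses, field names and the 95% threshold are constructed for illustration.

```python
"""Verification of an Entra access review cycle and training completion.

Added example, not MTradecraft's or the page's code. The records below are
constructed to resemble what an access-review decisions export contains
(review name, reviewer, principal, decision, justification, whether the
decision was applied); field names, addresses and the threshold are assumed.
"""
from dataclasses import dataclass

# Constructed export of one quarter's access review decisions.
ACCESS_REVIEW_DECISIONS = [
    {"review": "Q1 Finance-Data Group", "reviewer": "cco@firm.example",
     "principal": "alice@firm.example", "decision": "Approve",
     "justification": "Active portfolio manager", "applied": True},
    {"review": "Q1 Finance-Data Group", "reviewer": "cco@firm.example",
     "principal": "bob@firm.example", "decision": "Deny",
     "justification": "Separated 2026-01-15", "applied": False},   # removal never enforced
    {"review": "Q1 Finance-Data Group", "reviewer": "cco@firm.example",
     "principal": "carol@firm.example", "decision": "NotReviewed",
     "justification": "", "applied": False},                        # reviewer skipped this row
    {"review": "Q1 Global Administrators", "reviewer": "ciso@firm.example",
     "principal": "dave@firm.example", "decision": "Approve",
     "justification": "", "applied": True},                         # approved without a reason
]

# Constructed training roster: user -> completed this cycle?
TRAINING_COMPLETION = {
    "alice@firm.example": True, "bob@firm.example": True, "carol@firm.example": False,
    "dave@firm.example": True, "erin@firm.example": True,
}
DOCUMENTED_THRESHOLD = 0.95  # assumed figure from the firm's written policy


@dataclass(frozen=True)
class Finding:
    review: str
    principal: str
    issue: str


def audit_access_reviews(decisions) -> list:
    """Apply the three checks from the verification step to every decision row."""
    findings = []
    for row in decisions:
        if row["decision"] == "NotReviewed":
            findings.append(Finding(row["review"], row["principal"],
                                    f"review incomplete: {row['reviewer']} left this principal undecided"))
            continue
        if not row["justification"].strip():
            findings.append(Finding(row["review"], row["principal"],
                                    "decision undocumented: no justification recorded"))
        if row["decision"] == "Deny" and not row["applied"]:
            findings.append(Finding(row["review"], row["principal"],
                                    "removal not enforced: Deny decision never applied"))
    return findings


def reviews_complete(decisions) -> dict:
    """Per review name: True only if every row in it was decided (for the summary memo)."""
    status = {}
    for row in decisions:
        status[row["review"]] = status.get(row["review"], True) and row["decision"] != "NotReviewed"
    return status


def training_completion(completion: dict, threshold: float) -> tuple:
    """(completion rate, whether it reaches the documented threshold)."""
    if not completion:
        return 0.0, False
    rate = sum(1 for done in completion.values() if done) / len(completion)
    return rate, rate >= threshold


if __name__ == "__main__":
    for f in audit_access_reviews(ACCESS_REVIEW_DECISIONS):
        print(f"[{f.review}] {f.principal}: {f.issue}")
    rate, ok = training_completion(TRAINING_COMPLETION, DOCUMENTED_THRESHOLD)
    print(f"training completion {rate:.0%} -> {'meets' if ok else 'BELOW'} threshold {DOCUMENTED_THRESHOLD:.0%}")
```

On the constructed export the pass produces three findings (an unreviewed principal, an unjustified approval of a Global Administrator, and a separated user whose removal was never applied) and reports training completion at 80%, below the documented threshold. Each finding is the kind of item that should appear, with its remediation, in the quarterly supervisory review memorandum.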
FINRA Rule 3120 requires annual testing and verification of supervisory controls.
Annual supervisory reviews should include cybersecurity exercises appropriate to the firm's risk profile — typical examples include phishing simulations, tabletop drills, and vendor evaluations.
Phishing simulation platform (FieldCraft or equivalent) running monthly campaigns; documented tabletop exercise program; vendor review schedule aligned to annual cycle.
Annual phishing simulation results with click rates and remediation; tabletop exercise after-action reports; vendor review log.
Annual supervisory control test report covering cybersecurity exercises; phishing simulation history; tabletop exercise documentation.
FINRA Rule 4370 requires written business continuity plans for significant business disruptions.
The BCP must explicitly cover cyber incidents — ransomware, distributed denial of service, prolonged platform outages — and must include recovery procedures, testing cadence, and response protocols.
Documented recovery time and recovery point objectives for critical systems; Microsoft 365 backup solution (native retention is not a backup — see the "M365 as a Books and Records issue" topic in The BrainTrust); tested failover procedures.
Annual BCP test that exercises the cyber incident scenarios specifically. Confirm that backups are tested by performing a real restore — not by inspecting the backup console.
Current BCP with cyber scenarios; annual BCP test report; restore test documentation.
FINRA Rule 4530 requires firms to report specified events to FINRA, including certain customer complaints and disciplinary actions.
Rule 4530 is not a standalone cyber-incident reporting rule. The obligation, when a cybersecurity event occurs, is to evaluate whether the event triggers one of the rule's enumerated reporting categories — for example, customer complaints, internal discipline arising from a cyber incident, or other reportable events. Coordinate with legal counsel promptly when that evaluation is in play.
Process control. Incident response plan must include a Rule 4530 evaluation step at the appropriate stage of an incident.
During tabletop exercises, confirm the 4530 evaluation step is identified and executed.
Incident response plan referencing Rule 4530 evaluation; any actual 4530 filings made in connection with cyber events.
FINRA Rule 3310 requires firms to detect and report suspicious transactions.
Integrate cybercrime indicators into AML monitoring — credential-stuffing patterns, anomalous logins, transactions following phishing-induced compromises. See FinCEN Advisory FIN-2016-A005 on cyber events and cyber-enabled crime.
Coordination between the AML monitoring platform and the firm's identity / Conditional Access logs; flagging procedures for transactions that follow anomalous authentication events.
Sample review of recent SARs (if any) and AML alerts to confirm cyber indicators are being considered.
AML program documentation reflecting cyber indicators; SARs filed in connection with cyber events.
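The flagging procedure described above, as an added example that is not MTradecraft's or the page's own code: Python detection logic that marks sign-ins as anomalous (outside the user's baseline countries, or carrying a high risk level from the identity provider) and then flags any wire or ACH initiated by that user within 48 hours. Both logs are constructed; the sign-in lines mimic the fields an identity log export carries and the transaction lines mimic a payment ledger. The per-user baseline countries, the 48-hour window and all addresses are assumptions.

```python
"""Correlating anomalous sign-ins with subsequent money movement.

Added example, not MTradecraft's or the page's code, illustrating the
"flagging procedures for transactions that follow anomalous authentication
events" described above. Both logs are constructed: the sign-in lines mimic
the fields an identity log export carries (time, user, country, result, risk
level) and the transaction lines mimic a firm's payment ledger. Per-user
baseline countries, the 48-hour window and all addresses are assumed.
"""
import csv
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from io import StringIO

# Constructed sign-in export: timestamp,user,country,result,risk_level
SIGNIN_LOG = """\
2026-03-02T09:12:00Z,alice@firm.example,US,Success,none
2026-03-02T22:47:00Z,alice@firm.example,NG,Success,high
2026-03-03T08:05:00Z,bob@firm.example,US,Success,none
2026-03-01T14:20:00Z,carol@firm.example,GB,Success,none
"""

# Constructed payment ledger: txn_id,timestamp,user,type,amount_usd
TRANSACTION_LOG = """\
T1001,2026-03-03T10:30:00Z,alice@firm.example,wire,48000
T1002,2026-03-03T11:00:00Z,bob@firm.example,wire,12000
T1003,2026-03-01T16:00:00Z,carol@firm.example,ach,5000
T1004,2026-03-06T09:00:00Z,alice@firm.example,wire,7000
"""

# Assumed per-user baseline of countries they normally sign in from.
BASELINE_COUNTRIES = {
    "alice@firm.example": {"US"},
    "bob@firm.example": {"US"},
    "carol@firm.example": {"US", "GB"},   # carol works from London regularly
}
WINDOW = timedelta(hours=48)  # assumed look-forward window after an anomalous sign-in


@dataclass(frozen=True)
class Anomaly:
    when: datetime
    user: str
    reasons: tuple


@dataclass(frozen=True)
class Alert:
    txn_id: str
    user: str
    amount_usd: int
    hours_after_signin: float
    reasons: tuple


def _ts(text: str) -> datetime:
    """Parse the export's 'Z' suffix into an aware UTC datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def find_anomalous_signins(log_text: str, baseline: dict) -> list:
    """Successful sign-ins from outside the user's baseline countries or rated high risk."""
    anomalies = []
    for when, user, country, result, risk in csv.reader(StringIO(log_text)):
        if result != "Success":
            continue   # failed attempts matter elsewhere; here only sessions that exist count
        reasons = []
        if country not in baseline.get(user, set()):
            reasons.append(f"sign-in from unusual country {country}")
        if risk == "high":
            reasons.append("identity provider risk level high")
        if reasons:
            anomalies.append(Anomaly(_ts(when), user, tuple(reasons)))
    return anomalies


def flag_transactions(txn_text: str, anomalies: list, window: timedelta = WINDOW) -> list:
    """Money movement initiated by a user within `window` after one of their anomalous sign-ins."""
    alerts = []
    for txn_id, when, user, _kind, amount in csv.reader(StringIO(txn_text)):
        t = _ts(when)
        for a in anomalies:
            if a.user == user and a.when <= t <= a.when + window:
                hours = (t - a.when).total_seconds() / 3600
                alerts.append(Alert(txn_id, user, int(amount), round(hours, 1), a.reasons))
                break   # one alert per transaction is enough for the AML review queue
    return alerts


if __name__ == "__main__":
    anomalies = find_anomalous_signins(SIGNIN_LOG, BASELINE_COUNTRIES)
    for alert in flag_transactions(TRANSACTION_LOG, anomalies):
        print(f"{alert.txn_id} ${alert.amount_usd:,} by {alert.user} {alert.hours_after_signin}h after: "
              + "; ".join(alert.reasons))
```

On the constructed data only T1001 is flagged: a $48,000 wire from alice's account about twelve hours after a high-risk sign-in from a country she has never used, which is exactly the pattern FIN-2016-A005 asks firms to consider when deciding whether a SAR is warranted. Carol's London sign-in is inside her baseline and produces nothing, and alice's later wire falls outside the window, so the queue stays short enough for a human to review.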
FINRA Rule 2010 and the related conduct standards are foundational rules whose cybersecurity impact is principles-based rather than prescriptive. Operations personnel must demonstrate competence in secure data handling; material cybersecurity lapses can support violations of Rule 2010 even when no specific cyber rule is cited.
23 NYCRR Part 500 applies to entities licensed, registered, or chartered under New York Banking Law, Insurance Law, or Financial Services Law. The Second Amendment was finalized November 1, 2023; all transitional periods have now closed. The final phase of the Second Amendment — expanded multi-factor authentication and written asset inventory procedures — took effect November 1, 2025. The annual Certification of Material Compliance for calendar year 2025 was due April 15, 2026, signed by the covered entity's highest-ranking executive and CISO (or, if there is no CISO, the senior officer responsible for the cybersecurity program).
Key requirements include:
The firm must operate a comprehensive cybersecurity program covering governance, risk assessment, access controls, encryption, training, vendor oversight, incident response, and reporting — and must annually certify compliance with personal accountability resting on the firm's highest-ranking executive and the CISO. NYDFS has issued consent orders and fines (including a $30M settlement) for compliance failures, with MFA gaps among the most cited findings.
The MTradecraft baseline for an M365-centric NYDFS-covered firm:
Governance and risk:
Identity and access:
Data protection:
Detection and response:
Asset management (§500.13):
Vendor oversight:
Most state privacy laws (CCPA/CPRA in California, VCDPA in Virginia, CPA in Colorado, CTDPA in Connecticut, UCPA in Utah, and the growing number of similar statutes enacted since) include broad exemptions for entities subject to the Gramm-Leach-Bliley Act and personal information collected, processed, sold, or disclosed under GLBA. In practice this means most SEC-registered investment advisers and broker-dealers operate primarily under the federal regime — Reg S-P and Reg S-ID — for personal information processed in the course of providing financial services.
The exemptions are not absolute. Considerations include:
A defensible state-law posture rests on the same controls already required by Reg S-P and 23 NYCRR Part 500 — written information security program, encryption, access controls, vendor oversight, and incident response. The marginal addition is data inventory: knowing which categories of personal information the firm holds, where they reside, and which legal regime governs each category.
Annual data mapping exercise. Confirm that customer financial data, employee data, and marketing data are each identified and matched to the governing regime.
Data inventory; written information security program; vendor contracts with appropriate notification clauses; state-specific notifications, if any, sent in connection with prior incidents.
| Requirement | Primary Citation(s) | Regulator | Core Action | NIST CSF 2.0 |
|---|---|---|---|---|
| Written Cybersecurity Program | SEC Rule 206(4)-7; Reg S-P; 23 NYCRR §500.3; FINRA 3110 | SEC, NYDFS, FINRA | Maintain a current, board-approved cybersecurity policy | GV |
| Designated Cybersecurity Leader | SEC Rule 206(4)-7 (CCO); 23 NYCRR §500.4 (CISO) | SEC, NYDFS | Identify a qualified individual responsible for the program | GV |
| Risk Assessment | SEC examination practice; 23 NYCRR §500.9 | SEC, NYDFS | Document and update on material change; at least annually | ID |
| Annual Cyber Review | SEC Rule 206(4)-7; FINRA 3120; 23 NYCRR §500.3 | SEC, FINRA, NYDFS | Evaluate effectiveness; document results | ID, GV |
| Incident Response Program | Reg S-P §248.30; 23 NYCRR §500.16; FINRA 4370 | SEC, NYDFS, FINRA | Written program covering assessment, containment, recovery | RS, RC |
| Breach Notification — Individuals | Reg S-P §248.30 | SEC | 30 days from awareness of compromise of sensitive customer information | RS |
| Breach Notification — Regulator | 23 NYCRR §500.17(a) | NYDFS | 72 hours of incident determination; 24 hours for ransom payment | RS |
| Multi-Factor Authentication | 23 NYCRR §500.12; Reg S-P (implicit) | NYDFS, SEC | Phishing-resistant MFA for all users | PR |
| Encryption | 23 NYCRR §500.15; Reg S-P safeguards | NYDFS, SEC | Encryption at rest and in transit for nonpublic information | PR |
| Vendor / Third-Party Oversight | Reg S-P §248.30(b); 23 NYCRR §500.11; SEC Rule 206(4)-7 | SEC, NYDFS | DDQ, contractual safeguards, incident notification | GV, ID |
| Identity Theft Prevention | SEC Reg S-ID | SEC | Written Red Flags program; train and test | ID, DE, RS |
| Books & Records — Cyber | SEC Rule 204-2 | SEC | 5-year retention; first 2 years easily accessible | GV, PR |
| Asset Inventory | 23 NYCRR §500.13 | NYDFS | Written procedure plus maintained inventory | ID |
| Penetration Testing | 23 NYCRR §500.5 | NYDFS | Annual pen test by a qualified internal or external party | ID |
| Security Awareness Training | 23 NYCRR §500.14; FINRA 3120 | NYDFS, FINRA | Documented training with completion tracking | PR |
| Annual Certification | 23 NYCRR §500.17(b) | NYDFS | Signed by highest-ranking executive and CISO by April 15 | GV |
A firm that follows the verification guidance on this page will be better positioned to address many common examiner requests — provided the controls are implemented, documented, and reviewed in practice. The most common failure mode at small and mid-size RIAs is not the absence of policy; it is the absence of evidence that the policy has been followed.
MTradecraft's engagements are built around producing that evidence on a continuous schedule:
If your program rests on the MSP's word, on a policy document that hasn't been opened in eighteen months, or on the assumption that an examiner won't ask for evidence — the conversation worth having is whether continuous artifact production solves that problem at less than the cost of the gap.
The core SEC rules are Rule 206(4)-7 (the compliance program rule), Regulation S-P (privacy, safeguards, and incident response), Regulation S-ID (identity theft red flags), and Rule 204-2 (books and records). Broker-dealers are additionally subject to FINRA rules including 3110, 3120, 4370, 4530, and 3310. Firms operating under a New York Department of Financial Services authorization may also be covered by 23 NYCRR Part 500.
Under the 2024 amendments to Regulation S-P, a covered firm must notify affected individuals no later than 30 days after it becomes aware of an incident in which sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.
The amendments became effective August 2, 2024, with tiered compliance deadlines. Larger entities — RIAs with $1.5 billion or more in assets under management, investment companies with $1 billion or more in net assets, and broker-dealers with $500,000 or more in net capital — had until December 3, 2025. Smaller entities, including RIAs under $1.5 billion in AUM, had until June 3, 2026. Both dates have now passed, so the amended rule is fully in effect for all covered institutions regardless of size.
Rule 206(4)-7 requires every SEC-registered investment adviser to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act, to review them at least annually for adequacy and effectiveness, and to designate a Chief Compliance Officer to administer the program. Applied to cybersecurity, that means a written, current, annually tested compliance program supported by operational controls that produce evidence the policy is actually in force.
Regulation S-ID applies to RIAs that offer or maintain "covered accounts" — generally accounts that permit multiple payments or transfers, such as those that let clients move funds. Those firms must maintain a written Identity Theft Prevention Program that identifies the relevant red flags, describes how the firm detects them, and defines the firm's response, and they must update it periodically.