The SEC's cybersecurity rules for investment advisers and registered investment companies, adopted in 2023, represent the most significant regulatory shift in financial services cybersecurity since the Gramm-Leach-Bliley Act's Safeguards Rule. They are not guidance. They are enforceable requirements — and the SEC's examination division is actively looking for compliance gaps.
For Queens-area financial advisors — whether you're a solo RIA in Forest Hills, a multi-advisor practice in Bayside, or a broker-dealer operation in Jamaica — these rules apply to you. Understanding what's required and what constitutes a gap is not optional if you want to avoid enforcement action.
The Disclosure Requirements
For public companies and registered entities, the SEC's rules require disclosure of material cybersecurity incidents within four business days of determining that an incident is material. They also require annual disclosure of cybersecurity risk management policies, the board's oversight role, and management's cybersecurity expertise.
For investment advisers specifically, the updated Advisers Act rules require written cybersecurity policies and procedures reasonably designed to address cybersecurity risks. These must be reviewed and updated at least annually, and you must maintain records of your cybersecurity incidents.
⚠️ Exam focus: SEC examination staff have specifically stated they are reviewing whether firms' written cybersecurity policies actually match their implemented practices. A policy document that doesn't reflect what you actually do is potentially worse than no policy — it can be used as evidence of a knowing misrepresentation.
NYS DFS 23 NYCRR 500: New York's Own Cybersecurity Regulation
Financial services firms regulated by the New York State Department of Financial Services face an additional layer of compliance under 23 NYCRR 500 — one of the most detailed state-level cybersecurity regulations in the country. The 2023 amendments significantly expanded the requirements, including new obligations for larger covered entities and stricter timelines for everyone.
Key requirements under the amended 23 NYCRR 500 include: annual penetration testing, vulnerability assessments, multi-factor authentication on all remote access and privileged accounts, encryption of nonpublic information in transit and at rest, and — critically — 72-hour notification to DFS of material cybersecurity events.
What Your Firm Actually Needs in Place
Financial Advisor Cybersecurity Compliance Checklist
- Written cybersecurity policy reviewed and updated annually, signed by a responsible officer
- Annual risk assessment documented and retained
- Multi-factor authentication on all systems containing customer financial data and all remote access
- Encryption of customer nonpublic information at rest and in transit
- Annual penetration test (DFS requirement) and quarterly vulnerability scans
- Incident response plan with specific notification procedures for SEC (4-day) and DFS (72-hour) timelines
- Third-party vendor oversight program with documented due diligence for vendors with access to customer data
- Annual cybersecurity training for all personnel with access to customer information
- Audit logs retained for minimum 6 years (FINRA requirement)
Wire Fraud and BEC: The Financial Sector's Biggest Cyber Threat
Regulatory compliance is the floor, not the ceiling, of financial services cybersecurity. The most financially damaging threat facing Queens financial advisors is not a regulatory violation — it's Business Email Compromise targeting client wire transfers. Financial advisory firms are among the highest-value BEC targets because they routinely process large wire transfers on behalf of clients, and attackers specifically impersonate advisors to redirect those wires.
The controls that address BEC — email authentication (DMARC/DKIM/SPF), MFA, advanced email threat protection, and out-of-band wire verification protocols — also satisfy multiple regulatory requirements simultaneously. This is where a security-first IT strategy pays for itself.
