SEC’s Examination Priorities for Fiscal Year 2025: A Focus on Cybersecurity, AI, and Compliance
The U.S. Securities and Exchange Commission (SEC) has unveiled its examination priorities for fiscal year 2025, a critical roadmap for market participants and financial institutions navigating an increasingly complex regulatory landscape. Each year, the SEC’s Division of Examinations publishes these priorities to highlight potential risks and guide the financial industry on areas of regulatory focus. For 2025, the SEC will concentrate on both long-standing and emerging risks, with particular emphasis on cybersecurity, artificial intelligence (AI), fiduciary duty, and standards of conduct.
Cybersecurity: A Top Priority
As cyberattacks become more frequent and sophisticated, cybersecurity has emerged as a central concern on the SEC’s examination agenda. In 2025, the SEC will closely scrutinize how registered entities—including investment advisers, broker-dealers, and clearing agencies—manage cybersecurity risks. The focus will be on safeguarding investor information, records, and assets against cyber threats, with an emphasis on policies and procedures governing data loss prevention, access controls, account management, and incident response.
The SEC will assess how firms respond to ransomware attacks and other cyber-related incidents, evaluating their ability to detect, mitigate, and recover from cyber intrusions. Firms are expected to maintain comprehensive and flexible cybersecurity programs that can adapt to the evolving threat landscape. A significant concern is the risk posed by third-party products and services, which can introduce vulnerabilities into a firm’s network. The SEC will review the cybersecurity risks associated with these external dependencies, particularly when firms utilize third-party technology or infrastructure without adequate oversight from their IT departments.
Additionally, the SEC will evaluate alternative trading systems and their ability to protect confidential trading information. Given the critical role these platforms play in capital markets, any breach of trading data could have significant repercussions.
Safeguarding Critical Infrastructure
The SEC’s focus on cybersecurity extends to entities subject to Regulation Systems Compliance and Integrity (SCI). These entities—such as exchanges, clearinghouses, and other critical market infrastructure—are required to maintain robust systems to ensure the integrity, resiliency, and availability of their operations. The SEC will examine the policies and procedures these entities have in place to manage operational risks, including their business continuity planning and incident response capabilities.
Examinations will also assess how SCI entities handle inbound and outbound connectivity during cyber events. The SEC will determine whether these entities have the necessary tools and procedures to disconnect or reconnect from third parties during a cyber incident without compromising the broader market. Furthermore, the effectiveness of security management tools employed by SCI entities will be evaluated to ensure they meet the organization’s security objectives.
Emerging Technologies: AI and Crypto Assets
In addition to cybersecurity, the SEC’s examination priorities for 2025 will focus on the integration of artificial intelligence (AI) in the financial industry. As AI technologies become more prevalent, the SEC is concerned with how these tools are being utilized in trading, investment, and advisory services. The division will review how firms leverage AI for decision-making and whether these technologies comply with regulatory standards.
The SEC will also continue its scrutiny of the crypto asset market, which has experienced increased volatility and regulatory attention. Examinations will focus on firms offering crypto asset-related services, ensuring they meet their obligations under federal securities laws. This includes reviewing the offer, sale, recommendation, and trading of crypto assets, with particular attention to retail investors and retirement accounts.
Moreover, the SEC will evaluate how firms manage the technological risks associated with crypto assets, especially those involving blockchain and distributed ledger technologies. The security of these assets remains a top concern, and the division will ensure that firms have adequate controls in place to protect investor funds.
Strengthening Compliance Programs
The SEC’s examination priorities for 2025 extend beyond cybersecurity and emerging technologies. The division will continue its focus on fiduciary duty, standards of conduct, and governance practices. Firms are encouraged to review their compliance programs to ensure they align with the expectations set forth by the SEC.
The division will assess whether firms adhere to proper standards when providing investment advice or making recommendations, particularly concerning retail investors or retirement assets. This includes ensuring that firms fully understand the products they offer and disclose all relevant risks to their clients.
Conclusion
As the financial landscape continues to evolve, the SEC’s examination priorities for fiscal year 2025 reflect a proactive approach to addressing both established and emerging risks. By focusing on cybersecurity, the integration of AI, and the management of crypto assets, the SEC aims to safeguard investor interests and maintain the integrity of the financial markets. Firms must remain vigilant and adaptable, ensuring their compliance programs are robust enough to meet the challenges of an increasingly complex regulatory environment. The SEC’s priorities serve as a crucial guide for market participants, emphasizing the importance of risk management and regulatory compliance in today’s dynamic financial ecosystem.