How to Use This Page
This page reorganizes the cybersecurity rules that govern broker-dealers, SEC-registered investment advisers (RIAs), and NYDFS-covered financial institutions into a structure designed for compliance officers, IT managers, and senior leadership who must operationalize and defend a program — not just read the rules.
Every regulation below is presented in five parts:
- The Rule — citation, effective dates, and what the regulation actually says
- The Obligation — what the firm must do, in plain English
- Technology Control — how the control is typically implemented (Microsoft 365 / Entra ID examples are used because that is what most of our clients run; the underlying control is what matters, not the vendor)
- How to Verify — how a CCO confirms the control is actually working without relying solely on the IT team's word
- Evidence for Examination — the artifact an examiner will ask for
A NIST CSF 2.0 function tag is included for each rule as MTradecraft's mapping layer, not a regulator-mandated taxonomy. Examiners increasingly reference the Framework's six functions — Govern, Identify, Protect, Detect, Respond, Recover — when structuring their requests. NYDFS itself does not require any specific framework but references nationally recognized frameworks, including NIST, as relevant points of reference.
A note on Microsoft 365: it is named throughout this page because the overwhelming majority of RIAs and small financial firms operate within the Microsoft 365 / Entra ID / Azure ecosystem. The technology examples are illustrative, not prescriptive. Firms running Google Workspace, on-premises Exchange, or hybrid environments must achieve the same control outcomes using equivalent native tooling.
Rule 206(4)-7 — Compliance Program Rule
NIST CSF 2.0 · Govern (GV) · Identify (ID)
1. The Rule
17 C.F.R. § 275.206(4)-7. Requires every SEC-registered investment adviser to (a) adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act, (b) review those policies at least annually for adequacy and effectiveness, and (c) designate a Chief Compliance Officer responsible for administering the program.
2. The Obligation
The firm must own a written cybersecurity compliance program that is current, effective, tested annually, and supervised by a qualified CCO. "Written" means written — not assumed, not delegated to the MSP, not described verbally. "Effective" means the firm can demonstrate that the policy is followed in practice, not just that the document exists.
3. Technology Control
The compliance program itself is a document, but its effectiveness rests on operational controls that produce evidence. In a Microsoft 365 environment, the foundational controls include:
- Documented baseline configuration for Entra ID, Exchange Online, SharePoint, and Intune
- Conditional Access policies governing user sign-in, device compliance, and risk-based authentication
- Audit logging enabled in Microsoft Purview with a defined retention period
- A documented annual cybersecurity review process with assigned owners, evidence collection, and a sign-off workflow
The technology control that operationalizes 206(4)-7 is not a single tool — it is the discipline of documenting the firm's intended security posture, configuring the tenant to enforce it, and reviewing both the document and the configuration on a fixed cadence.
4. How to Verify
The CCO should be able to answer three questions without calling the IT team or the MSP:
- When was the cybersecurity policy last reviewed, by whom, and what changed?
- What evidence exists that the controls described in the policy are actually in force in the production environment?
- If the SEC asked tomorrow for the firm's annual compliance review, what would we hand them?
If the answers require a phone call, the program is paper-only. Verification at this level means scheduled drift reports comparing the current M365/Azure configuration to the documented baseline, and an annual review meeting that produces a dated, signed memorandum.
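One way to produce the drift report this verification step calls for, as an added example (not MTradecraft's tooling or a Microsoft API): the baseline and the current export below are constructed samples, and the configuration shape, with tenant-level settings as keys and Conditional Access policies keyed by display name using the Graph-style `state` and `builtInControls` fields, is an assumed simplification.

```python
"""Drift report: compare a current tenant configuration export against the firm's
documented baseline and list every departure with a severity.

Added example for this page; not MTradecraft's tooling or a Microsoft API. The
configuration shape is an assumed simplification and both documents are constructed.
"""

# Documented baseline (constructed). 1825 days reflects the five-year retention
# discussed under Rule 204-2 elsewhere on this page.
BASELINE = {
    "auditLogRetentionDays": 1825,
    "securityDefaultsEnabled": False,
    "conditionalAccessPolicies": {
        "CA01-Require-MFA-All-Users": {"state": "enabled", "builtInControls": ["mfa"]},
        "CA02-Block-Legacy-Auth": {"state": "enabled", "builtInControls": ["block"]},
        "CA03-Require-Compliant-Device": {"state": "enabled", "builtInControls": ["compliantDevice"]},
    },
}

# Current export (constructed) with several kinds of drift seeded in.
CURRENT = {
    "auditLogRetentionDays": 365,
    "securityDefaultsEnabled": False,
    "conditionalAccessPolicies": {
        "CA01-Require-MFA-All-Users": {"state": "enabledForReportingOnly", "builtInControls": ["mfa"]},
        "CA02-Block-Legacy-Auth": {"state": "enabled", "builtInControls": ["block"]},
        "CA04-Guest-Access": {"state": "enabled", "builtInControls": ["mfa"]},
    },
}

# Settings where exceeding the baseline is acceptable (longer retention is fine).
MINIMUM_SETTINGS = {"auditLogRetentionDays"}


def _finding(item, expected, actual, severity):
    return {"item": item, "expected": expected, "actual": actual, "severity": severity}


def drift_report(baseline, current):
    """Return a list of findings describing where `current` departs from `baseline`."""
    findings = []

    # Tenant-level scalar settings.
    for key, expected in baseline.items():
        if key == "conditionalAccessPolicies":
            continue
        actual = current.get(key)
        if key in MINIMUM_SETTINGS:
            if actual is None or actual < expected:
                findings.append(_finding(key, f">= {expected}", actual, "high"))
        elif actual != expected:
            findings.append(_finding(key, expected, actual, "high"))

    # Conditional Access policies: missing, weakened, or not in the baseline.
    base_pol = baseline.get("conditionalAccessPolicies", {})
    cur_pol = current.get("conditionalAccessPolicies", {})
    for name, spec in base_pol.items():
        live = cur_pol.get(name)
        if live is None:
            findings.append(_finding(f"CA:{name}", "present", "missing", "high"))
            continue
        if live.get("state") != spec["state"]:
            # Report-only or disabled policies enforce nothing, so this is high.
            findings.append(_finding(f"CA:{name}.state", spec["state"], live.get("state"), "high"))
        lost = sorted(set(spec["builtInControls"]) - set(live.get("builtInControls", [])))
        if lost:
            findings.append(_finding(f"CA:{name}.builtInControls",
                                     spec["builtInControls"], live.get("builtInControls"), "high"))
    for name in sorted(set(cur_pol) - set(base_pol)):
        # Not necessarily wrong, but either the baseline document is stale or the
        # policy needs a documented justification.
        findings.append(_finding(f"CA:{name}", "not in baseline", "present", "review"))

    return findings


def summarize(findings):
    """Count findings by severity for the review memorandum."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    report = drift_report(BASELINE, CURRENT)
    for f in report:
        print(f"[{f['severity']}] {f['item']}: expected {f['expected']}, found {f['actual']}")
    print(summarize(report))
```

An empty report against the baseline is the artifact to file; a non-empty one is the remediation ticket and, once closed, the evidence that drift was caught.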
5. Evidence for Examination
- Dated, version-controlled cybersecurity policy with a clear revision history
- Annual review memorandum signed by the CCO documenting the scope, findings, and remediation status
- Configuration baseline document for the M365/Azure tenant
- Drift reports showing the tenant matches the baseline (or documenting and remediating where it does not)
- Board or senior-officer approval of the cybersecurity policy and material updates
Regulation S-P — Privacy, Safeguards, and Incident Response
NIST CSF 2.0 · Govern (GV) · Protect (PR) · Detect (DE) · Respond (RS) · Recover (RC)
1. The Rule
17 C.F.R. §§ 248.1–248.100. The 2024 amendments, effective August 2, 2024, expanded Regulation S-P substantially. Compliance deadlines are tiered:
- Larger entities — RIAs with $1.5B+ AUM, investment companies with $1B+ in net assets, and broker-dealers with $500K+ in net capital: December 3, 2025
- Smaller entities — RIAs under $1.5B AUM and most other covered entities: June 3, 2026
The amendments require covered institutions to:
- Adopt written administrative, technical, and physical safeguards to protect customer information (definition broadened to cover a wider range of nonpublic personal information)
- Develop, implement, and maintain a written incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information
- Notify affected individuals no later than 30 days after the firm becomes aware of an incident where sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization
- Oversee service providers and contractually require them to safeguard customer information and to notify the firm of incidents
- Maintain records of policies, incidents, notifications, and related compliance activities
2. The Obligation
The firm must protect customer information from unauthorized access, detect breaches when they occur, notify affected individuals within 30 days, and prove all of it with documentation. The shift from the prior version of the rule is that detection, response, recovery, vendor oversight, and individual notification are no longer best practices — they are explicit, written, testable requirements.
3. Technology Control
Safeguarding customer information (administrative, technical, physical):
- Encryption of customer data at rest in SharePoint, OneDrive, and Exchange; encryption in transit enforced via Conditional Access
- Multi-factor authentication for all users (see also NYDFS 500.12)
- Conditional Access policies blocking sign-in from unmanaged devices and untrusted locations
- Microsoft Purview Data Loss Prevention (DLP) policies that detect and block transmission of customer PII
- Sensitivity labels applied to documents containing customer information
- Role-based access controls via Entra ID groups, with least-privilege provisioning and quarterly access reviews
Incident response:
- Written incident response plan with assigned roles, communication trees, and the cyber insurance carrier's IR panel pre-documented
- Microsoft Defender XDR or equivalent EDR producing alerts that feed a documented triage process
- Defined runbooks for the most likely incident categories: business email compromise, ransomware, credential theft, third-party breach affecting firm data
- Pre-drafted notification templates for affected individuals and regulators
Service provider oversight:
- Vendor inventory listing every third party with access to customer information, with the data category accessed, contractual notification obligations, and last review date
- Standardized vendor due diligence questionnaire (DDQ) with documented review
4. How to Verify
For safeguards:
- Run a Microsoft Secure Score export and review the score and the unimplemented recommendations against the firm's documented baseline
- Pull the Entra ID sign-in logs and confirm that MFA was enforced for every authentication event in the last 90 days
- Review DLP policy reports for the volume and disposition of policy matches
- Confirm that every customer-data location (SharePoint sites, OneDrive accounts, mailbox folders) has appropriate sensitivity labels and access restrictions
For incident response:
- Conduct a tabletop exercise at least annually that walks through a realistic incident scenario from detection to individual notification, with timestamps
- Confirm that the cyber insurance carrier's IR panel contact information is current and that someone other than the CCO knows where to find it
For service provider oversight:
- Pull the vendor inventory and spot-check three vendors at random: when was their last DDQ review, do their contracts include incident notification clauses, and is their security documentation current?
5. Evidence for Examination
- Written cybersecurity policy with customer information safeguards explicitly addressed
- Written incident response program meeting the three Reg S-P minima: assessment, containment, notification
- Incident log covering attempted and successful incidents for the prior five years (see Rule 204-2)
- Notification templates and any actual notifications sent, with timestamps demonstrating the 30-day window was met
- Service provider inventory and completed DDQs
- Sample sensitivity labels and DLP policies in force
- Tabletop exercise after-action reports
Regulation S-ID — Identity Theft Red Flags
NIST CSF 2.0 · Identify (ID) · Detect (DE) · Respond (RS)
1. The Rule
17 C.F.R. § 248.201. Requires covered financial institutions and creditors to develop and implement a written Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft in connection with covered accounts. The program must identify relevant red flags, detect them, respond appropriately, and be updated periodically.
2. The Obligation
RIAs offering or maintaining covered accounts — generally those permitting multiple payments or transactions, such as accounts where clients can transfer funds — must have a documented Red Flags program. The program must list the specific red flags the firm watches for, describe how those red flags are detected, and define the firm's response.
3. Technology Control
- Documented enumeration of red flags relevant to the firm's account types — for example: address-of-record changes followed quickly by transfer requests, mismatched IP geolocation on client logins, requests to wire funds to new beneficiary accounts
- Email security tooling (Microsoft Defender for Office 365 or equivalent) configured to detect spoofed sender addresses and impersonation attempts
- Conditional Access policies flagging risky sign-ins on client portals
- For firms with client-facing portals: identity proofing on sensitive account changes (callback verification, multi-channel confirmation)
- Logging of every red-flag event and the firm's documented response
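The red flags enumerated above can be detected mechanically from an account-activity feed. The following is an added example, not MTradecraft's or any vendor's detection logic: the event format, the seeded beneficiary history, and the ten-day window are assumptions, and every record is constructed sample data.

```python
"""Red-flag detection over a constructed account-event stream: an address-of-record
change followed within a short window by a transfer request, and a wire to a
beneficiary the account has never paid before. Output entries are shaped for the
Reg S-ID red-flag log, with the response field left for operations to complete.

Added example for this page; event format, history and window are assumptions.
"""
from datetime import datetime, timedelta

# Constructed event stream (deliberately out of order to exercise sorting).
EVENTS = [
    {"ts": "2025-09-12T09:05:00", "account": "A-1001", "type": "wire", "beneficiary": "BENE-99"},
    {"ts": "2025-09-01T10:00:00", "account": "A-1001", "type": "wire", "beneficiary": "BENE-77"},
    {"ts": "2025-09-10T14:30:00", "account": "A-1001", "type": "address_change"},
    {"ts": "2025-08-15T11:00:00", "account": "A-2002", "type": "address_change"},
    {"ts": "2025-09-20T16:00:00", "account": "A-2002", "type": "wire", "beneficiary": "BENE-12"},
    {"ts": "2025-09-21T16:00:00", "account": "A-3003", "type": "wire", "beneficiary": "BENE-12"},
]

# Constructed beneficiary history from before the review period.
KNOWN_BENEFICIARIES = {"A-1001": {"BENE-77"}, "A-2002": {"BENE-12"}, "A-3003": set()}


def detect_red_flags(events, known_beneficiaries, window_days=10):
    """Return red-flag log entries, oldest first."""
    flags = []
    # Copy the history so the caller's reference data is never mutated.
    history = {acct: set(b) for acct, b in known_beneficiaries.items()}
    last_address_change = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        acct = e["account"]
        if e["type"] == "address_change":
            last_address_change[acct] = ts
            continue
        if e["type"] != "wire":
            continue
        changed = last_address_change.get(acct)
        if changed is not None and ts - changed <= timedelta(days=window_days):
            flags.append({"flag": "address_change_then_transfer", "account": acct,
                          "event_ts": e["ts"],
                          "detail": f"address changed {(ts - changed).days} day(s) earlier",
                          "response": None})
        seen = history.setdefault(acct, set())
        if e["beneficiary"] not in seen:
            flags.append({"flag": "new_beneficiary", "account": acct, "event_ts": e["ts"],
                          "detail": f"first wire to {e['beneficiary']}", "response": None})
            # Record it so a second wire to the same beneficiary is not re-flagged;
            # the first one is already in the log for callback verification.
            seen.add(e["beneficiary"])
    return flags


if __name__ == "__main__":
    for entry in detect_red_flags(EVENTS, KNOWN_BENEFICIARIES):
        print(entry)
```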
4. How to Verify
- Annually, walk through each enumerated red flag and ask: in the past year, has this red flag been detected? If yes, how was it handled? If no, are we confident our detection mechanism works?
- Test the detection by sending a known-spoofed email from a controlled address and confirming it was flagged
- Review wire transfer authorization procedures with the operations team and confirm callback verification is occurring
5. Evidence for Examination
- Written Identity Theft Prevention Program identifying covered accounts and red flags
- Log of red flags detected and the firm's response
- Annual program review documentation
- Training records demonstrating staff have been trained on the program
Rule 204-2 — Books and Records
NIST CSF 2.0 · Govern (GV) · Identify (ID) · Protect (PR)
1. The Rule
17 C.F.R. § 275.204-2. Requires SEC-registered investment advisers to make and keep specified books and records. As applied to cybersecurity, the rule requires retention of policies, communications relating to compliance, and records evidencing the firm's compliance program for at least five years from the end of the fiscal year in which the record was created — the first two years in an easily accessible location.
2. The Obligation
The firm must retain its cybersecurity policies, incident records, communications about cyber matters, evidence of policy reviews and testing, and the underlying records of any investigation, determination, or notification made in connection with a cybersecurity incident. Five years of retention. First two years immediately accessible.
3. Technology Control
- Microsoft Purview retention policies applied to mailboxes, SharePoint, OneDrive, and Teams covering cybersecurity-relevant content for five years minimum
- Retention labels for incident response artifacts (incident logs, forensic reports, notification records, after-action memos)
- Immutable retention (preservation lock) for incident records to prevent deletion before the retention period expires
- Audit log retention configured to the maximum available under the firm's M365 license (Audit Premium provides one year by default; longer retention requires explicit configuration)
- A defined records schedule that maps every Reg S-P artifact category to a retention label and a storage location
4. How to Verify
- Pull the Purview retention policy export and confirm that mailboxes, SharePoint sites, and Teams used for compliance work are covered
- Spot-check by attempting to delete a record under retention — the system should block the deletion
- Confirm audit log retention is set correctly; the default in many M365 licenses is shorter than 204-2 requires for cybersecurity-relevant logs
- Annually, sample a record from each of the past five years and confirm it is retrievable
5. Evidence for Examination
- Written records retention policy with cybersecurity records explicitly addressed
- Purview retention policy export showing coverage and retention periods
- A retrieval test demonstrating the firm can produce a specific record from year four or five
- Audit log configuration showing retention periods
- Sample records from each year of the retention window
Advisers Act Sections 204 and 206 — General Authority
NIST CSF 2.0 · Govern (GV)
1. The Rule
Section 204 (15 U.S.C. § 80b-4) gives the SEC general recordkeeping authority over investment advisers. Section 206 (15 U.S.C. § 80b-6) is the anti-fraud provision — it prohibits any adviser from engaging in fraudulent, deceptive, or manipulative practices.
2. The Obligation
The firm must not misrepresent its cybersecurity posture to clients, prospects, or regulators. Marketing claims about security, statements in Form ADV, and responses to client DDQs must be accurate and substantiable. A breach that affected client data must be disclosed when disclosure is required; misleading statements about a breach, or about controls that do not exist, are enforceable as fraud regardless of whether a specific cyber rule was violated.
3. Technology Control
This rule is governed primarily by process, not technology, but technology supports it:
- Every public claim about cybersecurity (in Form ADV, RFP responses, DDQ answers, marketing materials) is supported by an internal artifact demonstrating the claim is true
- Statements like "we use multi-factor authentication" are backed by an Entra ID Conditional Access export showing MFA enforcement
- Statements like "we encrypt customer data" are backed by encryption configuration evidence
- A defined review process before any cybersecurity statement is published externally
4. How to Verify
- Pull the firm's current Form ADV and identify every cybersecurity-related statement
- For each statement, locate the supporting evidence
- If supporting evidence cannot be produced within thirty minutes, the statement is at risk
5. Evidence for Examination
- Mapped index of public cybersecurity claims and supporting evidence
- Review and approval workflow for cybersecurity marketing content
- Documentation of any disclosure or notification made under Reg S-P or related obligations
Rule 206(4)-9 — Cybersecurity Risk Management (Withdrawn)
Status
Proposed in February 2022. Officially withdrawn on June 12, 2025.
Why this still matters
The proposed rule articulated the SEC's view of what a mature RIA cybersecurity program should look like — written policies, annual reviews, 48-hour incident reporting on a proposed Form ADV-C, vendor access governance. The withdrawal removed the prescriptive deadline; it did not remove examiner expectations. The proposal remains a useful indicator of the SEC staff's prior policy direction and overlaps heavily with current obligations under Reg S-P (as amended), Rule 206(4)-7, and Rule 204-2.
For programs already built to those rules there is no operational gap created by the withdrawal. Firms that built their programs assuming 206(4)-9 would never arrive are usually under-prepared for current examination expectations regardless.
FINRA rules apply to broker-dealers. RIAs without a broker-dealer affiliate are not directly subject to FINRA rules, but the cybersecurity expectations are substantially similar and FINRA guidance frequently aligns with SEC examination priorities.
Rule 3110 — Supervision
NIST CSF 2.0 · Govern (GV) · Identify (ID) · Detect (DE)
The Rule
Requires firms to establish and maintain a supervisory system reasonably designed to achieve compliance with applicable securities laws and FINRA rules.
Cybersecurity Obligation
The supervisory system must cover cybersecurity hygiene: access reviews, vendor technology decisions, supervision of associated persons' use of firm technology, and staff training. Common exam findings include outdated policies and missing periodic access reviews.
Technology Control
Quarterly Entra ID access reviews using Microsoft Entra Access Reviews; documented onboarding and offboarding workflows; periodic supervisory reviews of cybersecurity training completion and policy attestation.
Verification
Pull the Access Reviews report. Confirm that every reviewer completed every review, that decisions were documented, and that access changes were enforced. Confirm cybersecurity training completion rate exceeds the firm's documented threshold.
Evidence
Quarterly access review reports, training completion reports, supervisory review memoranda.
Rule 3120 — Supervisory Control System
NIST CSF 2.0 · Identify (ID) · Detect (DE)
The Rule
Requires annual testing and verification of supervisory controls.
Cybersecurity Obligation
Annual supervisory reviews should include cybersecurity exercises appropriate to the firm's risk profile — typical examples include phishing simulations, tabletop drills, and vendor evaluations.
Technology Control
Phishing simulation platform (FieldCraft or equivalent) running monthly campaigns; documented tabletop exercise program; vendor review schedule aligned to annual cycle.
Verification
Annual phishing simulation results with click rates and remediation; tabletop exercise after-action reports; vendor review log.
Evidence
Annual supervisory control test report covering cybersecurity exercises; phishing simulation history; tabletop exercise documentation.
Rule 4370 — Business Continuity Plans
NIST CSF 2.0 · Respond (RS) · Recover (RC)
The Rule
Requires written business continuity plans for significant business disruptions.
Cybersecurity Obligation
The BCP must explicitly cover cyber incidents — ransomware, distributed denial of service, prolonged platform outages — and must include recovery procedures, testing cadence, and response protocols.
Technology Control
Documented recovery time and recovery point objectives for critical systems; Microsoft 365 backup solution (native retention is not a backup — see the "M365 as a Books and Records issue" topic in The BrainTrust); tested failover procedures.
Verification
Annual BCP test that exercises the cyber incident scenarios specifically. Confirm that backups are tested by performing a real restore — not by inspecting the backup console.
Evidence
Current BCP with cyber scenarios; annual BCP test report; restore test documentation.
Rule 4530 — Reporting Requirements
NIST CSF 2.0 · Respond (RS)
The Rule
Requires firms to report specified events to FINRA, including certain customer complaints and disciplinary actions.
Cybersecurity Obligation
Rule 4530 is not a standalone cyber-incident reporting rule. The obligation, when a cybersecurity event occurs, is to evaluate whether the event triggers one of the rule's enumerated reporting categories — for example, customer complaints, internal discipline arising from a cyber incident, or other reportable events. Coordinate with legal counsel promptly when that evaluation is in play.
Technology Control
Process control. Incident response plan must include a Rule 4530 evaluation step at the appropriate stage of an incident.
Verification
During tabletop exercises, confirm the 4530 evaluation step is identified and executed.
Evidence
Incident response plan referencing Rule 4530 evaluation; any actual 4530 filings made in connection with cyber events.
Rule 3310 — AML Compliance Program
NIST CSF 2.0 · Detect (DE)
The Rule
Requires firms to detect and report suspicious transactions.
Cybersecurity Obligation
Integrate cybercrime indicators into AML monitoring — credential-stuffing patterns, anomalous logins, transactions following phishing-induced compromises. See FinCEN Advisory FIN-2016-A005 on cyber events and cyber-enabled crime.
Technology Control
Coordination between the AML monitoring platform and the firm's identity / Conditional Access logs; flagging procedures for transactions that follow anomalous authentication events.
Verification
Sample review of recent SARs (if any) and AML alerts to confirm cyber indicators are being considered.
Evidence
AML program documentation reflecting cyber indicators; SARs filed in connection with cyber events.
Rule 1220(b)(3) — Operations Professional, and Rule 2010 — Standards of Commercial Honor
These are foundational rules whose cybersecurity impact is principles-based rather than prescriptive. Operations personnel must demonstrate competence in secure data handling; material cybersecurity lapses can support violations of Rule 2010 even when no specific cyber rule is cited.
23 NYCRR Part 500 — NYDFS Cybersecurity Regulation
NIST CSF 2.0 · All six functions
1. The Rule
23 NYCRR Part 500 applies to entities licensed, registered, or chartered under New York Banking Law, Insurance Law, or Financial Services Law. The Second Amendment was finalized November 1, 2023; all transitional periods have now closed. The final phase of the Second Amendment — expanded multi-factor authentication and written asset inventory procedures — took effect November 1, 2025. The annual Certification of Material Compliance for calendar year 2025 was due April 15, 2026, signed by the covered entity's highest-ranking executive and CISO (or, if there is no CISO, the senior officer responsible for the cybersecurity program).
Key requirements include:
- §500.3 — Written cybersecurity policy, annually approved by a senior officer or the senior governing body
- §500.4 — Designation of a Chief Information Security Officer
- §500.5 — Vulnerability management: annual penetration testing by a qualified internal or external party (from both inside and outside the system boundaries); automated vulnerability scans, with manual review for systems not covered by automated scanning, at a frequency set by the firm's risk assessment and promptly after material system changes; documented monitoring, prioritization, and remediation
- §500.7 — Access privilege management, including limitations on privileged accounts; privileged access management for Class A companies
- §500.9 — Risk assessment, updated at least annually and whenever there are material changes
- §500.11 — Third-party service provider security policy
- §500.12 — Multi-factor authentication for all users (effective November 1, 2025)
- §500.13 — Asset management and data retention (effective November 1, 2025)
- §500.14 — Cybersecurity awareness training; endpoint detection and response and centralized logging for Class A companies
- §500.15 — Encryption of nonpublic information in transit and at rest
- §500.16 — Incident response and business continuity plans
- §500.17(a) — 72-hour notice to NYDFS of cybersecurity incidents; ransomware payment notice within 24 hours; notice of extortion payments within 30 days with written explanation
- §500.17(b) — Annual Certification of Material Compliance or Acknowledgment of Noncompliance, signed by the covered entity's highest-ranking executive (typically the CEO) and CISO; if the firm has no CISO, the senior officer responsible for the cybersecurity program signs in that role
Class A Companies
Entities with at least $20M in NY gross annual revenue and either 2,000+ employees or $1B+ in global gross annual revenue. These firms face additional requirements: independent audits, privileged access management solutions, endpoint detection and response with centralized logging, and automated blocking of commonly used passwords.
2. The Obligation
The firm must operate a comprehensive cybersecurity program covering governance, risk assessment, access controls, encryption, training, vendor oversight, incident response, and reporting — and must annually certify compliance with personal accountability resting on the firm's highest-ranking executive and the CISO. NYDFS has issued consent orders and fines (including a $30M settlement) for compliance failures, with MFA gaps among the most cited findings.
3. Technology Control
The MTradecraft baseline for an M365-centric NYDFS-covered firm:
Governance and risk:
- Named CISO (internal or outsourced under §500.4)
- Written cybersecurity policy reviewed and approved annually by the senior governing body
- Risk assessment updated annually and on material change
Identity and access:
- MFA enforced via Entra ID Conditional Access for all users; NYDFS guidance flags SMS-based MFA as weaker and push-based MFA without number matching as vulnerable to push-fatigue attacks, and recommends phishing-resistant methods (FIDO2 security keys, Windows Hello for Business, certificate-based authentication) where the firm's environment supports them
- Privileged Identity Management (PIM) for all administrative roles, with just-in-time elevation, approval workflow, and audit logging
- Quarterly access reviews using Entra Access Reviews
- Automated password blocking via Entra Password Protection (banned password list)
Data protection:
- Encryption at rest enforced across SharePoint, OneDrive, Exchange (native), with customer key for Class A firms where appropriate
- TLS 1.2+ enforced on all external connections
- Microsoft Purview DLP policies and sensitivity labels for nonpublic information
Detection and response:
- Microsoft Defender XDR or equivalent EDR for Class A firms
- Microsoft Sentinel or equivalent SIEM for centralized logging (Class A requirement)
- Documented incident response plan with NYDFS 72-hour notification procedures explicitly mapped
- Annual penetration test by a qualified internal or external party, from both inside and outside the system boundaries
- Automated vulnerability scans, with manual review for systems not covered by automated scanning, at a frequency set by the risk assessment and run promptly after material system changes
Asset management (§500.13):
- Written asset inventory procedures defining update frequency, validation method, and per-asset tracking (owner, location, classification, support expiration, RTO)
- Asset inventory maintained in accordance with the written procedure
Vendor oversight:
- Third-party service provider policy under §500.11
- DDQ process with documented review
4. How to Verify
- Run an Entra ID MFA enforcement report against the full user list; the gap must be zero (excluding documented and CISO-approved compensating controls)
- Pull the PIM activation log and confirm administrative role activations are time-bound and approved
- Confirm the firm's penetration test was conducted within the last twelve months by a qualified internal or external party and that findings have been remediated or risk-accepted with documentation
- Review the §500.17(b) certification supporting documentation as it would be presented to NYDFS — does it actually demonstrate material compliance, or does it rely on assertion?
- Confirm the asset inventory matches reality — sample five assets and verify the inventory entry against the live environment
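The MFA enforcement check above, and the matching Reg S-P verification step (pull the sign-in logs and confirm MFA was enforced for every authentication event in the last 90 days), can be run over an exported sign-in log. This is an added example, not MTradecraft's tooling or Microsoft's; it assumes the export is a JSON array using the Microsoft Graph `signIn` property names (userPrincipalName, createdDateTime, authenticationRequirement, conditionalAccessStatus, status.errorCode), and every record, user name, and exception below is constructed.

```python
"""Measure the MFA enforcement gap from an Entra ID sign-in log export against the
full directory user list.

Added example for this page; not MTradecraft's tooling or Microsoft's. Record shape
follows the Graph `signIn` property names (an assumption); all data is constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export: mixed outcomes, one event older than the review window.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@example.test", "createdDateTime": "2025-10-02T13:05:00Z",
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.test", "createdDateTime": "2025-10-03T09:12:00Z",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.test", "createdDateTime": "2025-10-04T17:40:00Z",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}},
    {"userPrincipalName": "svc-backup@example.test", "createdDateTime": "2025-10-05T02:00:00Z",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.test", "createdDateTime": "2025-06-01T09:12:00Z",
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
])

# Constructed directory export: the full user list the gap is measured against.
DIRECTORY_USERS = ["alice@example.test", "bob@example.test", "carol@example.test",
                   "dave@example.test", "svc-backup@example.test"]

# Hypothetical CISO-approved exceptions with documented compensating controls.
APPROVED_EXCEPTIONS = {"svc-backup@example.test"}

# Fixed review date so the 90-day window is reproducible; in practice use
# datetime.now(timezone.utc).
REVIEW_DATE = datetime(2025, 10, 6, tzinfo=timezone.utc)


def parse_signins(raw_json):
    """Parse the export into records with timezone-aware timestamps."""
    records = []
    for r in json.loads(raw_json):
        ts = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        records.append({**r, "ts": ts})
    return records


def single_factor_successes(records, window_days=90, now=REVIEW_DATE, exceptions=frozenset()):
    """Map each non-exempt user to the number of successful sign-ins in the window
    that completed with a single factor. Failed sign-ins (for example one blocked by
    Conditional Access) are not gaps: the control did its job."""
    cutoff = now - timedelta(days=window_days)
    gaps = {}
    for r in records:
        upn = r["userPrincipalName"].lower()
        if upn in exceptions or r["ts"] < cutoff or r["status"]["errorCode"] != 0:
            continue
        if r["authenticationRequirement"] != "multiFactorAuthentication":
            gaps[upn] = gaps.get(upn, 0) + 1
    return gaps


def users_without_evidence(records, directory_users, window_days=90, now=REVIEW_DATE,
                           exceptions=frozenset()):
    """Directory users with no successful sign-in in the window. Silence is not
    evidence of enforcement; each of these needs a separate check (dormant,
    disabled, or never exercised against the policy)."""
    cutoff = now - timedelta(days=window_days)
    seen = {r["userPrincipalName"].lower() for r in records
            if r["ts"] >= cutoff and r["status"]["errorCode"] == 0}
    return sorted(u.lower() for u in directory_users
                  if u.lower() not in seen and u.lower() not in exceptions)


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_EXPORT)
    print("single-factor successes:", single_factor_successes(recs, exceptions=APPROVED_EXCEPTIONS))
    print("no sign-in evidence:", users_without_evidence(recs, DIRECTORY_USERS,
                                                          exceptions=APPROVED_EXCEPTIONS))
```

A zero result from the first function is only half the evidence; the second list is the set of accounts for which the export proves nothing and which the memorandum must address separately.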
5. Evidence for Examination
- Annual Certification of Material Compliance (or Acknowledgment of Noncompliance), signed by the highest-ranking executive and CISO (or, if no CISO, by the highest-ranking executive and the senior officer responsible for the cybersecurity program)
- Written cybersecurity policy with senior-governing-body approval evidence
- Risk assessment with material-change updates documented
- Penetration test report (annual)
- Vulnerability scan reports and manual review records, with cadence consistent with the firm's risk assessment
- Asset inventory and written asset inventory procedure
- Third-party service provider policy and DDQ records
- MFA enforcement evidence
- Training records
- Incident response plan and any §500.17 notifications made
State Privacy Laws — Practical Impact for Financial Firms
Most state privacy laws (CCPA/CPRA in California, VCDPA in Virginia, CPA in Colorado, CTDPA in Connecticut, UCPA in Utah, and the growing number of similar statutes enacted since) include broad exemptions for entities subject to the Gramm-Leach-Bliley Act and personal information collected, processed, sold, or disclosed under GLBA. In practice this means most SEC-registered investment advisers and broker-dealers operate primarily under the federal regime — Reg S-P and Reg S-ID — for personal information processed in the course of providing financial services.
The exemptions are not absolute. Considerations include:
- Employee data — many state privacy laws cover employee personal information separately from financial customer data, even where the firm's customer data is exempt
- Marketing data — personal information collected outside a financial service context (general marketing inquiries, prospect lists) may fall outside GLBA exemption
- Texas Data Privacy and Security Act (TDPSA) — effective July 1, 2024, with GLBA exemption similar to other state laws; firms headquartered or operating in Texas should confirm the exemption analysis given the firm's specific data flows
- Massachusetts 201 CMR 17.00 — pre-dates the modern state privacy wave and imposes written information security program requirements on entities handling Massachusetts residents' personal information
Technology Control
A defensible state-law posture rests on the same controls already required by Reg S-P and 23 NYCRR Part 500 — written information security program, encryption, access controls, vendor oversight, and incident response. The marginal addition is data inventory: knowing which categories of personal information the firm holds, where they reside, and which legal regime governs each category.
Verification
Annual data mapping exercise. Confirm that customer financial data, employee data, and marketing data are each identified and matched to the governing regime.
Evidence for Examination
Data inventory; written information security program; vendor contracts with appropriate notification clauses; state-specific notifications, if any, sent in connection with prior incidents.
| Requirement | Primary Citation(s) | Regulator | Core Action | NIST CSF 2.0 |
|---|---|---|---|---|
| Written Cybersecurity Program | SEC Rule 206(4)-7; Reg S-P; 23 NYCRR §500.3; FINRA 3110 | SEC, NYDFS, FINRA | Maintain a current, board-approved cybersecurity policy | GV |
| Designated Cybersecurity Leader | SEC Rule 206(4)-7 (CCO); 23 NYCRR §500.4 (CISO) | SEC, NYDFS | Identify a qualified individual responsible for the program | GV |
| Risk Assessment | SEC examination practice; 23 NYCRR §500.9 | SEC, NYDFS | Document and update on material change; at least annually | ID |
| Annual Cyber Review | SEC Rule 206(4)-7; FINRA 3120; 23 NYCRR §500.3 | SEC, FINRA, NYDFS | Evaluate effectiveness; document results | ID, GV |
| Incident Response Program | Reg S-P §248.30; 23 NYCRR §500.16; FINRA 4370 | SEC, NYDFS, FINRA | Written program covering assessment, containment, recovery | RS, RC |
| Breach Notification — Individuals | Reg S-P §248.30 | SEC | 30 days from awareness of compromise of sensitive customer information | RS |
| Breach Notification — Regulator | 23 NYCRR §500.17(a) | NYDFS | 72 hours of incident determination; 24 hours for ransom payment | RS |
| Multi-Factor Authentication | 23 NYCRR §500.12; Reg S-P (implicit) | NYDFS, SEC | Phishing-resistant MFA for all users | PR |
| Encryption | 23 NYCRR §500.15; Reg S-P safeguards | NYDFS, SEC | Encryption at rest and in transit for nonpublic information | PR |
| Vendor / Third-Party Oversight | Reg S-P §248.30(b); 23 NYCRR §500.11; SEC Rule 206(4)-7 | SEC, NYDFS | DDQ, contractual safeguards, incident notification | GV, ID |
| Identity Theft Prevention | SEC Reg S-ID | SEC | Written Red Flags program; train and test | ID, DE, RS |
| Books & Records — Cyber | SEC Rule 204-2 | SEC | 5-year retention; first 2 years easily accessible | GV, PR |
| Asset Inventory | 23 NYCRR §500.13 | NYDFS | Written procedure plus maintained inventory | ID |
| Penetration Testing | 23 NYCRR §500.5 | NYDFS | Annual pen test by a qualified internal or external party | ID |
| Security Awareness Training | 23 NYCRR §500.14; FINRA 3120 | NYDFS, FINRA | Documented training with completion tracking | PR |
| Annual Certification | 23 NYCRR §500.17(b) | NYDFS | Signed by highest-ranking executive and CISO by April 15 | GV |
A firm that follows the verification guidance on this page will be better positioned to address many common examiner requests — provided the controls are implemented, documented, and reviewed in practice. The most common failure mode at small and mid-size RIAs is not the absence of policy; it is the absence of evidence that the policy has been followed.
MTradecraft's engagements are built around producing that evidence on a continuous schedule:
- Quarterly external attack surface reports
- Monthly M365 / Azure configuration drift monitoring against the firm's documented baseline (weekly under the Remote CISO tier)
- Continuous breach and credential exposure monitoring
- Annual policy refresh aligned to current SEC and NYDFS examination priorities
- For Remote CISO clients: named CISO function for Form ADV, vendor questionnaires, board reporting, and §500.4 disclosures, plus annual penetration testing and tabletop exercise
If your program rests on the MSP's word, on a policy document that hasn't been opened in eighteen months, or on the assumption that an examiner won't ask for evidence — the conversation worth having is whether continuous artifact production solves that problem at less than the cost of the gap.