SEC's 2025 Exam Priorities Include Cybersecurity and AI

On November 21, 2024, the Securities and Exchange Commission’s (SEC's) Division of Examinations (the Division) released its 2025 examination priorities. 

This year’s examinations will prioritize perennial and emerging risk areas, such as fiduciary duty, standards of conduct, cybersecurity, and artificial intelligence (AI).

Amongst other things, the Division will continue to review information security programs and operational resiliency against cybersecurity attacks in order to ensure the safeguarding of customer records and information. The Division will continue to assess cybersecurity risks and resiliency goals associated with third-party products, sub-contractors, and any information technology (IT) resources used by the business without the IT department’s approval, knowledge or oversight, or non-supported infrastructure. Furthermore, the Division will also focus on the effectiveness of incident response plans and will evaluate policies and procedures regarding the decision to disconnect or reconnect from another registrant or third-party that is experiencing a cyber event. 

The Division further stated that if advisers integrate AI into advisory operations, including portfolio management, trading, marketing, and compliance, an examination may look in-depth at compliance policies and procedures as well as disclosures to investors related to these areas.  In addition, the Division stated that it will assess whether firms have implemented adequate policies and procedures to monitor and/or supervise their use of AI, including for tasks related to fraud prevention and detection, back-office operations, anti-money laundering (AML), and trading functions, as applicable. Furthermore, the Division will examine how registrants protect against loss or misuse of client records and information that may occur from the use of third-party AI models and tools.