The U.S. Securities and Exchange Commission (SEC) has released its examination priorities for fiscal year 2025. The SEC’s Division of Examinations publishes its priorities annually to inform market participants of potential risks and to guide the financial industry on areas of regulatory focus. For the upcoming year, the SEC 2025 examination agenda will concentrate on both long-standing and emerging risks, including cybersecurity, artificial intelligence (AI), fiduciary duty, and standards of conduct.
A significant focus of the SEC 2025 priorities is cybersecurity, reflecting the growing threat of cyberattacks on the financial sector. The division will closely examine how registered entities, including investment advisers, broker-dealers, and clearing agencies, manage cybersecurity risks, particularly those that could compromise critical services, investor data, or financial stability.
SEC 2025 Examination Agenda: Cybersecurity, a Top Priority
Cybersecurity has become a central concern for the SEC 2025 examination agenda as cyberattacks grow in frequency. In 2025, the SEC will scrutinize how firms are safeguarding investor information, records, and assets against cyber threats. The focus will be on policies and procedures that govern data loss prevention, access controls, account management, and incident response.
The SEC 2025 priorities will also assess how firms respond to ransomware attacks and other cyber-related incidents. This includes evaluating their ability to detect, mitigate, and recover from cyber intrusions. Firms must ensure that their cybersecurity programs are not only comprehensive but also flexible enough to address the changing threat landscape.
Particularly concerning is the risk posed by third-party products and services, which can introduce vulnerabilities into a firm’s network. The division will review the cybersecurity risks associated with these external dependencies, especially when firms use third-party technology or infrastructure without proper oversight from their IT departments. This lack of oversight can lead to gaps in security and increase the likelihood of a breach.
As part of the examination process, the division will also evaluate alternative trading systems and their ability to protect confidential trading information. These platforms are critical to the functioning of capital markets, and any breach of trading data could have significant repercussions.
Safeguarding Critical Infrastructure
The SEC’s focus on cybersecurity extends to its examination of entities subject to Regulation Systems Compliance and Integrity (SCI). SCI entities—such as exchanges, clearinghouses, and other critical market infrastructure—are required to maintain strong systems to ensure the integrity, resiliency, and availability of their operations. These entities play a key role in ensuring the stability of the U.S. capital markets, and any disruption could have far-reaching consequences.
For 2025, the SEC will examine the policies and procedures these entities have in place to manage operational risks, including their business continuity planning and incident response capabilities. This includes reviewing how SCI entities handle inbound and outbound connectivity during cyber events. The division will assess whether these entities have the necessary tools and procedures in place to disconnect or reconnect from third parties during a cyber incident without compromising the broader market.
In addition, the SEC will evaluate the effectiveness of security management tools employed by SCI entities. These tools are essential for detecting and mitigating cyber threats, and the SEC will ensure that they are capable of meeting the security objectives of the organization.
Emerging Technologies: AI and Crypto Assets
Alongside cybersecurity, the SEC’s examination priorities for 2025 include a focus on the use of artificial intelligence (AI) in the financial industry. As AI technologies become more prevalent, the SEC is concerned with how these tools are being integrated into trading, investment, and advisory services. The division will review how firms are using AI to make decisions and whether these technologies comply with regulatory standards.
In addition, the division will continue its scrutiny of the crypto asset market, which has seen increased volatility and regulatory attention. Examinations will focus on firms offering crypto asset-related services, including whether they meet their obligations under federal securities laws. This includes reviewing the offer, sale, recommendation, and trading of crypto assets, with a particular focus on retail investors and retirement accounts.
The SEC will also evaluate how firms manage the technological risks associated with crypto assets, particularly those that involve blockchain and distributed ledger technologies. The security of these assets remains a top concern, and the division will ensure that firms have adequate controls in place to protect investor funds.
Strengthening Compliance Programs
The SEC’s examination priorities for 2025 are not limited to cybersecurity and emerging technologies. The division will also continue its focus on fiduciary duty, standards of conduct, and governance practices. Firms are encouraged to review their compliance programs to ensure they are meeting the expectations set out by the SEC.
The division will assess whether firms are following proper standards when providing investment advice or making recommendations, particularly when dealing with retail investors or retirement assets. This includes ensuring that firms understand the products they are offering and that they disclose all relevant risks to their clients.