Fizza Khan, CEO, Nicholas Nunez, Managing Director & Head of Regulatory Compliance and Michael Regan, Director of Cybersecurity Compliance, at Silver Regulatory Associates
In 2025, cybersecurity is no longer a peripheral concern for private fund managers; it is a regulatory centerpiece. Following a surge in high-profile breaches, shifting threat landscapes and mounting investor concern over operational risks, the Securities and Exchange Commission (SEC) has sharpened its oversight of cybersecurity across the financial sector.
Two major regulatory developments in 2024 demonstrate this shift: the SEC Division of Examinations’ 2025 Exam Priorities and the finalized amendments to Regulation S-P (Reg S-P). The exam priorities made information security and operational resiliency a critical theme, highlighting the need for cybersecurity policies and procedures that go beyond “check-the-box” compliance. Additionally, the Reg S-P amendments, finalized in mid-2024, introduced specific requirements for safeguarding client and investor data and responding to cyber incidents. Together, these developments signal an elevation in both scrutiny and standards.
Cybersecurity is no longer a side conversation or an IT-only issue. It’s now a core compliance obligation, one that spans governance, operations and an investment adviser’s fiduciary duty. For private fund managers, especially those handling sensitive client and investor data and relying on complex third-party vendor networks, the regulatory bar has been raised.
Below is a roadmap of what regulatory compliance teams need to know to prepare for SEC exams in 2025 and beyond in order to avoid being caught off guard.
The SEC’s 2025 Exam Priorities: Cybersecurity Takes Center Stage
Let’s start with the SEC’s 2025 Examination Priorities. This year, cybersecurity didn’t just make the list; it is one of the bolded headlines. In fact, the Division of Examinations specifically called out areas like incident response, vendor risk, access controls and governance. For private fund managers, this signals a shift: cybersecurity is now as core to an exam as portfolio management, marketing, custody or valuation.
So, what exactly are they looking for? Examiners will focus on several key domains:
- Defined Roles and Responsibilities: Regulators expect firms to clearly define who “owns” cybersecurity. It’s not enough to say the CCO or CTO oversees it. There should be formal role designations, escalation procedures and regular reporting to senior leadership. If a vulnerability surfaces, who leads the response? How is communication coordinated across departments? Examiners may request memoranda, documented workflows and evidence of accountability.
- Annual Cyber Risk Assessments: A living risk assessment is a strategic tool. The SEC expects firms to conduct some form of annual risk assessment that identifies threats, ranks risk exposures and documents remediation steps. These assessments should evaluate data systems, cloud services and remote access points. Firms should retain logs of how risks were prioritized and resolved or accepted, ideally with management-level visibility.
- Vendor Oversight and Third-Party Risk: Outsourced services introduce significant cybersecurity risk. Examiners will want to see how firms classify vendors by criticality and data access, what diligence was performed and how contracts address breach notification and audit rights. Expect to provide documentation related to ongoing monitoring of critical third-party service providers.
- User Training and Simulated Attacks: Cybersecurity education isn’t optional. The SEC wants proof of regular training and phishing simulations, with follow-up when employees underperform. Ideally, firms can show a decline in click-through rates over time and logs of refresher training completed for high-risk roles.
- Documented Incident Response Plans: Your Incident Response Plan (IRP) must be more than a generic template. It must be comprehensive and tested. Examiners want to see tabletop exercises, post-mortem reviews and evidence of updates based on lessons learned. Include defined decision points, like when to notify clients, investors, regulators or law enforcement. Your plan should explicitly reference Reg S-P.
In addition to reviewing written policies and procedures, SEC examiners will likely request documentation showing how policies and procedures are implemented in practice, including risk assessments, training records and remediation plans. They want to know your program is active, tested and evolving, and evidence of this will be essential.
Regulation S-P Amendments: Enhanced Safeguards and Notification Requirements
In May 2024, the SEC adopted long-anticipated amendments to Reg S-P, the primary rule governing the privacy of individuals’ nonpublic personal information maintained by certain financial institutions, including registered investment advisers. These updates mark the most significant changes to Reg S-P in over two decades.
Among the key provisions are:
- Incident Response Plan: Firms will now be required to adopt a formal incident response program that includes policies and procedures covering how the firm will conduct a thorough assessment of an incident, the steps required to contain and control further unauthorized access to sensitive information and the notification of the incident to impacted individuals, in addition to ongoing oversight of service providers.
- Customer Notification Requirement: If a firm determines that a cybersecurity incident results in “substantial harm or inconvenience,” it must notify the individuals affected. “Substantial harm or inconvenience” typically refers to sensitive nonpublic personal information that was accessed or compromised in a data breach. The firm is responsible for notifying affected individuals within 30 days “after becoming aware that the incident occurred or is reasonably likely to have occurred.” Document your decision tree: who makes the call, based on what criteria and what internal documentation supports that judgment. Examiners could dig into incident logs and memoranda to verify your timeline.
- 72-Hour Vendor Breach Notification Rule: Service providers must notify a fund manager within 72 hours of discovering a breach that may involve the firm’s client or investor information. This creates an imperative to embed explicit notification clauses in all vendor contracts and to periodically test vendor controls through due diligence exercises.
- Policy Enhancements: Amended Reg S-P requires written policies and procedures tailored to your business model and risk profile. Off-the-shelf templates won’t suffice. Policies must address the following: administrative, technical and physical safeguards; data classification and handling protocols; vendor oversight; incident response; and ongoing monitoring. Regular policy reviews, especially after an incident or significant business change, must be documented.
Together, these updates require a level of operational maturity that many private fund managers may not have historically maintained. Regulatory expectations now extend beyond having a policy in place; they demand proof that policies are tested, maintained and aligned with actual business practices.
Operational Implications for Private Fund Managers
For private fund managers, especially those with leaner compliance teams and high reliance on critical third-party vendors, these developments present a material shift. Compliance with both the detailed requirements and the spirit of the rules requires a holistic, cross-functional approach.
Below are the key areas where legal and compliance teams should focus:
- Formalize Cyber Programs: Ensure you have a documented Written Information Security Program (WISP), an IRP and a Business Continuity Plan (BCP). These documents should be specific to your systems, operations and people, and updated based on test results or business changes.
- Conduct and Document Risk Assessments: Assess your internal infrastructure and vendor ecosystem annually. Identify weaknesses, track remediation and document findings. Use these assessments to inform resource allocation and control enhancements.
- Prioritize Cyber Training and Awareness: Every employee should receive training tailored to their access level and function. Simulations and real-time testing help reinforce lessons. Maintain detailed logs of participation and re-training as needed.
- Establish Vendor Risk Frameworks: Not all vendors are equal. Classify them in tiers based on how critical they are to your business and data access, and apply enhanced diligence where needed. Require breach clauses in contracts and review compliance periodically.
- Test and Update Your IRP: Run tabletop exercises at least annually. After each test, log those lessons learned and revise your IRP. Your team should know exactly who is responsible for each step of the IRP.
- Validate Regulatory Readiness: Make sure you are aligned with current SEC guidance and strive to incorporate components of the proposed Cybersecurity Rule 206(4)-9. Even if Rule 206(4)-9 is not adopted, it may well preview where exam scrutiny is heading, particularly with the amended Reg S-P compliance dates approaching.
- Proactively Monitor and Test Systems: Vulnerability scans, penetration testing and endpoint detection tools should be standard. Document findings and demonstrate how you acted on them.
Taken together, these updates signal a shift away from principles-based guidance and toward more prescriptive, enforceable cybersecurity standards.
Best Practices to Stay Ahead of the Curve
With all of these changes, it’s understandable that many private fund managers are wondering how to keep pace. To prepare for 2025 exams and future regulatory developments, private fund managers should prioritize the following best practices:
- Develop a Cyber Governance Model: Assign ownership. Create reporting structures. Involve department heads, senior management and key stakeholders in critical decisions. Senior management must be informed and engaged in the firm’s cybersecurity posture and response capabilities.
- Create and Maintain an Incident Log: Document not only major incidents but also attempted attacks and near misses. This provides examiners with evidence of active monitoring.
- Integrate Cyber into Compliance Reviews: Include cybersecurity in your firm’s annual compliance review. Cross-reference findings against legal, operational and IT functions.
- Audit Yourself Before the SEC Does: Conduct internal audits or engage third-party consultants to simulate an SEC exam. Use the findings to patch gaps and update controls.
Final Thoughts: Preparedness as a Regulatory Imperative
The SEC’s 2025 exam priorities and the Reg S-P amendments make one thing clear: cybersecurity is no longer a peripheral concern. It is central to how firms will be evaluated, and ultimately, how they will be trusted by investors and regulators alike.
Private fund managers that treat cybersecurity as a compliance issue instead of an IT matter are better positioned to withstand scrutiny, mitigate risk and protect their clients.
Those that don’t risk more than just a deficiency letter; they risk reputational damage, legal exposure, falling short on exams or, worse, becoming a case study in enforcement.
Instead, firms should view this moment as an opportunity to invest in cyber resilience and demonstrate a proactive approach to safeguarding investor assets and sensitive data. With strong policies, documented execution and continuous improvement, private fund managers can meet regulatory expectations and position themselves as trusted fiduciaries in a high-risk digital environment.
Reprinted with permission from the May 20, 2025 edition of the New York Law Journal. © 2025 ALM Global Properties, LLC. All rights reserved. Further duplication without permission is prohibited; contact 877-256-2472 or [email protected].