By Adalynn Rich

The threat of cybercrime against investors has grown significantly, and the Utah Division of Securities (“Division”) is dedicated to keeping Utah-registered investment advisers (“RIAs”) informed about cybersecurity concerns that have developed since the Division’s 2022 cybersecurity special examination. The FBI’s annual Internet Crime Report shows that investment fraud caused nearly $6.5 billion in reported losses in 2024. Further, the Utah Cybersecurity Commission reported that in 2022 Utah victims lost over $26 million to business email compromise (“BEC”), a fraud that typically begins with a phishing email and ends with a payment or wire sent to an account the attacker controls.
In 2024, the United States Securities and Exchange Commission (“SEC”) adopted amendments to Regulation S-P (“Reg S-P”) to modernize protections for customer financial information. Although state-registered Utah RIAs are not subject to Reg S-P, the Division suggests that adopting an incident response program similar to the one the SEC now requires of covered institutions is a best practice that advisers should consider implementing. The key amendments are:
- Written incident response program: Covered institutions must establish, implement, and maintain a written incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information[1]. The program must include procedures to assess the nature and scope of an incident, to contain and control it so that no further unauthorized access or use occurs, and to oversee third-party service providers, including requiring a provider to notify the institution promptly when the provider experiences a breach (under the rule, no later than 72 hours after the provider becomes aware of it).
- Notify affected individuals: Institutions must notify affected individuals as soon as practicable, but no later than 30 days, after becoming aware that unauthorized access to or use of sensitive customer information has occurred or is reasonably likely to have occurred[2]. Notice is not required if the institution determines, after a reasonable investigation, that the information has not been and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience. Because the 30-day clock starts at awareness rather than at the end of the investigation, an adviser’s plan should state who makes the harm determination, on what evidence, and how that decision is documented.
- Nonpublic personal information: The amendments also broaden the nonpublic personal information subject to the safeguards and disposal rules, which now cover information an institution receives from another financial institution[3], and require written records documenting compliance[4] (funding portals are exempt from the recordkeeping requirement). The annual privacy notice rule was conformed to the FAST Act exception, which relieves institutions from sending annual notices when its conditions are met[5]. Finally, the rules were extended to SEC-registered transfer agents.
Alongside these changes, the SEC is also withdrawing rules it had previously proposed. The proposed Cybersecurity Risk Management Rule for investment advisers and funds would have required them to adopt and implement written cybersecurity policies and procedures, report significant cybersecurity incidents to the SEC, and disclose cybersecurity risks and incidents. A companion proposal would have imposed similar requirements, including written cybersecurity policies, incident notification to the SEC, and public disclosures, on a broader range of market entities. Without these mandated requirements, it is even more important for advisers and broker-dealers to address cybersecurity risks proactively, both to protect their clients and to protect the firms themselves.
The SEC’s Division of Examinations issued a Risk Alert urging firms to apply their written safeguarding policies and procedures to branch offices, not just the main office. Deficiencies that led to breaches included weak vendor oversight, poor email and access controls, and outdated or unpatched systems. In its own examinations, the Utah Division has observed similarly concerning practices, including passwords and other sensitive information kept in unsecured spreadsheets or on paper in or on unsecured desks, and passwords to business email accounts shared with unregistered individuals such as spouses. Sharing a business email password defeats access control and makes it impossible to attribute actions in that account to a specific person; individual credentials stored in a password manager, combined with multi-factor authentication, address both findings.
Advisers should also be aware that the SEC has issued cease-and-desist orders to three major firms for failing to adequately develop and implement written identity theft prevention programs under the Identity Theft Red Flags Rule (Regulation S-ID)[6], and that cybersecurity remains a major focus of securities regulators throughout the country.
Advisers seeking to stay current with cybersecurity developments can find information on FINRA’s cybersecurity webpage and can learn more about how breaches occur from the SEC’s Risk Alerts page.
[1] 17 C.F.R. § 248.30(a)
[2] 17 C.F.R. § 248.30(a)(3)
[3] 17 C.F.R. § 248.30(a)-(b)
[4] 17 C.F.R. § 248.30(d)
[5] 17 C.F.R. § 248.5(e)
[6] UBS Financial Services, Inc., https://www.sec.gov/files/litigation/admin/2021/ia-5781.pdf; JP Morgan Securities, LLC, https://www.sec.gov/files/litigation/admin/2022/34-95367.pdf; and TradeStation Securities, Inc., https://www.sec.gov/files/litigation/admin/2022/34-95369.pdf