The SEC Withdraws Proposed Cybersecurity Rule: What It Means for RIAs and Broker-Dealers
- Ivan Barretto

In a notable shift, the U.S. Securities and Exchange Commission (SEC) recently withdrew its proposed cybersecurity risk management rule for registered investment advisers (RIAs) and broker-dealers. The proposed rule, originally issued in 2022, aimed to impose comprehensive cybersecurity requirements across the investment industry. Its withdrawal signals a reconsideration of how cybersecurity should be regulated in financial markets—and offers key takeaways for compliance professionals and advisers alike.
A Recap of the Proposed Rule
The original SEC proposal sought to:
Require firms to adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks.
Mandate prompt reporting of significant cybersecurity incidents to the SEC via a new Form ADV-C.
Impose annual reviews and board oversight (where applicable) of cybersecurity programs.
Introduce new disclosure obligations regarding cybersecurity risks and incidents in Form ADV Part 2A (for advisers) and Regulation S-P (for broker-dealers and funds).
The rule aimed to standardize cybersecurity governance and incident reporting across a diverse set of SEC-regulated entities.
Why the SEC Withdrew the Rule
On June 12, 2025, the SEC formally withdrew the proposed cybersecurity rule. While no single reason was cited in the withdrawal notice, a combination of factors likely played into the decision:
Industry Pushback: Commenters from investment advisers, broker-dealers, trade associations, and cybersecurity professionals expressed concerns about overlapping regulations, operational burdens, and vague definitions (e.g., what constitutes a 'significant incident').
Duplicative Regulation: Several existing frameworks already govern cybersecurity, including:
- Regulation S-P
- FINRA rules
- State-level laws (e.g., NY DFS Cybersecurity Regulation)
- Existing SEC disclosure requirements
Shift in Regulatory Strategy: The SEC may be reconsidering its approach to cybersecurity, possibly favoring sector-specific guidance or targeted rules.
What This Means for Firms
Even though the formal rule is off the table, cybersecurity remains a top examination and enforcement priority for the SEC and other regulators. Firms should not interpret this withdrawal as a green light to de-prioritize cybersecurity. Here’s what you should do:
Continue Strengthening Cybersecurity Policies
Ensure your firm has a comprehensive cybersecurity program tailored to your size, complexity, and threat exposure. This includes:
- Access controls
- Data encryption
- Employee training
- Incident response plans
- Third-party risk management
Document Everything
SEC examiners increasingly scrutinize not just your cybersecurity practices but also how well you document them. Keep logs of internal risk assessments, training, and incident response exercises.
Watch for Updated Guidance
While the proposed rule is gone, the SEC may issue new guidance or take a more targeted rulemaking approach. Expect updates, especially around incident disclosures and reporting thresholds.
Prepare for Exams and Enforcement
Cybersecurity will remain a focus of routine SEC exams. If your firm suffers a breach, regulators may still investigate whether your practices were “reasonable” under the circumstances, even without a formal rule.
Final Thoughts
The SEC's withdrawal of the proposed cybersecurity rule is a regulatory pivot, not a retreat. Firms should treat it as a pause, not a reprieve. The threat of cyberattacks is growing, and regulators are watching closely. Staying proactive and building a mature cybersecurity framework is the best way to protect your firm, your clients, and your regulatory standing.