INSIGHT | Jul 10, 2025

The Withdrawal of the SEC Proposed Cybersecurity Rule: What It Signals For Advisers

In June 2025, the SEC formally withdrew its proposed cybersecurity rule for registered investment advisers and investment funds.

In June 2025, the SEC formally withdrew its proposed cybersecurity rule for registered investment advisers and investment funds. This rule had been expected to become a central part of the agency’s cyber oversight approach. Originally proposed in 2022, it would have required firms to implement written cybersecurity programs, establish breach notification procedures, and publicly disclose cyber incidents using Form ADV C. The decision to withdraw this proposal reflects a significant shift in how the SEC plans to address cybersecurity risk moving forward.

While the rule was never adopted, it outlined several new obligations that would have applied to advisers and funds, including: implementation of written cybersecurity policies and procedures; annual reviews and formal oversight for investment funds; a 48-hour window to notify the SEC of significant cyber incidents; public disclosure of past breaches using a dedicated filing; and comprehensive record-keeping for cyber governance and response protocols.

At the time, many viewed the rule as a formalization of expectations that were already being tested during routine examinations.


The proposal was withdrawn along with 13 other pending rules as part of a larger policy realignment under new SEC leadership. The agency did not provide a detailed explanation in its release. However, the move suggests a strategic retreat from overly prescriptive mandates. It likely reflects concerns about complexity, enforcement limitations, and the operational strain such rules would place on smaller and mid-sized firms. This development aligns with a broader regulatory philosophy that now favors principles-based guidance over fixed procedural requirements.


The withdrawal of this rule does not mean cybersecurity oversight is going away. Key developments remain in effect: amendments to Regulation S-P continue to require firms to implement safeguards and notify clients of any material breach; examinations are focusing more heavily on cyber preparedness, especially vendor oversight and incident response; and firms face growing exposure to reputational and legal risk in the absence of strong internal controls.

The absence of a formal rule does not reduce regulatory expectations. In many cases, it increases the importance of internal accountability. While the formal rule was shelved, its underlying concerns remain relevant. Compliance teams should view this as an opportunity to refine their cybersecurity posture using a proactive, principle-driven approach.

Firms should revisit and strengthen their cybersecurity policies, ensure protocols are tested and understood across business units, and keep incident response procedures updated and aligned with client expectations.


The SEC’s withdrawal of its proposed cybersecurity rule is a regulatory adjustment, not a dismissal of the issue itself. For firms operating in regulated environments, cybersecurity remains a core area of operational risk. Robust internal governance is now a baseline expectation, a fundamental requirement in today’s landscape of heightened scrutiny and evolving threats.

Taft does not provide legal advice. Content is for informational purposes only and subject to regulatory guidance.

Compliance, clarity & risk systems tailored to real-world financial pressure. © 2025 Taft Compliance Group. All rights reserved.