SEC-Enforcement Cybersecurity Risk Management and Incident Disclosure
To meet the SEC-enforcement cybersecurity risk management and incident disclosure requirement, you must prevent false or misleading statements about your cybersecurity program and incident handling, and you must be able to prove that what you said externally matches what you actually do operationally. For RIAs, this is enforced through the SEC’s anti-fraud and Marketing Rule standard for advertisements. 1
Key takeaways:
- Treat cybersecurity statements (website, pitch decks, DDQs, RFPs) as regulated “advertisements” and substantiate them. 1
- Run incident triage with a documented disclosure decision record, including Compliance/Legal sign-off and timing rationale.
- Expect exam focus on Marketing Rule compliance and be ready to evidence governance, testing, and remediation. 2
Cyber risk management becomes an SEC enforcement issue when your firm’s public or client-facing statements create a gap between what you claim and what you can prove. For many advisers, the highest-risk documents are not security policies; they are investor decks, Form ADV narratives, website security pages, RFP responses, and third-party due diligence questionnaires. If any of those communications overstate controls, omit important qualifiers, or imply outcomes you cannot substantiate, the SEC can view the statement as false or misleading under the Investment Adviser Marketing Rule’s general prohibitions. 1
Operationalizing this requirement means running two connected programs:
- Claims governance: an inventory and review workflow for any cybersecurity-related marketing claim, plus evidence that your controls operate as described.
- Incident governance: a repeatable process to triage incidents, assess materiality and client impact, decide what to disclose and when, and retain the decision trail.
This page is written for a CCO/GRC lead who needs to turn the requirement into checklists, owner assignments, and exam-ready artifacts, without over-building.
Requirement, plain-English interpretation, and why it matters
Plain-English interpretation
If you are an investment adviser, you cannot distribute communications that include any untrue statement of a material fact or anything “otherwise false or misleading.” That prohibition includes cybersecurity statements made in marketing materials and client communications that qualify as advertisements. 1
For cybersecurity risk management and incident disclosure, the operational rule is:
- Say what you do.
- Do what you say.
- Prove both, after the fact, with records.
Enforcement context and risk implications (qualitative)
The SEC has made clear that Marketing Rule compliance remains an examination focus area. 2 Cybersecurity claims commonly show up in marketing collateral and due diligence responses; if those claims are not controlled and substantiated, you create avoidable enforcement exposure under an anti-fraud standard. 1
Who this applies to (entity and operational context)
In-scope entities
- Registered Investment Advisers (RIAs) disseminating advertisements, including communications to prospective clients or investors that describe firm capabilities, controls, or practices. 1
In-scope operational contexts (where teams get burned)
- Website security/privacy statements, “security overview” pages, trust centers
- Pitch decks and DDQ/RFP responses describing controls (MFA, encryption, monitoring, DR, vendor oversight)
- Incident-related communications to clients (initial notices, follow-ups, Q&A)
- Third-party statements you repeat (e.g., “our cloud provider is certified…”): if you present it as your assurance, you still need substantiation discipline
Regulatory text
Regulatory excerpt (general prohibition): “It shall constitute a fraudulent, deceptive, or manipulative act… for any investment adviser to disseminate any advertisement that includes any untrue statement of a material fact, or that is otherwise false or misleading.” 1
What the operator must do with this text
- Put cybersecurity claims under the same control discipline as performance claims: review, approval, substantiation, and retention.
- Define “advertisement” inputs broadly for cybersecurity: treat DDQs, RFPs, and pitch materials as regulated communications if used to solicit or retain clients.
- Maintain evidence that makes your statements defensible: policies plus proof of operating effectiveness (tickets, logs, test results, training records).
What you actually need to do (step-by-step)
Step 1: Build a cybersecurity claims inventory (the “what did we say?” file)
- List every place you describe cybersecurity controls externally: website pages, decks, standard DDQ templates, RFP boilerplate, client letters, FAQs.
- Extract each distinct claim into a register (one row per claim).
- For each claim, capture:
  - Owner (security, IT, vendor management, compliance)
  - Where it appears (document name/version)
  - Exact wording
  - Required substantiation type (policy, config evidence, report, test)
  - Review cadence and next review date
Practical tip: include implied claims like “we monitor 24/7” or “all data is encrypted” because “otherwise false or misleading” captures omissions and over-broad statements. 1
Step 2: Map each claim to controls and required proof (the “can we prove it?” file)
For each claim, define minimum acceptable evidence. Examples:
- Claim: “We require MFA for all access.”
  Evidence: SSO/MFA policy; identity provider configuration screenshot/export; exception register with approvals; periodic access review evidence.
- Claim: “We conduct regular risk assessments.”
  Evidence: risk assessment methodology; latest assessment report; risk register with treatment decisions; board/management reporting.
- Claim: “We have an incident response program and notify clients as appropriate.”
  Evidence: IR plan; escalation matrix; incident log; disclosure decision logs; communications templates; post-incident review reports.
Step 3: Put a review/approval workflow in front of cybersecurity marketing content
Minimum viable workflow:
- Draft owner (Marketing, Sales, Security) proposes language.
- Security/GRC verifies technical accuracy and identifies required qualifiers.
- Compliance/Legal confirms it is not misleading and that substantiation exists.
- Final approval with version control and retention.
Exam-ready rule: if you cannot locate substantiation quickly, the claim is not ready to publish. This aligns to the anti-fraud standard for advertisements. 1
Step 4: Operationalize incident triage and disclosure decisioning (the “what happened and why did we decide?” file)
Create an incident governance process that produces consistent records:
- Triage criteria: define what qualifies as an incident vs. event; include third-party incidents that affect client data or critical systems.
- Escalation: specify when Compliance/Legal must be paged (e.g., confirmed data exposure, material service outage, ransomware, regulator inquiry).
- Decision log (required): for each significant incident, record:
  - timeline of discovery, containment, eradication, recovery
  - impacted systems, data types, clients, and third parties
  - initial assessment of client impact
  - disclosure decision, timing rationale, and approvers (Security + Compliance/Legal)
- Client communications controls: approved templates, Q&A handling rules, and a single source of truth to avoid inconsistent statements across channels.
This is the fastest way to reduce “we said X, but internal facts show Y” risk after an incident.
Step 5: Validate that controls operate as stated
Run periodic validation so your substantiation is not stale:
- Tabletop exercises for incident response and client notification decisioning
- Targeted testing on the claims that carry the highest marketing risk (e.g., encryption coverage, MFA coverage, backups/restores, access reviews)
- Remediation tracking to closure with ownership and due dates
The Division of Examinations has stated it will focus on compliance with recently adopted SEC rules including the Marketing Rule, so build the habit of proving your statements. 2
Step 6: Make third-party dependencies explicit
If your cyber posture relies on third parties (cloud, MSP, SOC, fund administrator), your claims must match:
- your actual contract terms
- your actual oversight
- your actual monitoring
Example: If you say “we continuously monitor,” but monitoring is outsourced and you do not review alerts or reports, the claim becomes hard to defend as accurate.
Required evidence and artifacts to retain
Keep these artifacts in a single audit-ready repository (GRC tool or controlled folder with permissions and versioning):
Claims governance
- Cybersecurity claims register (inventory of statements + owner + substantiation)
- Approved versions of marketing collateral and DDQ/RFP templates
- Review/approval evidence (tickets, emails, documented sign-offs)
- Substantiation pack for each high-risk claim (policy + operating evidence)
Cyber risk management
- Cybersecurity governance standard (roles, ownership, review cadence)
- Risk assessment reports and risk register
- Control testing/tabletop results and remediation plans
Incident governance and disclosure defensibility
- Incident response plan and escalation matrix
- Incident log (all incidents and severity)
- Disclosure decision logs with Compliance/Legal approvals
- Client communications (final versions) and distribution list records
- Post-incident review reports and lessons learned
Common exam/audit questions and hangups
Expect questions that connect external statements to internal operations:
- “Show me where you describe your cybersecurity controls to clients and how you ensure accuracy.” 1
- “Who approves cybersecurity language in advertisements and DDQs?” 1
- “Provide substantiation for your claims about MFA, encryption, monitoring, backups, and incident response.” 1
- “Walk through your last significant incident: timeline, escalation, client communications, and decision rationale.”
- “How do you ensure Marketing Rule compliance remains current?” 2
Hangups that slow teams down:
- No single system of record for “what we said.”
- Security can prove controls, but cannot prove marketing review.
- Compliance can prove review, but cannot produce technical substantiation fast.
Frequent implementation mistakes (and how to avoid them)
- Overbroad absolutes (“all,” “always,” “fully,” “guaranteed”)
  Fix: replace with scoped, testable language and document exclusions (e.g., legacy systems, approved exceptions).
- DDQs treated as informal sales support
  Fix: route standard DDQ language through the same approval workflow as pitch decks. Advertisements cannot be false or misleading. 1
- Incident comms written before facts stabilize
  Fix: use staged communications with controlled language; keep a decision log that documents what was known when and who approved the message.
- Substantiation exists, but nobody can find it
  Fix: bind each claim to a “substantiation pack” and store it alongside the approved claim wording.
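As an added example (not part of this page or of any product it mentions), a small Python lint over a claims register that applies the checks from Steps 1 to 3 and the overbroad-absolutes fix above: substantiation present, review date not stale, and absolute wording flagged for scoping. The register rows, the absolute-word list and the as-of date are constructed for illustration.

```python
# Added example: lint a cybersecurity claims register the way Steps 1-3 and
# the "overbroad absolutes" fix describe. Rows and word list are constructed.
from dataclasses import dataclass
from datetime import date
import re

# Absolutes the page warns about; "24/7" covers implied claims like "we monitor 24/7".
ABSOLUTES = ("all", "always", "fully", "guaranteed", "never", "24/7")
ABSOLUTE_RE = re.compile(r"\b(" + "|".join(map(re.escape, ABSOLUTES)) + r")\b", re.I)
TODAY = date(2025, 6, 1)  # fixed "as of" date so the run is reproducible

@dataclass
class Claim:
    claim_id: str
    wording: str          # exact external wording (Step 1)
    owner: str            # Security, IT, vendor management, Compliance
    appears_in: str       # document name/version
    substantiation: list  # evidence refs: policy, config export, report, test
    next_review: date

def lint_claim(c: Claim, today: date = TODAY) -> list:
    """Return findings; an empty list means the claim passes every check."""
    findings = []
    words = sorted({m.group(0).lower() for m in ABSOLUTE_RE.finditer(c.wording)})
    if words:
        findings.append(f"overbroad absolute(s) {words}: scope the claim and record exclusions")
    if not c.substantiation:
        findings.append("no substantiation located: not ready to publish")
    if c.next_review < today:
        findings.append(f"review overdue since {c.next_review.isoformat()}: evidence may be stale")
    return findings

def publishable(c: Claim, today: date = TODAY) -> bool:
    """Exam-ready rule (Step 3): publish only when no finding is open."""
    return not lint_claim(c, today)

REGISTER = [  # constructed sample rows, one per distinct claim
    Claim("C-001", "We require MFA for all access.", "Security", "Pitch deck v4.2",
          ["MFA policy v3", "IdP config export 2025-01-10", "MFA exception register"], date(2025, 9, 30)),
    Claim("C-002", "We monitor 24/7.", "", "Website /security", [], date(2024, 12, 1)),
    Claim("C-003", "Production data at rest is encrypted; legacy archive ARCH-1 is excluded (exception E-17).",
          "IT", "Standard DDQ template v7", ["Encryption standard v2", "KMS inventory report Q2"], date(2025, 12, 31)),
]

if __name__ == "__main__":
    for c in REGISTER:
        findings = lint_claim(c)
        print(c.claim_id, "READY" if not findings else "NOT READY", *findings, sep="\n  ")
```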
Practical 30/60/90-day execution plan
First 30 days: stop the bleeding (govern claims)
- Appoint owners: Security (technical substantiation), Compliance/Legal (anti-fraud/Marketing Rule review), Marketing/Sales (content control).
- Build the first claims inventory: website + pitch deck + top DDQ template.
- Freeze unapproved cybersecurity language changes until workflow is live.
- Create a standard “substantiation checklist” for common claims (MFA, encryption, monitoring, IR).
Days 31–60: make it repeatable (incident decisioning + evidence)
- Implement incident triage severity levels and escalation triggers that include Compliance/Legal.
- Stand up the disclosure decision log template and require it for significant incidents.
- Run one tabletop exercise focused on “what we tell clients and when.”
- Create a central evidence repository with naming conventions and access controls.
Days 61–90: validate and harden (testing + remediation discipline)
- Identify your highest-risk claims and run targeted validation (prove what you say).
- Close gaps: rewrite claims where substantiation is weak, or improve the control.
- Add third-party dependency statements and verify contracts/oversight match your external language.
- Package an “exam binder”: claims register, approvals, substantiation packs, incident logs, and tabletop outputs. 2
Tooling note (where Daydream fits)
If you are managing cybersecurity statements across decks, DDQs, and client comms, Daydream can act as the system of record for the claims register, evidence attachments, approval workflows, and audit-ready exports. The goal is simple: one place to show an examiner what you said, who approved it, and how you substantiated it. 1
Frequently Asked Questions
Does this apply only to advertisements, or also to DDQs and RFPs?
The requirement applies to “advertisements” that contain untrue or misleading statements. 1 Many firms treat DDQs/RFP responses used to win or retain clients as within scope for marketing controls because they are client-facing claims that must be substantiated.
What’s the minimum I need to retain to defend a cybersecurity claim?
Keep the exact approved wording, the approver trail, and substantiation that ties the claim to real operating evidence (configs, logs, test results). The standard is that the statement cannot be untrue or misleading. 1
How do we handle “aspirational” language like “we aim to” or “we seek to”?
Aspirational phrasing reduces risk, but it does not eliminate it if the overall impression is misleading. Keep it specific, add scope/limits, and retain evidence that your program aligns with the claim’s direction. 1
Who should approve cybersecurity language: Security or Compliance?
Both. Security validates technical truth; Compliance/Legal evaluates whether the statement could be misleading and whether substantiation is retained under a Marketing Rule standard. 1
What’s the most common incident disclosure control gap?
Missing decision records. Teams may notify some clients quickly, delay others, or revise the narrative without capturing what was known at the time and who approved the message. A disclosure decision log fixes that.
How do exam priorities affect what I should focus on this quarter?
The SEC’s Division of Examinations has stated a focus on compliance with recently adopted SEC rules including the Marketing Rule. 2 Practically, that means your marketing and client-facing cybersecurity statements should be reviewable, consistent, and provable on request.
Related compliance topics
- 2025 SEC Marketing Rule Examination Focus Areas
- Arizona Investment Adviser Advertising Rules and Disclosure Requirements
- Best Execution: 2025 Standards (SEC Trend)
- Best Execution: Fiduciary Duty (SEC 206)
- Best Execution: Trade Allocation (SEC 206)
Footnotes
1. 17 CFR 275.206(4)-1 (Investment Adviser Marketing Rule).
2. SEC Division of Examinations, 2025 examination priorities (source: 2025-exam-priorities).