If you’re a Registered Investment Advisor (RIA), staying on top of regulatory changes is not just a best practice — it’s a critical part of protecting your firm and maintaining client trust.
2025 brings a wave of new and updated regulations, particularly around cybersecurity, marketing, and operational oversight. In this article, we break down the most important changes RIAs need to know to stay compliant and prepared.
1. Enhanced SEC Cybersecurity Requirements
The SEC is sharpening its focus on cybersecurity, and new rules set to take effect in 2025 will require RIAs to:
- Establish and maintain comprehensive cybersecurity policies and procedures, customized to the firm’s specific risk profile.
- Perform regular risk assessments and document findings.
- Develop formal incident response plans to address potential breaches.
- Report significant cybersecurity incidents promptly, potentially within 48 to 72 hours.
What this means for you:
If your cybersecurity plan is generic or hasn’t been updated recently, now is the time to revisit it. Examiners will expect evidence of active oversight and testing.
2. Continued Emphasis on Marketing Rule Compliance
The SEC’s new Marketing Rule (Rule 206(4)-1) is still a major focus as firms adjust. In 2025, the SEC is expected to increase enforcement activity around:
- Performance advertising, including hypothetical and model performance data.
- Testimonials and endorsements, ensuring disclosures are clear and prominent.
- Third-party ratings, which must meet specific presentation and disclosure requirements.
What this means for you:
Review all marketing materials, including websites and social media, to confirm they comply. Maintain detailed backup documentation for all performance claims and testimonials.
3. Tightened Vendor Due Diligence and Third-Party Risk Management
As firms rely more on technology providers and outsourced services, the SEC is pushing for stronger oversight of third-party vendors. New guidance emphasizes:
- Thorough initial due diligence before engaging a vendor.
- Ongoing monitoring and periodic reviews of vendor performance and security practices.
- Clear contractual obligations related to compliance and data protection.
What this means for you:
Firms must formalize vendor management programs, including documented assessments and periodic security reviews.
4. Strengthened Requirements for ESG Disclosures
RIAs offering Environmental, Social, and Governance (ESG) investment products will face closer scrutiny. The SEC is rolling out new disclosure requirements aimed at:
- Avoiding misleading ESG claims (“greenwashing”).
- Providing detailed information on ESG investment criteria and processes.
What this means for you:
If your firm promotes ESG strategies, you’ll need clear, consistent, and detailed disclosures, along with documented evidence supporting your ESG practices.
5. Increased Focus on Business Continuity and Operational Resilience
2025 also brings a push for enhanced operational resilience standards. Firms are expected to:
- Have comprehensive business continuity plans (BCPs) and test them regularly.
- Demonstrate their ability to continue critical operations during disruptions, including cyber events or natural disasters.
What this means for you:
Regularly review and update your BCP. Include cyber resilience and pandemic-related scenarios, and ensure that all staff are trained on the plan.
Preparing for 2025: Proactive Steps You Can Take
To navigate these changes confidently, RIAs should:
- Conduct a comprehensive compliance gap assessment.
- Update cybersecurity, vendor, and business continuity policies now — don’t wait for an exam.
- Revisit marketing materials and ESG disclosures in detail.
- Educate staff on new expectations and encourage a culture of compliance.
Conclusion
2025 promises to be a pivotal year for compliance in the wealth management space. By understanding and preparing for these regulatory changes now, your firm can reduce risk, protect clients, and stay ahead of examiners.