STP Knowledge Hub

Shared Insights

SEC Cracks Down on Data Protection Rule Violations

December 2025

The Securities and Exchange Commission last week charged a $4 billion registered investment advisor with failing to comply with agency’s data protection and identity theft prevention rules following a cybersecurity breach that exposed customer information.

Portland, Oregon-based M Holdings Securities agreed to pay a $325,000 civil penalty after the SEC found the firm failed to adopt policies and procedures to protect customer records and information in violation Regulation S-P and Regulation S-ID, according to the SEC’s order.

“The recent enforcement action against M. Holdings under Regulation S-P is a strong indication that we may see more cases of this type across the industry,” Cynthia Kelly, managing director of compliance at STP Investment Services, said in an email. “[F]irms must not only adopt written policies and procedures to safeguard customer data, but also implement robust incident response and customer notification programs, maintain effective oversight of service providers, and ensure that the rule’s expanded definition of customer and consumer information is fully addressed.”

Read more from Cynthia Kelly and others in FundFire.

Share This:

Related Knowledge Hub Content

Shared Insights

STP mentioned in the 2024 PSA Mid-year Outlook

STP’s Dan Houlihan contributed an article to the 2024 PSA Mid-Year Outlook, which serves as a resource for financial advisors, family offices, asset managers, financial analysts, and wealth managers.

Read Dan’s thoughts about the evolution of outsourcing and what is driving trends in the middle office.

Read More   〉
Shared Insights

SEC rethinks RIA registration threshold

The acting chair of the Securities and Exchange Commission (SEC) has asked for a review of the registration threshold for RIAs, a move that compliance experts said could overburden state governments.

Since the passage of the Dodd-Frank Act by Congress in 2010, RIAs with over $100m in assets under management have largely been required to register with the SEC as opposed to a state government, up from the $25m threshold that the federal government had in place prior to the legislation. SEC acting chair Mark Uyeda in a Tuesday speech floated the idea of raising the threshold further in an environment where the SEC faces staff attrition and scrutiny of its activity from the Trump administration.

While they acknowledged the need for a new look at defining RIA size from a regulatory point of view, compliance experts expressed concern about stretching state governments too thin.

‘My first reaction was wow,’ said Lori Weston, head of compliance at STP Investment Services, referencing the possibility of a $1bn registration threshold.

‘If mid-sized is under a billion, these firms are looking at not only understanding and complying with their own principal state regulations, which vary from the Advisers Act, but also multiple other states,’ Weston said.

Read what Lori and other subject matter experts had to say here.

Read More   〉
Shared Insights

SEC Spotlights Alts and Retail Risks in Exam Priorities

The Securities and Exchange Commission’s recently released 2026 examination priorities highlight the agency’s concerns around alternative investments for retail investors.

Read More   〉
Shared Insights

Hedge Fund Launches Set to Pick Up as Extreme Volatility Wanes

Hedge fund managers are increasingly optimistic about launching new funds as anxiety over U.S. economic policies that stoked extreme volatility in financial markets earlier this year starts to ease, say market observers.

Read More   〉
background

Sign up for our newsletter to get the latest industry insights.